# U Super Shop — Nginx Config (10,000+ concurrent users)
# Place in: /etc/nginx/sites-available/usuper.shop

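# ---------------------------------------------------------------------------
# http-context directives
# ---------------------------------------------------------------------------
# limit_req_zone, limit_conn_zone and map are only valid inside http { }.
# They used to sit inside the server block below, which makes nginx refuse to
# start ("... directive is not allowed here"). A file under sites-available is
# included from within http { } in the stock Debian/Ubuntu layout, so the top
# level of this file *is* the http context.
#
# All zones are keyed on the client address. If the site is fronted by a reverse
# proxy or CDN, $binary_remote_addr is the proxy's address and every visitor
# shares one bucket; configure set_real_ip_from / real_ip_header first.
limit_req_zone  $binary_remote_addr zone=login:10m   rate=5r/m;
limit_req_zone  $binary_remote_addr zone=api:10m     rate=60r/m;
limit_req_zone  $binary_remote_addr zone=general:10m rate=120r/m;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

# $no_cache is referenced by the PHP location but was never defined, which also
# makes `nginx -t` fail (unknown "no_cache" variable). Bypass the FastCGI cache
# for any request that carries a cookie, so session-bound responses (cart,
# login state) are never stored and replayed to another visitor. No
# fastcgi_cache_path / fastcgi_cache is configured in this file, so caching
# remains off until a zone is added; this rule is what makes enabling it safe.
map $http_cookie $no_cache {
    ""      0;
    default 1;
}

# ---------------------------------------------------------------------------
# Plain HTTP: redirect everything to HTTPS
# ---------------------------------------------------------------------------
# $server_name expands to the first name in the server_name list (usuper.shop),
# so www.usuper.shop is also canonicalised to the apex host. Use $host instead
# if the www form should be preserved.
server {
    listen 80;
    server_name usuper.shop www.usuper.shop;
    return 301 https://$server_name$request_uri;
}

# ---------------------------------------------------------------------------
# HTTPS vhost
# ---------------------------------------------------------------------------
server {
    # On nginx >= 1.25.1 the listen-level http2 flag is deprecated in favour of a
    # separate `http2 on;` directive; it is still accepted with a warning.
    listen 443 ssl http2;
    server_name usuper.shop www.usuper.shop;
    root /var/www/usuper-shop/public;
    index index.php;

    # TLS
    ssl_certificate     /etc/letsencrypt/live/usuper.shop/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/usuper.shop/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # The previous list named ECDHE-RSA-AES256-GCM-SHA512 and
    # DHE-RSA-AES256-GCM-SHA512, which are not OpenSSL cipher names (GCM suites
    # use SHA256/SHA384). OpenSSL drops unknown names silently, leaving a single
    # RSA-only suite, which breaks every TLS 1.2 handshake if the Let's Encrypt
    # certificate has an ECDSA key (certbot's default for new certificates since
    # 2.0). Use real AEAD suites covering both key types. TLS 1.3 suites are not
    # governed by this directive.
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Gzip compression. text/html is always compressed once gzip is on.
    # Caveat: compressing responses that carry per-session secrets (e.g. CSRF
    # tokens) next to attacker-influenced content over TLS is the precondition
    # for BREACH-style attacks; keep that in mind before adding further dynamic,
    # secret-bearing types to this list.
    gzip on;
    gzip_vary on;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript
               application/xml+rss application/atom+xml image/svg+xml;

    # Security headers (server level). NOTE: nginx does not inherit add_header
    # into a location that sets any add_header of its own, so locations that add
    # headers (the static-file location below) must repeat these.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # "0" rather than "1; mode=block": modern browsers ignore the header and the
    # legacy auditor it enabled is itself a known information-leak vector, so
    # the current recommendation is to disable it explicitly.
    add_header X-XSS-Protection "0" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # Hide server version in the Server header and error pages
    server_tokens off;

    # Per-client connection cap (zone defined at http level above)
    limit_conn conn_limit 20;

    # Deny-lists. Regex locations are evaluated in order of appearance and the
    # first match wins, so these must precede the static-file and PHP locations:
    # with the old ordering /vendor/x.php was handed to PHP-FPM and /.git/x.png
    # was served from disk because those regexes matched first.
    # Dotfiles (.env, .git, .htaccess, ...) anywhere under the document root.
    location ~ /\. { deny all; }
    # Project directories that must never be web-reachable. Anchored to the
    # start of the URI and to a path boundary: the previous unanchored
    # `/(vendor|...)` also blocked legitimate routes such as /vendors or
    # /api/vendor-list. `deny all` already yields 403, so the extra `return 403`
    # was redundant.
    location ~ ^/(vendor|node_modules|\.env|\.git)(/|$) { deny all; }
    # Crude URI signature filter. It inspects only the decoded request path, not
    # the query string or body, so treat it as noise reduction rather than input
    # validation. It is case-insensitive and unanchored, so it will also 403 any
    # legitimate path containing e.g. "globals".
    location ~* (eval\(|base64_encode|GLOBALS|_REQUEST|boot\.ini|etc/passwd|self/environ) {
        return 403;
    }

    # Browser caching for static assets. A missing file is answered with 404 by
    # nginx; it is not routed to index.php.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|svg|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # Repeated here because the Cache-Control add_header above switches off
        # inheritance of the server-level headers (nosniff matters for JS/CSS).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "0" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
        access_log off;
    }

    # Application routes: serve the file if it exists, otherwise the front
    # controller. Each prefix location applies its own rate-limit zone.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        limit_req zone=general burst=20 nodelay;
    }

    # Prefix match: also covers /login/... and /login-anything. Switch to
    # `location = /login` if only the exact path should get the strict limit.
    location /login {
        try_files $uri $uri/ /index.php?$query_string;
        limit_req zone=login burst=3 nodelay;
    }

    location ~ /api/ {
        try_files $uri $uri/ /index.php?$query_string;
        limit_req zone=api burst=10 nodelay;
    }

    # PHP-FPM
    location ~ \.php$ {
        # Only execute scripts that exist on disk. Defence in depth against the
        # PATH_INFO trick (/uploads/pic.jpg/x.php) should php-fpm's
        # security.limit_extensions ever be relaxed. The internal redirect from
        # try_files above arrives here as /index.php and passes this check.
        try_files $uri =404;
        # A direct request for /index.php never passes through the prefix
        # locations above, so apply the general limit here as well. limit_req
        # skips requests whose main request has already been processed, so an
        # internally redirected request is not counted twice.
        limit_req zone=general burst=20 nodelay;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        # Do not advertise the PHP version to clients (complements server_tokens off).
        fastcgi_hide_header X-Powered-By;
        # FastCGI caching: $no_cache comes from the map at the top of this file.
        # These two directives only take effect once a fastcgi_cache zone is
        # configured.
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
        fastcgi_read_timeout 300;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

    # Request size and slow-client limits. Bodies above 10M are rejected with 413.
    client_max_body_size 10M;
    client_body_timeout 30s;
    client_header_timeout 30s;
    keepalive_timeout 15s;
    send_timeout 30s;
}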
