# ══════════════════════════════════════════════════════════════════════
# IBOA ERP — Nginx production optimisé (Lighthouse 90+)
# VPS : sudo cp nginx.conf /etc/nginx/sites-available/iboa-erp
#       sudo ln -s /etc/nginx/sites-available/iboa-erp /etc/nginx/sites-enabled/
#       sudo nginx -t && sudo systemctl reload nginx
# ══════════════════════════════════════════════════════════════════════

# ── Microcache FastCGI (HTML dynamique 1s) ─────────────────────────
# FastCGI microcache zone; the PHP location below keeps dynamic HTML in it
# for about a second (see fastcgi_cache_valid there).
# NOTE(review): /tmp is world-writable and subject to tmp reapers / PrivateTmp;
# /var/cache/nginx is the conventional home for nginx cache directories.
fastcgi_cache_path /tmp/nginx_iboa
    keys_zone=IBOA_CACHE:50m   # shared-memory index, referenced by fastcgi_cache
    levels=1:2                 # two-level directory hashing on disk
    max_size=500m              # on-disk cap enforced by the cache manager
    inactive=60m               # entries not hit within an hour are evicted
    use_temp_path=off;         # write straight into the cache directory

# Redirection HTTP → HTTPS
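# HTTP → HTTPS redirect vhost.
server {
    listen 80;
    listen [::]:80;
    server_name erp.iboa-commerce.bf;

    # ACME HTTP-01 challenges are answered here over plain HTTP and must not
    # be redirected.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else goes to HTTPS. The redirect lives inside a location on
    # purpose: a server-level "return" is executed before location matching
    # and would have short-circuited the ACME location above. $server_name
    # (not the client-supplied $host) keeps the redirect target pinned to
    # this vhost instead of reflecting an arbitrary Host header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}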

# ── Serveur HTTPS principal ────────────────────────────────────────
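# Main HTTPS vhost: TLS, compression, static asset caching, Laravel front
# controller and a PHP-FPM microcache.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # NOTE: nginx >= 1.25.1 deprecates the "http2" listen parameter in favour
    # of a separate "http2 on;" directive; this form is kept for older builds.
    server_name erp.iboa-commerce.bf;

    root  /var/www/iboa/public;
    index index.php;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # ── SSL / TLS ───────────────────────────────────────────────────
    ssl_certificate     /etc/letsencrypt/live/erp.iboa-commerce.bf/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/erp.iboa-commerce.bf/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    # Every cipher above is AEAD with forward secrecy, so the client may pick.
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify needs the issuer chain to validate the OCSP response;
    # certbot writes it next to fullchain.pem.
    ssl_trusted_certificate /etc/letsencrypt/live/erp.iboa-commerce.bf/chain.pem;
    # Stapling also needs a resolver to reach the OCSP responder; without one
    # nginx logs "no resolver defined" and serves no staple.
    # resolver <DNS-RESOLVER-IP> valid=300s;   # placeholder: set a trusted resolver

    # ── COMPRESSION ─────────────────────────────────────────────────
    # Gzip (maximum compatibility). text/html is always in gzip_types, so
    # dynamic pages are compressed over TLS as well; this is the classic
    # BREACH consideration for responses that embed per-session secrets.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_types
        text/plain text/css text/xml text/javascript text/csv
        application/json application/javascript application/xml
        application/x-font-ttf font/opentype image/svg+xml
        application/vnd.ms-fontobject;

    # Brotli (only if the ngx_brotli module is installed)
    # brotli on;
    # brotli_comp_level 6;
    # brotli_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;

    # ── SECURITY HEADERS ────────────────────────────────────────────
    # add_header is NOT inherited into a location that declares its own
    # add_header, so every such location below repeats this list. Keep the
    # copies in sync (or move the list into an include file).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header X-Frame-Options           "DENY" always;
    add_header Referrer-Policy           "same-origin" always;
    add_header Permissions-Policy        "camera=(), microphone=(), geolocation=(), payment=()" always;
    # TODO(review): a Content-Security-Policy is application-specific and is
    # not set here; derive it from the app's actual script/style sources.

    # ── FILE ACCESS RULES ────────────────────────────────────────────
    # Regex locations are tested in file order, so the deny rules come
    # first: otherwise e.g. /vendor/**/*.png or /.git/*.png would be served
    # by the image rule below. (rewrite-phase "return" fires before the
    # access-phase "deny", which is kept as belt and braces.)
    # All dotfiles/dot-directories except /.well-known/ (RFC 8615 URIs).
    location ~ /\.(?!well-known/) {
        deny all; return 404;
    }
    location ~ ^/(vendor|node_modules|storage/logs|database|deploy)/ {
        deny all; return 404;
    }

    # ── STATIC ASSET CACHING ────────────────────────────────────────
    # Vite CSS/JS (content hash in the file name → immutable).
    # Note: "expires" also emits a Cache-Control: max-age header, so clients
    # see two Cache-Control headers; harmless but worth knowing.
    location ~* /build/assets/.*\.(css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable, max-age=31536000";
        add_header Vary "Accept-Encoding";
        # Repeated here because this location defines its own add_header.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header X-Frame-Options           "DENY" always;
        add_header Referrer-Policy           "same-origin" always;
        add_header Permissions-Policy        "camera=(), microphone=(), geolocation=(), payment=()" always;
        access_log off;
        try_files $uri =404;
    }

    # Images / fonts
    location ~* \.(jpg|jpeg|png|gif|ico|webp|svg|woff|woff2|ttf|eot)$ {
        expires 6M;
        add_header Cache-Control "public, max-age=15552000";
        add_header Vary "Accept-Encoding";
        # Repeated here because this location defines its own add_header.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header X-Frame-Options           "DENY" always;
        add_header Referrer-Policy           "same-origin" always;
        add_header Permissions-Policy        "camera=(), microphone=(), geolocation=(), payment=()" always;
        access_log off;
        try_files $uri =404;
    }

    # ── LARAVEL ROUTES ───────────────────────────────────────────────
    # Front controller: anything that is not a real file/directory goes to
    # index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # ── PHP-FPM + FASTCGI CACHE ──────────────────────────────────────
    location ~ \.php$ {
        # The requested .php file must exist on disk before FPM sees it;
        # this closes the "/image.png/x.php" PATH_INFO trick.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_buffers        16 16k;
        fastcgi_buffer_size    32k;
        fastcgi_read_timeout   120;
        fastcgi_send_timeout   120;
        fastcgi_connect_timeout 10;
        include fastcgi_params;
        # $realpath_root resolves symlinks in the document root, so
        # atomic (symlink-switch) deploys hand FPM the real release path.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT   $realpath_root;
        fastcgi_hide_header X-Powered-By;

        # FastCGI microcache (HTML for 1s; skipped on POST, Cookie, Authorization).
        # fastcgi_cache_key has no default and "nginx -t" fails without it
        # once fastcgi_cache is set.
        fastcgi_cache_key     "$scheme$request_method$host$request_uri";
        # Never serve a personalised page to another client: skip the cache
        # for ANY request carrying a Cookie or Authorization header.
        # $cookie_session only matched a cookie literally named "session";
        # the app's session cookie name comes from its own config
        # (TODO confirm), so $http_cookie is the safe superset. nginx also
        # refuses to cache responses that carry Set-Cookie by default.
        fastcgi_cache_bypass  $http_cookie $http_authorization;
        fastcgi_no_cache      $http_cookie $http_authorization;
        fastcgi_cache         IBOA_CACHE;
        fastcgi_cache_valid   200 1s;
        fastcgi_cache_valid   302 5s;
        fastcgi_cache_lock    on;
        add_header X-Cache-Status $upstream_cache_status;
        # Repeated here because this location defines its own add_header;
        # without this copy the application's HTML had no HSTS/nosniff/
        # X-Frame-Options at all.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header X-Frame-Options           "DENY" always;
        add_header Referrer-Policy           "same-origin" always;
        add_header Permissions-Policy        "camera=(), microphone=(), geolocation=(), payment=()" always;
    }

    # ── LIMITS ───────────────────────────────────────────────────────
    client_max_body_size 25M;  # employee photos + attachments + Excel imports

    # ── LOGS ─────────────────────────────────────────────────────────
    access_log /var/log/nginx/iboa_erp_access.log combined buffer=64k flush=5m;
    error_log  /var/log/nginx/iboa_erp_error.log  warn;
}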
