webserver-config/site-config.conf

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name .$DOMAIN;
    return 301 https://$host$request_uri;
}

# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .$DOMAIN;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    include snippets/ssl.conf;

    # Check for banned IPs
    if ($is_banned) {
        rewrite ^ @banned last;
    }

    # Banned location handler
    location @banned {
        internal;
        add_header Content-Type text/plain;
        return 403 "403 Forbidden (IP temporarily banned)\n";
    }

    # Apply general rate limit
    limit_req zone=general burst=100 nodelay;

    # Content Security Policy and other security headers
    set $content_security_policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN";
    add_header Content-Security-Policy $content_security_policy always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Subdomain handling
    set $subdomain '';
    set $site_root "/var/www/$DOMAIN/_main";
    if ($host ~* ^([^.]+)\.$DOMAIN$) {
        set $subdomain $1;
        set $site_root "/var/www/$DOMAIN/subdomains/$subdomain";
    }
    root "$site_root/www";

    # Default error page config
    include snippets/error-pages.conf;

    # Basic settings
    index index.html index.htm index.php;
    client_max_body_size 20M;

    # Include site-specific configurations
    include /var/www/$DOMAIN/nginx/*.conf;

    # Block .ht* files
    location ~ /\.ht {
        deny all;
    }

    # Main location block
    location / {
        try_files $uri $uri/ @router;
    }

    # Router handling
    location @router {
        if (!-f $document_root/router.php) {
            return 404;
        }
        limit_req zone=php burst=20 nodelay;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/router.php;
    }

    # Basic PHP configuration
    location ~ \.php$ {
        limit_req zone=php burst=20 nodelay;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Static file handling (matches any file extension except .php)
    location ~* ^.+\.((?!php).)*$ {
        # Caching and security headers
        expires 30d;
        add_header Cache-Control "public, no-transform";
        add_header Content-Security-Policy $content_security_policy always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        # Try to serve the file directly
        try_files $uri $uri/ =404;
    }

    # Logging
    access_log /var/log/nginx/access.log domain_combined;
    error_log /var/log/nginx/error.log;
    access_log "/var/www/$DOMAIN/logs/access.log" domain_combined;
    error_log "/var/www/$DOMAIN/logs/error.log";
}