upstream php-handler{{ app_instance_id }} {
    server unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock;
}


map $http_user_agent $log_ua {
  ~Monit 0;
  default 1;
}

server {
  listen 80;
  listen [::]:80;
  server_name {{ app_domain | mandatory }};
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ app_domain }};

  ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;

  # Add headers to serve security related headers
  # Before enabling Strict-Transport-Security headers please read into this
  # topic first.
  # add_header Strict-Transport-Security "max-age=15768000;
  # includeSubDomains; preload;";
  #
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Strict-Transport-Security "max-age=15768000";

  access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua;
  error_log {{ www_log }}/{{ app_instance_id }}/error.log;

  include {{ app_instance_www_root }}/nginx/*.conf;


  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

  location / {

    # Path to source
    alias {{ app_instance_www_root }}/;

    if ($scheme = http) {
      rewrite ^ https://$server_name$request_uri? permanent;
    }

    index  index.php index.html ;
    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
      if (!-e $request_filename) {
        rewrite ^/?(.*)$ /_route.php?/$1 last;
        break;
      }
      fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock;
      fastcgi_index index.php;
      include fastcgi_params;
      fastcgi_param REMOTE_USER $remote_user;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $request_filename;
    }

    location ~ ^/(protected|framework|themes/\w+/views|\.|uploads/file) {
      deny all;
    }

    location ~ ^/(assets|static|themes|uploads) {
      expires 10d;
      add_header Cache-Control "public, no-transform";
    }

    # Increase size limit
    client_max_body_size 2M;
  }  

}