worker_processes auto;
events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server_tokens off; # Hide Nginx version for security

    server {
        listen 80;
        server_name _; # Change to your domain if needed

        root /usr/share/nginx/html/owa;
        index index.php index.html;

        # Logging (Optional)
        access_log /var/log/nginx/owa_access.log;
        error_log  /var/log/nginx/owa_error.log;

        # Serve static files directly
        location ~* \.(css|js|gif|png|jpg|jpeg|ico|woff|woff2|ttf|svg|eot|otf)$ {
            expires max;
            log_not_found off;
        }

        # Pass PHP scripts to PHP-FPM
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass php:9000; # PHP container (same as `php` service in Docker)
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # Handle OWA tracking requests
        location ~* ^/modules/base/js.php$ {
            include fastcgi_params;
            fastcgi_pass php:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            expires max;
            add_header Cache-Control "public, max-age=31536000, immutable";
        }

        location ~* ^/owa.php$ {
            include fastcgi_params;
            fastcgi_pass php:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # Deny access to sensitive files
        location ~* /(config|logs|cache|modules/base/i18n)/ {
            deny all;
        }

        # Security headers
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    }
}