server {
  listen 80 default_server;
  listen [::]:80 default_server;

  # ACME
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
    allow all;
  }

  # Wenn SSL da: redirect auf 443, sonst direkt App
  {% if ssl %}
  return 301 https://$host$request_uri;
  {% endif %}
}

server {
  listen 443 ssl${NGINX_HTTP2_SUFFIX};
  listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};

  ssl_certificate     ${UI_CERT};
  ssl_certificate_key ${UI_KEY};
  ssl_protocols       TLSv1.2 TLSv1.3;

  server_name _;

  root ${APP_DIR}/public;
  index index.php index.html;

  access_log /var/log/nginx/app_ssl_access.log;
  error_log  /var/log/nginx/app_ssl_error.log;

  client_max_body_size 25m;

  location / { try_files $uri $uri/ /index.php?$query_string; }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    # Der pass (unix vs tcp) wird vom System gesetzt; Debian snippet kümmert sich
    fastcgi_pass unix:/run/php/php-fpm.sock;
    try_files $uri =404;
  }
  location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }

  # WebSocket: Laravel Reverb
  location /ws/ {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_pass http://127.0.0.1:8080/;
  }

  # Reverb HTTP API
  location /apps/ {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_pass http://127.0.0.1:8080/apps/;
  }
}