# This server block is the publicly exposed ServNest control interface

log_format servnest '|$time_local| [$ip_start]@$server_name $status $body_bytes_sent "$request"';
server {
	listen [::1]:42443 ssl http2;
	listen 127.0.0.1:42443 ssl http2;
	server_name servnest.test;

	root /srv/servnest/core;

	include inc/messages.conf;

	more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';";

	# Main ServNest interface
	location / {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass unix:/run/php-fpm/servnest.sock;
		include inc/fastcgi.conf;
		try_files /router.php =500;
	}

	# The router doesn't manage CSS files
	location /css {
		alias /srv/servnest/core/css;
	}

	location /docs {
		alias /srv/servnest/docs;
	}

	access_log /var/log/nginx/servnest-access.log servnest if=$loggable;

	# For a public server, these should point to a Let's Encrypt-trusted key pair
	ssl_certificate /etc/ssl/certs/servnest.test.crt;
	ssl_certificate_key /etc/ssl/private/servnest.test.key;
}
map $request_method $loggable { # Log only POST requests
	"POST" 1;
	default 0;
}
map $remote_addr $ip_start {
	"~^(?P<ipv6_start>[^:]+:[^:]+)" $ipv6_start; # Log 4 first bytes for IPv6
	"~^(?P<ipv4_start>[^.]+\.[^.]+\.[^.]+)" $ipv4_start; # Log 3 first bytes for IPv4
	default $remote_addr;
}