worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 1000;
    gzip_types
        text/plain
        text/css
        application/json
        application/javascript
        application/x-javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript
        image/svg+xml
        font/woff2;

    server {
        listen 8080;
        server_name _;

        root /usr/share/nginx/html;
        index index.html index.htm;

        # Error pages
        error_page 404 /404.html;
        location = /404.html {
            internal;
        }

        # Main route fallback
        location / {
            try_files $uri $uri/index.html =404;
        }

        # 🚫 Block hidden and sensitive files (e.g., .env, .git)
        location ~ /\.(?!well-known).* {
            deny all;
        }

        # 🚫 Block access to config and archive files
        location ~* \.(cjs|ts|json|sh|zip|log|env)$ {
            deny all;
        }

        # 🧠 Optional: cache static assets for 6 months
        location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg|otf|webp)$ {
            expires 6M;
            access_log off;
            add_header Cache-Control "public";
        }
    }
}