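# /etc/nginx/sites-available/monitor.yourdomain.com
#
# PHP-only monitoring stack — no Node, no WebSocket proxy.
#
# Layout implied by the directives below:
#   /var/www/monitoring/dashboard      static dashboard files
#   /var/www/monitoring/php/api/*.php  ingest.php and query.php, run via PHP-FPM
#
# Prerequisite: the "ingest" limit_req zone must be declared in the http{}
# block (see the note at the end of this file); nginx refuses to load the
# configuration while the zone is undefined.

# -------- HTTP → HTTPS redirect --------
server {
    listen 80;
    listen [::]:80;
    server_name monitor.yourdomain.com;

    # Redirect to the fixed host name instead of $host. If this block is ever
    # selected as the default server for port 80, $host carries whatever Host
    # header the client sent, and the redirect target would follow it.
    return 301 https://monitor.yourdomain.com$request_uri;
}

# -------- HTTPS --------
server {
    # NOTE(review): nginx 1.25.1+ deprecates the "http2" listen parameter in
    # favour of a separate "http2 on;" directive — adjust to the installed version.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name monitor.yourdomain.com;

    # TLS (generate with certbot)
    ssl_certificate     /etc/letsencrypt/live/monitor.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monitor.yourdomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # ssl_ciphers governs the TLS 1.2 suites only; TLS 1.3 suites come from
    # the OpenSSL defaults.
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Security headers. "always" attaches them to error responses as well.
    # These are inherited by the locations below only while none of those
    # locations declares an add_header of its own; a single add_header inside
    # a location silently drops every header set here for that location.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header X-Frame-Options           "DENY" always;
    add_header Referrer-Policy           "strict-origin-when-cross-origin" always;

    # Small cap on request bodies; larger uploads are rejected with 413
    # before they reach PHP.
    client_max_body_size 32k;

    root  /var/www/monitoring/dashboard;
    index index.html;

    # ----- Dashboard (static files) -----
    location / {
        try_files $uri $uri/ =404;
    }

    # Do not serve hidden files (.git, .env, editor backups) that may end up
    # in the dashboard root. /.well-known/ stays reachable for ACME challenges.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # ----- PHP APIs (ingest + query) -----
    # The regex is anchored at both ends, so exactly two scripts can reach
    # PHP-FPM: /api/ingest.php and /api/query.php. Regex locations are tried
    # in file order, so this block must stay above the catch-all *.php block.
    location ~ ^/api/(ingest|query)\.php$ {
        root /var/www/monitoring/php;

        fastcgi_pass unix:/run/php/php8.2-fpm.sock;

        # Load the stock parameters first so the explicit SCRIPT_FILENAME
        # below is the last value sent, whatever the distribution's
        # fastcgi_params file contains.
        include fastcgi_params;

        # Resolves to /var/www/monitoring/php/api/<script>.php. The former
        # "rewrite ^/api/(.+)$ /api/$1 break;" mapped the URI onto itself and
        # "fastcgi_index" only applies to URIs ending in "/", which this
        # location never matches; both were dropped as dead configuration.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # One bucket per client address, shared by ingest and query.
        # Requests over the limit are rejected (503 unless limit_req_status
        # is set elsewhere).
        limit_req zone=ingest burst=50 nodelay;
    }

    # Block any other PHP access. The dashboard root is served as static
    # files, so without this a stray .php file there would be sent as source.
    location ~ \.php$ {
        return 404;
    }
}

# --------------------------------------------------------------------
# Add to http{} block in /etc/nginx/nginx.conf (once):
#
#     limit_req_zone $binary_remote_addr zone=ingest:10m rate=20r/s;
#
# This allows ~20 req/sec per IP to /api with a 50-request burst.
#
# $binary_remote_addr is the address of the directly connected peer. If
# this server sits behind a load balancer or CDN, every client shares that
# one address (and one bucket) unless the real client address is restored
# first, e.g. with the realip module restricted to the proxy's addresses.
# --------------------------------------------------------------------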