From cb2970e0bba91c785549d950ac5c095c2a56f1c1 Mon Sep 17 00:00:00 2001 From: CryptoTitan Date: Fri, 13 Dec 2024 20:35:15 +0100 Subject: [PATCH] Update default.conf --- src/default.conf | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/src/default.conf b/src/default.conf index aedbfc0..0e0933e 100644 --- a/src/default.conf +++ b/src/default.conf @@ -1,13 +1,19 @@ - server { listen 80 default_server; - listen [::]:80 default_server; + listen [::]:80 default_server; server_name _; + # Add index.php to setup Nginx, PHP & PHP-FPM config - index index.php index.html index.htm index.nginx-debian.html; error_log /var/log/nginx/error.log; + index index.php index.html index.htm index.nginx-debian.html; + error_log /var/log/nginx/error.log; access_log /var/log/nginx/access.log; root /var/www/html; - # pass PHP scripts on Nginx to FastCGI (PHP-FPM) server + + # Trust Traefik headers for SSL detection + set_real_ip_from 0.0.0.0/0; # Replace with Traefik's IP range if known + real_ip_header X-Forwarded-For; + + # Location block to pass PHP scripts to FastCGI (PHP-FPM) server location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; 
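Review bot: `set_real_ip_from 0.0.0.0/0;` makes nginx accept `X-Forwarded-For` from every IPv4 peer, so any client that can reach this listener without going through Traefik can choose the address that ends up in `$remote_addr`, in the access log, and in any IP-based allow/deny or rate limit. The trusted range should be narrowed to the proxy, e.g. `set_real_ip_from <traefik-network-cidr>;` (placeholder value). Because the server also listens on `[::]:80`, IPv6 peers should be handled explicitly rather than left implicit. The comment above the directive says "for SSL detection", but these two directives only rewrite the client address; `# Take the client IP from X-Forwarded-For, but only when the peer is Traefik` would describe them accurately.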
@@ -17,25 +23,34 @@ server { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; - + + # Enable SSL trust for Traefik + if ($http_x_forwarded_proto = 'https') { + set $https on; + } + + fastcgi_param HTTPS $https; + fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto; } + client_max_body_size 15M; server_tokens off; - # Hide PHP headers + # Hide PHP headers fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-CF-Powered-By; fastcgi_hide_header X-Runtime; + # Location for static files and routing location / { try_files $uri $uri/ /index.php?$query_string; gzip_static on; } - # deny access to Apache .htaccess on Nginx with PHP, - # if Apache and Nginx document roots concur - location ~ /\.ht {deny all;} - location ~ /\.svn/ {deny all;} - location ~ /\.git/ {deny all;} - location ~ /\.hg/ {deny all;} - location ~ /\.bzr/ {deny all;} -} \ No newline at end of file + + # Deny access to sensitive files + location ~ /\.ht { deny all; } + location ~ /\.svn/ { deny all; } + location ~ /\.git/ { deny all; } + location ~ /\.hg/ { deny all; } + location ~ /\.bzr/ { deny all; } +}
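Review bot: `set $https on;` assigns to `$https`, which is a built-in nginx variable, so `nginx -t` is likely to reject this file with a duplicate-variable error. A separate name, initialised before the `if`, avoids that: `set $forwarded_https '';`, then `set $forwarded_https on;` inside the `if`, and `fastcgi_param HTTPS $forwarded_https if_not_empty;`. `X-Forwarded-Proto` is supplied by the client unless Traefik overwrites it, so PHP may treat a plain-HTTP request as HTTPS whenever this port is reachable other than through the proxy. The explicit `fastcgi_param HTTP_X_FORWARDED_PROTO` looks redundant, since request headers already reach PHP-FPM as `HTTP_*` parameters. The `location ~ \.php$` block opens in the previous hunk, so only its tail is visible here.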