user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    upstream php-upstream {
        server php:9000;
    }

    # Redirect HTTP -> HTTPS only if SSL_MODE is not 'none'
    server {
        listen 80;
        server_name ${DNS};

        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }

        root /var/www/app/public;
        index index.php index.html;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ \.php$ {
            fastcgi_pass php-upstream;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/app/public$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    # HTTPS block (self-signed or real certs)
    server {
        listen 443 ssl;
        server_name ${DNS};

        ssl_certificate     /etc/nginx/certs/${SSL_MODE}.crt;
        ssl_certificate_key /etc/nginx/certs/${SSL_MODE}.key;

        root /var/www/app/public;
        index index.php index.html;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ \.php$ {
            fastcgi_pass php-upstream;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/app/public$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}