# nginx-example.conf — Example Nginx virtual host for CyberChat server { listen 80; server_name chat.yourdomain.com; # Redirect HTTP to HTTPS return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name chat.yourdomain.com; # SSL — update paths to your certs ssl_certificate /etc/letsencrypt/live/chat.yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/chat.yourdomain.com/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; root /var/www/html/cyberchat; index index.html index.php; client_max_body_size 16m; # Serve static files directly location ~* \.(css|js|ico|png|jpg|woff2?)$ { expires 7d; add_header Cache-Control "public, immutable"; } # Never execute files from the voice upload directory location ~ ^/uploads/voice/.*\.(php|phtml|phar|cgi|pl|py|sh)$ { deny all; return 404; } # PHP files location ~ \.php$ { fastcgi_pass unix:/run/php/php8.1-fpm.sock; # adjust PHP version fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # Block direct access to storage and internal libraries location ~ ^/(db|archive|lib)/ { deny all; return 404; } # Block credentials and SQLite sidecar files location = /config.json { deny all; return 404; } location ~* \.sqlite($|-wal$|-shm$) { deny all; return 404; } # Block dotfiles such as .htaccess and .gitignore location ~ /\. { deny all; return 404; } # Default location / { try_files $uri $uri/ =404; } }