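## Port 80 listener: every plain-HTTP request is redirected to HTTPS.
server {
    server_name hub.example.org;
    listen 80;
    listen [::]:80;

    ## NOTE(review): $host echoes the client-supplied Host header. If this
    ## block can become the default server for port 80, consider pinning the
    ## hostname in the redirect target instead.
    return 301 https://$host$request_uri;
}

## HTTPS virtual host serving the PHP application from /var/www/hub.example.org.
server {
    server_name hub.example.org;
    listen 443 ssl;
    listen [::]:443 ssl;
    ## The standalone "http2" directive needs nginx >= 1.25.1.
    http2 on;

    ## QUIC and HTTP/3 require nginx >= 1.25.0
    ## https://nginx.org/en/docs/quic.html
    # listen [::]:443 quic reuseport;
    # listen 443 quic reuseport;
    # http3 on;

    ## Header for QUIC and HTTP/3
    # add_header alt-svc 'h3=":443"; ma=86400' always;

    ## SSL server certificate settings
    ssl_certificate /etc/letsencrypt/live/hub.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hub.example.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/hub.example.org/chain.pem;
    ## Protocol and cipher policy comes from the certbot-managed include.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ## Basic folder and file settings
    root /var/www/hub.example.org;
    index index.php;

    ## Maximum upload size accepted by nginx. PHP's own limits
    ## (upload_max_filesize / post_max_size) apply separately.
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    include mime.types;

    ## Block hidden files, extensions, and directories.
    ##
    ## These deny rules must come BEFORE the other regex locations: nginx
    ## tests regex locations in the order they appear and uses the first
    ## match. Placed after the static-file and PHP locations, a request such
    ## as /store/x.php or /.git/x.js would match those first and never reach
    ## the deny rule.
    location ~* \.(bak|tpl|md|tgz|log|out)$ {
        deny all;
    }

    ## NOTE(review): this pattern is not anchored, so it matches a "store",
    ## "util" or ".git" path segment at any depth. Confirm that no application
    ## route relies on such a segment.
    location ~* /(?:\.git|store|util)(?:/|$) {
        deny all;
    }

    ## Front controller: anything that is not a real file goes to index.php.
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }

    ## "^~" stops regex matching for this prefix, so the deny rules above and
    ## the regex locations below do not apply to /.well-known/.
    location ^~ /.well-known/ {
        allow all;
        try_files $uri /index.php?q=$uri&$args;
    }

    ## Static assets: long-lived caching, same front-controller fallback.
    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|map|ttf|woff|woff2|svg)$ {
        expires max;
        try_files $uri /index.php?q=$uri&$args;
    }

    ## PHP execution via PHP-FPM over a unix socket.
    location ~ \.php$ {
        ## Only hand existing files to PHP-FPM, so a request for a
        ## non-existent .php path returns 404 instead of reaching the
        ## interpreter.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_param HTTPS $https;
    }
}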