server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name edu.libraryofcode.org;

    ssl_certificate /etc/nginx/ssl/org.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/org.key.pem;

    root /opt/moodle;

    index index.html index.htm index.php;

    error_page 404 /error/index.php;    error_page 403 =404 /error/index.php;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php/php8.0-fpm_moodle.sock;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        proxy_read_timeout 300;
    }

    location /dataroot/ {
        internal;
        alias /var/opt/moodledata/; # ensure the path ends with /
    }

    # Hide all dot files but allow "Well-Known URIs" as per RFC 5785
    location ~ /\.(?!well-known).* {
        return 404;
    }

    # This should be after the php fpm rule and very close to the last nginx ruleset.
    # Don't allow direct access to various internal files. See MDL-69333
    location ~ (/vendor/|/node_modules/|composer\.json|/readme|/README|readme\.txt|/upgrade\.txt|db/install\.xml|/fixtures/|/behat/|phpunit\.xml|\.lock|environment\.xml) {
        deny all;
        return 404;
    }
}