# ─────────────────────────────────────────────────────────────────────────────
#  Nginx configuration for GHL ↔ 3CX Bridge
#  This file already contains complete server {} blocks — install it as its own
#  vhost (e.g. /etc/nginx/sites-available/ghl-3cx-bridge, symlinked into
#  sites-enabled/). Do NOT paste it inside another server {} block.
#  Assumes PHP 8.1-FPM. Adjust socket path if needed.
# ─────────────────────────────────────────────────────────────────────────────

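server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # SSL — use Let's Encrypt (certbot) or your own cert
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Modern TLS only. If certbot installed its options file, prefer
    #   include /etc/letsencrypt/options-ssl-nginx.conf;
    # over this line (it sets protocols and ciphers) — don't keep both.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Don't advertise the nginx version in headers and error pages.
    server_tokens off;

    # HSTS: browsers must never retry this host over plain HTTP. "always" sends
    # it on 4xx/5xx too. Webhook senders ignore it; it protects anyone who
    # points a browser at this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/ghl-3cx-bridge;

    # Disable directory listing (off is the nginx default; stated explicitly)
    autoindex off;

    # ── Telnyx webhook endpoints ─────────────────────────────────────────────
    # The regex is anchored on "\.php$", so only these two scripts are reachable
    # and no trailing PATH_INFO (e.g. /telnyx/inbound.php/x.jpg) can be appended.
    location ~ ^/telnyx/(inbound|status)\.php$ {
        # Allow only Telnyx IP ranges (optional but recommended).
        # Verify the current list at the URL below before enabling; the /16
        # below is only a placeholder. The allowlist is defense in depth only —
        # the PHP handler must still verify the webhook signature.
        # NOTE: if nginx sits behind a load balancer / CDN, allow/deny see the
        # proxy's address, not Telnyx's. Configure set_real_ip_from (trusted
        # proxy addresses only) + real_ip_header first, or the allowlist will
        # either block everything or check the wrong address.
        # Telnyx webhook IPs: https://developers.telnyx.com/docs/webhooks/ip-allowlisting
        # allow 34.200.0.0/16;
        # deny  all;

        # Answer 404 ourselves if the script file is missing instead of handing
        # the request to PHP-FPM.
        try_files $uri =404;

        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS on;
        fastcgi_pass   unix:/run/php/php8.1-fpm.sock;
    }

    # ── 3CX webhook endpoint ─────────────────────────────────────────────────
    # Same anchoring as above: exactly one script, no PATH_INFO.
    location ~ ^/webhook/3cx_events\.php$ {
        # The 3CX server is a known host: restrict to its address(es) once
        # known (same real-IP caveat as for the Telnyx block). The PHP handler
        # must still authenticate the request itself.
        # allow <3cx-server-ip>;
        # deny  all;

        try_files $uri =404;

        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS on;
        fastcgi_pass   unix:/run/php/php8.1-fpm.sock;
    }

    # ── Block everything else ─────────────────────────────────────────────────
    # Regex locations above are tried first, in file order; anything that
    # matches none of them lands here. Nothing under $root is served except the
    # three scripts, so .env, logs, vendor/ and .git/ are already unreachable.
    location / {
        return 404;
    }

    # Belt-and-braces block for sensitive files in case a broader location is
    # added later. Dotfiles/dot-directories (.env, .git/, .htaccess) are covered
    # by the first alternative. Answer 404 rather than 403 so the response does
    # not confirm that the path is special.
    location ~ (/\.|\.(env|log|json|md)$) {
        return 404;
    }
}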

# Redirect HTTP → HTTPS
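server {
    listen 80;
    server_name yourdomain.com;
    # Redirect with the configured name, not $host: $host comes from the
    # client's Host header, so an arbitrary header could steer the redirect to
    # another domain. Switch to $host only if this block ever serves several
    # names.
    return 301 https://$server_name$request_uri;
}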
