# ─────────────────────────────────────────────────────────────────────────────
# SureRightStay — Nginx storage fix for production
#
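# PROBLEM: Laravel uses a symlink (public/storage → storage/app/public)
#          created by `php artisan storage:link`. Nginx's default behaviour
#          is `disable_symlinks on` which returns 403 Forbidden for any file
#          accessed through a symlink. This is the root cause of the 403 errors
#          seen in production when browsing uploaded images.
#          NOTE(review): the nginx documentation lists `disable_symlinks off`
#          as the built-in default, so confirm where the running config turns
#          it on (`nginx -T | grep disable_symlinks`) before relying on this
#          diagnosis. A 403 on a symlinked path can also mean the nginx worker
#          user lacks traverse (execute) permission on a directory in the
#          real path.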
#
# SOLUTION: Add a dedicated `location /storage` block that uses `alias` to
#           point directly at the real directory, bypassing the symlink entirely.
#           This is faster AND avoids the symlink permission issue.
#
# HOW TO USE:
#   Include this file inside your server {} block in your main nginx site config:
#
#     server {
#         ...
#         include /path/to/portalapi/deployment/nginx-storage.conf;
#         ...
#     }
#
#   OR copy the location blocks directly into your server {} config.
# ─────────────────────────────────────────────────────────────────────────────

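# Serve uploaded files (property images, profile pictures, documents) directly
# from storage/app/public — no symlink involved.
#
# Everything matched here is served without authentication and with a
# one-year public cache lifetime, so this directory should only ever hold
# files that are meant to be world-readable.
location ^~ /storage/ {
    # Replace this path with the absolute path to your storage/app/public directory.
    # Keep the trailing slash on both the location prefix and the alias so the
    # URI-to-path mapping cannot step outside this directory.
    alias /var/www/html/portalapi/storage/app/public/;

    # Security: allowlist — only image and document file types are served.
    # Extend this list if the application stores other upload types here.
    location ~* \.(webp|jpg|jpeg|png|gif|pdf|doc|docx)$ {
        expires 1y;
        # add_header at this level replaces any add_header inherited from the
        # server {} / http {} level; repeat site-wide security headers here if
        # the site defines them.
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options "nosniff";
        try_files $uri =404;
    }

    # Deny everything else. A denylist of script extensions (php, sh, env) is
    # not enough for an upload directory: any other extension, e.g. .html or
    # .svg, would still be served from the site's own origin. `return` is not
    # inherited by the nested allowlist location above, so it only applies to
    # requests that did not match the allowlist.
    return 404;
}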

# ─────────────────────────────────────────────────────────────────────────────
# ALTERNATIVE: If you prefer to keep the symlink and just allow nginx to follow
# it, add this inside your http {} block in nginx.conf (NOT server {} block):
#
#   disable_symlinks off;
#
# This is less secure (allows any symlink to be followed) but simpler.
# A narrower option is `disable_symlinks if_not_owner;`, which refuses a
# symlink only when the link and its target have different owners.
# The alias approach above is recommended for production.
# ─────────────────────────────────────────────────────────────────────────────
