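# Virtual host for a Symfony application: nginx serves files from public/ and
# hands everything else to the index.php front controller through PHP-FPM.
#
# NOTE(review): this block listens on plain HTTP only. Presumably TLS is
# terminated by a proxy or load balancer in front of it - confirm.
server {
    listen 80;
    server_name _;
    root /var/www/html/public;
    index index.php;

    # Security: keep the nginx version out of the Server header and error pages.
    server_tokens off;

    # Handle Symfony routes: serve an existing file or directory, otherwise
    # redirect internally to the front controller with the original query string.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # PHP-FPM configuration. Only the front controller is ever executed.
    location ~ ^/index\.php(/|$) {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # $realpath_root resolves symlinks, so PHP-FPM receives the real path
        # of the script rather than a symlinked release directory.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;

        # Production environment
        fastcgi_param APP_ENV prod;

        # Hide PHP version: strip the header from the FastCGI response.
        fastcgi_hide_header X-Powered-By;

        # Security: reachable only through internal redirects (try_files and
        # index above); a client requesting /index.php directly gets a 404.
        internal;
    }

    # Return 404 for all other PHP files so no script other than the front
    # controller can be run or downloaded as source.
    location ~ \.php$ {
        return 404;
    }

    # Deny access to sensitive files.
    # Regex locations are tested in file order and the first match wins, so
    # these two blocks must stay ABOVE the static-assets block. Placed below
    # it, a hidden or internal path ending in an asset extension (for example
    # a .png inside a dot-directory) would be served instead of denied.
    # NOTE(review): the first rule also blocks /.well-known/ - add an explicit
    # exception above it if the host has to answer such requests.
    location ~ /\. {
        deny all;
    }

    # Defense in depth: these directories normally live outside public/.
    # The pattern matches the segment anywhere in the URI, so an application
    # route containing e.g. /config/ is refused as well.
    location ~ /(vendor|var|config|migrations|src)/ {
        deny all;
    }

    # Static assets caching
    # NOTE(review): a one-year immutable cache assumes asset file names change
    # whenever their content changes - confirm the build fingerprints them.
    # add_header here replaces any add_header inherited from the server level,
    # so response headers added there later must be repeated in this block.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Health check endpoint
    # Prefix location: it answers every URI beginning with /health that no
    # regex location above claims.
    location /health {
        access_log off;
        # Set the type through default_type; add_header Content-Type would
        # send a second Content-Type header next to the one nginx generates
        # for the return body.
        default_type text/plain;
        return 200 "healthy\n";
    }
}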