server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    root /var/www/portal;
    index index.php index.html;

    # Access logging -- feeds into Blue's observation
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log;

    # Main site
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP processing
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    # API endpoints
    location /api/ {
        try_files $uri $uri/ /api/index.php?$args;
    }

{% if search_endpoint is defined %}
    # Search endpoint (potential injection point)
    location /search {
        try_files $uri /search.php?$args;
    }
{% endif %}

{% if download_endpoint is defined %}
    # File download endpoint (potential traversal point)
    location /download {
        try_files $uri /download.php?$args;
    }
{% endif %}

    # Deny access to hidden files
    location ~ /\. {
        deny all;
    }
}