From 31106e098f824e8c5d0c56f162daa6db5988a929 Mon Sep 17 00:00:00 2001
From: pieter
Date: Sat, 7 Feb 2026 01:44:12 +0000
Subject: [PATCH] =?UTF-8?q?=E3=83=AA=E3=82=A2=E3=83=ABIP=E5=AF=BE=E5=BF=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
templates/configmap-nginx.yaml | 92 ++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 templates/configmap-nginx.yaml
diff --git a/templates/configmap-nginx.yaml b/templates/configmap-nginx.yaml
new file mode 100644
index 0000000..9e6a0e2
--- /dev/null
+++ b/templates/configmap-nginx.yaml
@@ -0,0 +1,92 @@
+{{- if .Values.nginx.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "phpfpm.fullname" . }}-nginx-config
+ labels:
+ {{- include "phpfpm.labels" . | nindent 4 }}
+data:
+ default.conf: |
+ {{- if or .Values.nginx.forwardRealIP.enabled (and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.httpSnippet) }}
+ # HTTP-level configuration
+ {{- if .Values.nginx.forwardRealIP.enabled }}
+ # Real IP forwarding configuration
+ real_ip_header {{ .Values.nginx.forwardRealIP.header }};
+ {{- if .Values.nginx.forwardRealIP.recursive }}
+ real_ip_recursive on;
+ {{- end }}
+
+ # Trusted proxy networks
+ {{- range .Values.nginx.forwardRealIP.trustedProxies }}
+ set_real_ip_from {{ . }};
+ {{- end }}
+ {{- range .Values.nginx.forwardRealIP.additionalTrustedProxies }}
+ set_real_ip_from {{ . }};
+ {{- end }}
+ {{- end }}
+
+ {{- if and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.httpSnippet }}
+ # Custom HTTP-level configuration
+ {{ .Values.nginx.customConfig.httpSnippet | nindent 4 }}
+ {{- end }}
+ {{- end }}
+
+ server {
+ listen 8080;
+ server_name _;
+ root /var/www/html;
+ index index.php index.html;
+
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ {{- if and .Values.nginx.customConfig.enabled .Values.nginx.customConfig.serverSnippet }}
+ # Custom server-level configuration
+ {{ .Values.nginx.customConfig.serverSnippet | nindent 8 }}
+ {{- end }}
+
+ # Health check endpoint
+ location /health {
+ access_log off;
+ return 200 "healthy\n";
+ add_header Content-Type text/plain;
+ }
+
+ # Default location block
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # PHP-FPM handler
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ {{- if .Values.nginx.forwardRealIP.enabled }}
+ # Pass real IP information to PHP-FPM
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param HTTP_X_REAL_IP $realip_remote_addr;
+ fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+ {{- end }}
+
+ # Standard FastCGI parameters
+ fastcgi_param SERVER_NAME $host;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param HTTPS $https if_not_empty;
+ }
+
+ # Deny access to hidden files
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ }
+{{- end }}
\ No newline at end of file
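Review bot: In the PHP-FPM location's forwardRealIP block, `HTTP_X_REAL_IP` is set from `$realip_remote_addr`, which in the realip module holds the address of the connecting peer before rewriting, so PHP would see the proxy's address under that name rather than the client's. `$proxy_add_x_forwarded_for` copies the incoming X-Forwarded-For header and appends `$remote_addr`, so the leftmost entries stay client-supplied and an application that reads the first hop for rate limiting or allow-listing can be misled. I would pass only the validated value, `fastcgi_param HTTP_X_REAL_IP $remote_addr;` and `fastcgi_param HTTP_X_FORWARDED_FOR $remote_addr;`, and drop the explicit `REMOTE_ADDR` line since `include fastcgi_params` normally sets it already. The values file is outside this patch, so the defaults for `trustedProxies` cannot be checked here; with `real_ip_recursive on` they should list only the actual ingress or load-balancer ranges, and a comment to that effect above the `set_real_ip_from` loops would help.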