server {
    listen 80;
    server_name {SERVER_NAMES};
    index index.php index.html index.htm default.php default.htm default.html;
    root {ROOT_PATH};

    # Error pages
    error_page 404 /404.html;
    error_page 502 /502.html;

    # ACME HTTP-01 (Let's Encrypt). Prefix match beats regex; explicit root; no try_files so server error_page cannot mask failures.
    location ^~ /.well-known/acme-challenge/ {
        root {ROOT_PATH};
        default_type "text/plain";
        allow all;
        access_log off;
    }

    # Force HTTPS (skipped for ACME — see if block)
    {FORCE_HTTPS_BLOCK}

    # Custom redirects
    {REDIRECTS_BLOCK}

    # Static assets
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 12h;
        access_log off;
    }

    # PHP
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/php-cgi-{PHP_VERSION}.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    access_log {LOGS_PATH}/{SITE_NAME}.log;
    error_log {LOGS_PATH}/{SITE_NAME}.error.log;
}
{SSL_SERVER_BLOCK}