# Deliberately vulnerable lab config: minimal setup that realizes the exact
# CVE-2026-42945 trigger shape. It is meant for an isolated, disposable test
# environment and should not be reused as a baseline for a real deployment.
#   master_process on -> master logs worker exit signals (crash channel)
#   daemon off        -> nginx stays in the foreground
# NOTE(review): the original notes describe nginx both as "PID 1's child" and
# as the master being PID 1 itself -- confirm which one matches the image
# entrypoint.
worker_processes 1;
daemon off;
master_process on;

# RECOVERY FIX: pin the worker user explicitly so the unprivileged identity is
# deterministic and documented. The master runs as root; the worker drops to
# 'nobody'. The ASan log target (/tmp, mode 1777) and the logs dir (chowned to
# nobody, 0777 in the image) are both writable by this worker, so the worker's
# heap-buffer-overflow report is actually captured instead of dying on EACCES.
# The world-writable logs dir is a lab convenience only: any local user in the
# image can alter or remove the crash evidence, so treat these logs as
# untrusted outside the test harness.
user nobody nogroup;

# Worker exits (incl. memory-fault signals) are logged at 'notice'/'alert'
# by the master to this error log -> server-side crash-signal channel.
# This file is the primary detection artifact for the test; it lives in the
# same logs dir as the pid file below.
error_log /usr/local/nginx/logs/error.log notice;
pid /usr/local/nginx/logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Access logging is disabled, so requests are not recorded per line; the
    # error log above is the only server-side record of a worker crash.
    access_log off;

    server {
        # No address is given, so the listener is not restricted to loopback.
        # Keep the container port unpublished or limited to the lab network.
        listen 80;
        server_name localhost;

        # ---- CVE-2026-42945 vulnerable location ----
        # (1) rewrite replacement contains '?' -> sets e->is_args = 1
        # (2) subsequent 'set' references unnamed capture $1 -> copy pass
        #     percent-encodes captures into a buffer sized for raw bytes.
        # Audit note: per the description above, the pattern to look for in
        # real configurations is a rewrite whose replacement contains '?'
        # followed by a 'set' that reads an unnamed capture. Directive order
        # matters here, so do not reorder the lines in this block.
        location ~ ^/api/(.*)$ {
            rewrite ^/api/(.*)$ /internal?migrated=true;
            set $original_endpoint $1;
            return 200 "ok\n";
        }

        # Benign endpoint for the verifier's liveness baseline probe.
        # It has no rewrite or capture, so a failed probe here after a test
        # request indicates the server itself is down rather than a routing
        # difference.
        location = /healthz {
            return 200 "alive\n";
        }

        # Catch-all for every other path; returns a fixed body.
        location / {
            return 200 "root\n";
        }
    }
}