worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;
    keepalive_timeout  65;
    types_hash_max_size 2048;

    # Gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 1000;
    gzip_types
        text/plain
        text/css
        application/json
        application/javascript
        application/x-javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript
        image/svg+xml
        font/woff2;

    # Upstream to Node.js server
    upstream nodejs_backend {
        server web:3000;
        keepalive 64;
    }

    server {
        listen 80;
        server_name 365devnet.eu www.365devnet.eu;

        # Security headers (applied at proxy level)
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        # Client body size limit
        client_max_body_size 10M;

        # Proxy settings for Node.js
        location / {
            proxy_pass http://nodejs_backend;
            proxy_http_version 1.1;
            
            # WebSocket support (for HMR if needed)
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            
            # Standard proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;

            # Timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            # Buffering
            proxy_buffering on;
            proxy_buffer_size 4k;
            proxy_buffers 8 4k;
            proxy_busy_buffers_size 8k;
        }

        # Cache static assets aggressively
        location ~* ^/_astro/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            proxy_pass http://nodejs_backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            
            # Cache for 1 year (immutable)
            expires 365d;
            add_header Cache-Control "public, immutable";
            access_log off;
        }

        # Block hidden and sensitive files
        location ~ /\.(?!well-known).* {
            deny all;
        }

        # Health check endpoint
        location /health {
            proxy_pass http://nodejs_backend;
            access_log off;
        }
    }

    # SSL configuration (uncomment when you have certificates)
    # server {
    #     listen 443 ssl http2;
    #     server_name 365devnet.eu www.365devnet.eu;
    #
    #     ssl_certificate /etc/nginx/ssl/cert.pem;
    #     ssl_certificate_key /etc/nginx/ssl/key.pem;
    #     ssl_protocols TLSv1.2 TLSv1.3;
    #     ssl_ciphers HIGH:!aNULL:!MD5;
    #     ssl_prefer_server_ciphers on;
    #
    #     # Rest of the configuration same as port 80
    #     # ... (copy from above)
    # }

    # Redirect www to non-www (optional)
    # server {
    #     listen 80;
    #     server_name www.365devnet.eu;
    #     return 301 http://365devnet.eu$request_uri;
    # }
}