# ============================================
# MakLinkApp – docker/nginx.conf
# Production Nginx config for TFSBD Platform
# ============================================

user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Performance
    sendfile         on;
    tcp_nopush       on;
    tcp_nodelay      on;
    keepalive_timeout 65;
    gzip             on;
    gzip_vary        on;
    gzip_types       text/plain text/css application/json application/javascript text/xml application/xml;
    gzip_min_length  1024;

    # Security headers
    add_header X-Frame-Options         "SAMEORIGIN"  always;
    add_header X-Content-Type-Options  "nosniff"     always;
    add_header X-XSS-Protection        "1; mode=block" always;
    add_header Referrer-Policy         "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy      "geolocation=(),microphone=()" always;
    server_tokens off;

    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m  rate=30r/m;
    limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/m;

    # ---- HTTPS redirect ----
    server {
        listen 80;
        server_name maklinkapp.tfsbd.com;
        return 301 https://$host$request_uri;
    }

    # ---- Main HTTPS server ----
    server {
        listen 443 ssl http2;
        server_name maklinkapp.tfsbd.com;
        root /usr/share/nginx/html;
        index index.html;

        # SSL
        ssl_certificate     /etc/ssl/maklinkapp/fullchain.pem;
        ssl_certificate_key /etc/ssl/maklinkapp/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # ---- Frontend static files ----
        location / {
            try_files $uri $uri/ /index.html;
            expires 1h;
            add_header Cache-Control "public, must-revalidate";
        }

        # Cache static assets aggressively
        location ~* \.(css|js|png|jpg|jpeg|gif|ico|woff2|svg)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
        }

        # ---- PHP backend API ----
        location /api/ {
            limit_req zone=api burst=20 nodelay;

            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME /var/www/backend$fastcgi_script_name;
            include        fastcgi_params;

            add_header Access-Control-Allow-Origin  "https://maklinkapp.tfsbd.com" always;
            add_header Access-Control-Allow-Methods "GET, POST, PATCH, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;

            if ($request_method = OPTIONS) { return 204; }
        }

        # Rate-limit auth endpoints harder
        location ~ ^/api/(login|register) {
            limit_req zone=auth burst=5 nodelay;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_param  SCRIPT_FILENAME /var/www/backend$fastcgi_script_name;
            include        fastcgi_params;
        }

        # ---- Python Flask API ----
        location /api/v2/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass         http://127.0.0.1:5000/;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_read_timeout 30s;
        }

        # ---- Modular apps ----
        location /apps/trade-lc/     { alias /usr/share/nginx/html/apps/trade-lc/;     try_files $uri $uri/ /apps/trade-lc/index.html; }
        location /apps/web-messenger/{ alias /usr/share/nginx/html/apps/web-messenger/;try_files $uri $uri/ /apps/web-messenger/index.html; }
        location /apps/cell-finder/  { alias /usr/share/nginx/html/apps/cell-finder/;  try_files $uri $uri/ /apps/cell-finder/index.html; }
        location /apps/eco-boat/     { alias /usr/share/nginx/html/apps/eco-boat/;     try_files $uri $uri/ /apps/eco-boat/index.html; }
        location /apps/doc-manager/  { alias /usr/share/nginx/html/apps/doc-manager/;  try_files $uri $uri/ /apps/doc-manager/index.html; }
        location /apps/rb-media/     { alias /usr/share/nginx/html/apps/rb-media/;     try_files $uri $uri/ /apps/rb-media/index.html; }

        # ---- Health check endpoint ----
        location /health {
            access_log off;
            return 200 '{"status":"ok","service":"maklinkapp","platform":"tfsbd"}';
            add_header Content-Type application/json;
        }

        # Block hidden files and sensitive paths
        location ~ /\. { deny all; }
        location ~ /(database|backend/config|\.env) { deny all; return 403; }
    }
}