# Monaco USA Portal - Nginx Configuration
# Location: /etc/nginx/sites-available/portal.monacousa.org
#
# Installation:
#   1. Copy to /etc/nginx/sites-available/
#   2. Create symlink: ln -s /etc/nginx/sites-available/portal.monacousa.org /etc/nginx/sites-enabled/
#   3. Test config: nginx -t
#   4. Get SSL cert: certbot --nginx -d portal.monacousa.org -d api.monacousa.org -d studio.monacousa.org
#   5. Reload: systemctl reload nginx

# Rate limiting zone
limit_req_zone $binary_remote_addr zone=portal_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;

# Upstream definitions
upstream portal_backend {
    server 127.0.0.1:7453;
    keepalive 32;
}

upstream api_backend {
    server 127.0.0.1:7455;
    keepalive 32;
}

upstream studio_backend {
    server 127.0.0.1:7454;
    keepalive 16;
}

# Main Portal - portal.monacousa.org
server {
    listen 80;
    listen [::]:80;
    server_name portal.monacousa.org;

    # Redirect all HTTP to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }

    # Let's Encrypt challenge
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name portal.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing (remove after certbot)
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Logging
    access_log /var/log/nginx/portal.monacousa.org.access.log;
    error_log /var/log/nginx/portal.monacousa.org.error.log;

    # Client body size (for file uploads)
    client_max_body_size 50M;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml;

    # Rate limiting
    limit_req zone=portal_limit burst=20 nodelay;

    # Main application
    location / {
        proxy_pass http://portal_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # Static assets with caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://portal_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache static assets
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

# Supabase API - api.monacousa.org
server {
    listen 80;
    listen [::]:80;
    server_name api.monacousa.org;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Security headers
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Logging
    access_log /var/log/nginx/api.monacousa.org.access.log;
    error_log /var/log/nginx/api.monacousa.org.error.log;

    # Client body size
    client_max_body_size 50M;

    # Rate limiting (higher for API)
    limit_req zone=api_limit burst=50 nodelay;

    # CORS preflight
    location / {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, apikey, x-client-info';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Longer timeout for realtime connections
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}

# Supabase Studio - studio.monacousa.org (optional, for admin access)
server {
    listen 80;
    listen [::]:80;
    server_name studio.monacousa.org;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name studio.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Basic auth protection for studio
    auth_basic "Monaco USA Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Logging
    access_log /var/log/nginx/studio.monacousa.org.access.log;
    error_log /var/log/nginx/studio.monacousa.org.error.log;

    location / {
        proxy_pass http://studio_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}