# ==============================================================================
# HTTP → HTTPS redirect for all GoodGo domains
# Cloudflare also enforces this, but this catches direct-IP access.
# ==============================================================================

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name platform.goodgo.vn api.goodgo.vn grafana.goodgo.vn;

    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

# Catch-all for direct IP access — return 444 (drop connection)
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    ssl_certificate     /etc/ssl/goodgo/origin.pem;
    ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;

    # Drop connections that don't match any server_name
    return 444;
}