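# ==============================================================================
# api.goodgo.vn — NestJS API Backend
# Proxied by Cloudflare (Full Strict SSL) → Nginx → Docker (127.0.0.1:3001)
#
# Trust boundary: this vhost is meant to be reached only through Cloudflare,
# but nothing in this file stops a client from connecting straight to the
# origin IP. The Cloudflare Origin Certificate is not browser-trusted, which
# is an annoyance for such a client, not a control: direct connections bypass
# Cloudflare's WAF and its edge rate limiting. Enforce the boundary elsewhere —
# firewall 443 to Cloudflare's published ranges (https://www.cloudflare.com/ips/)
# and/or enable Cloudflare Authenticated Origin Pulls on this server block
# (ssl_client_certificate <Cloudflare origin-pull CA>; ssl_verify_client on;).
# ==============================================================================
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.goodgo.vn;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Cloudflare Origin Certificate. It is trusted by Cloudflare only; "Full
    # (Strict)" means Cloudflare validates it against its own origin CA.
    ssl_certificate     /etc/ssl/goodgo/origin.pem;
    ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous "HIGH:!aNULL:!MD5" still
    # admitted static-RSA key exchange (no forward secrecy) and CBC suites.
    # Both RSA and ECDSA origin keys are covered. TLS 1.3 suites are not
    # governed by ssl_ciphers and keep the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Client IP recovery. Behind Cloudflare, $remote_addr is a Cloudflare edge
    # address, so anything keyed on it — the X-Real-IP header set below, and
    # the api_limit zone if it is keyed on $binary_remote_addr (its definition
    # lives in performance.conf, not here) — sees a handful of edge IPs instead
    # of individual clients. The realip module substitutes CF-Connecting-IP,
    # but ONLY for connections from addresses listed in set_real_ip_from; that
    # list (Cloudflare's published IPv4/IPv6 ranges) must be maintained in the
    # http context and this directive is inert until it exists. Never use
    # 0.0.0.0/0 there: it would let direct-to-origin clients spoof their IP.
    real_ip_header CF-Connecting-IP;

    # Security headers. "always" attaches them to 4xx/5xx responses too.
    # nginx rule: a location that declares its own add_header inherits NONE of
    # these — keep add_header out of the location blocks below, or repeat the
    # full set there. If the app also sets these (e.g. via helmet) the client
    # will see duplicates; pick one layer.
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # "0" disables the legacy XSS auditor. "1; mode=block" is deprecated and
    # the auditor itself was abused for cross-site information leaks in older
    # browsers; current guidance is to turn it off and rely on CSP/nosniff.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # HSTS. "preload" only takes effect through the apex domain's preload-list
    # submission (which reaches api.goodgo.vn via includeSubDomains); on this
    # hostname the flag is harmless. Cloudflare may also emit HSTS at the edge.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Express sets X-Powered-By unless the app disables it; strip it here so
    # the framework is not advertised regardless of app configuration.
    proxy_hide_header X-Powered-By;

    # Request size limit (file uploads). Applies to every location below.
    client_max_body_size 50m;

    # API endpoints
    location / {
        # Rate limiting (zone defined in /etc/nginx/conf.d/performance.conf)
        limit_req zone=api_limit burst=50 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;

        # Standard proxy headers. X-Forwarded-For APPENDS to whatever the
        # client and Cloudflare already sent, so the backend must not trust its
        # left-most entry; X-Real-IP is the single value to use once realip is
        # configured (until then it carries the Cloudflare edge address).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;

        # Disable buffering for streaming responses
        proxy_buffering off;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout    120s;
        proxy_read_timeout    120s;
    }

    # WebSocket endpoint for notifications/realtime.
    # The prefix match is kept because the exact upstream path under /ws is not
    # visible here. The HTTP upgrade handshake is rate-limited with the same
    # zone as the API: previously any URI beginning with /ws (including plain,
    # non-upgrade requests) reached the backend with no throttling at all.
    # Handshakes are one request per connection, so the API budget is ample.
    location /ws {
        limit_req zone=api_limit burst=50 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";

        # Longer timeout for persistent connections
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # Health/readiness probes: exempt from rate limiting and access logging.
    # These are EXACT matches (=). The previous prefix form "location /health"
    # also matched /healthz, /health-anything and /health/..., giving every
    # such URI an unthrottled, unlogged path to the backend. Any sub-path the
    # app may serve under /health or /ready now falls through to "/" instead —
    # still proxied, just rate-limited and logged like the rest of the API.
    # NOTE(review): both are reachable by anyone through Cloudflare; confirm
    # the NestJS responses do not reveal dependency hostnames or versions.
    location = /health {
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        access_log off;
    }

    location = /ready {
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        access_log off;
    }

    # Metrics endpoint: never exposed through the proxy. allow/deny evaluates
    # $remote_addr AFTER realip substitution, so traffic arriving via Cloudflare
    # carries the client's address and is denied (403); only a connection from
    # the origin host itself (127.0.0.1/::1) is allowed. The prefix match is
    # deliberate — /metrics... of any form is denied.
    # NOTE(review): whether Prometheus actually scrapes through this vhost (it
    # would need Host: api.goodgo.vn over TLS) or reads 127.0.0.1:3001 directly
    # is not visible here; the deny is the control either way.
    # access_log is intentionally NOT disabled here: a 403 on /metrics from an
    # external address is a cheap reconnaissance signal worth keeping.
    location /metrics {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }

    # Logging
    access_log /var/log/nginx/api.goodgo.vn.access.log;
    error_log  /var/log/nginx/api.goodgo.vn.error.log;
}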