# ==============================================================================
# platform.goodgo.vn — Next.js Web Frontend
# Proxied by Cloudflare (Full Strict SSL) → Nginx → Docker (127.0.0.1:3000)
# ==============================================================================

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name platform.goodgo.vn;

    # Cloudflare Origin Certificate
    ssl_certificate     /etc/ssl/goodgo/origin.pem;
    ssl_certificate_key /etc/ssl/goodgo/origin-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Security headers (supplement Cloudflare's)
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Trust Cloudflare's Authenticated Origin Pull
    # ssl_client_certificate /etc/ssl/cloudflare/authenticated_origin_pull_ca.pem;
    # ssl_verify_client on;

    # Next.js application
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # Standard proxy headers
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;

        # WebSocket support (Next.js HMR in dev, real-time features)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Next.js specific: disable buffering for streaming/SSR
        proxy_buffering off;
        proxy_cache     off;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;
    }

    # Next.js static assets — long cache
    location /_next/static/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # Aggressive caching for immutable hashed assets
        proxy_cache_valid 200 365d;
        add_header Cache-Control "public, max-age=31536000, immutable";
    }

    # Favicon and static public files
    location /favicon.ico {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        access_log off;
        log_not_found off;
    }

    # Health check (for Cloudflare/monitoring)
    location /api/health {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        access_log off;
    }

    # Logging
    access_log /var/log/nginx/platform.goodgo.vn.access.log;
    error_log  /var/log/nginx/platform.goodgo.vn.error.log;
}