server {
    # Redirect HTTP to HTTPS
    listen 80;
    server_name YourDomain www.YourDomain;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;      # Listen on TCP port 443, supporting HTTP/2 and SSL
    listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3
    # 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC

    # Ensure that the SSL protocol includes at least TLSv1.3, as HTTP/3 requires TLSv1.3
    ssl_protocols TLSv1.3 TLSv1.2; # Make sure TLSv1.3 is at the front

    # Add HTTP/3 specific headers to inform the browser that HTTP/3 is available
    # Alt-Svc (Alternative Service) header
    # h3=":443" indicates that HTTP/3 is available on the current domain and port 443
    # ma=86400 means this information is cached for 24 hours (86400 seconds)
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # (Optional, but recommended) Enable 0-RTT data to further reduce latency
    # Requires support from both client and server
    ssl_early_data on;

    server_name YourDomain www.YourDomain;
    
    # SSL Configuration (using placeholder certs for Certbot)
    # Certbot will find this block and replace these with the real certificates.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    
    # SSL Optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Modern Configuration
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (Enable with caution)
    # add_header Strict-Transport-Security "max-age=63072000" always;
    
    # Define the root path of the frontend build artifacts inside the container
    # !!! Important: Please modify this path to the actual path of your frontend project build inside the Nginx container !!!
    set $frontend_build_root path/to/your/frontend_build_root;

    # 1. Prioritize handling of Next.js core static resources (_next/static)
    location /_next/static/ {
        alias $frontend_build_root/.next/static/;
        expires 365d;             # Long-term cache
        access_log off;           # Disable access log for this path
        add_header Cache-Control "public"; # Explicitly inform the browser that it can be cached publicly
    }

    # WebSocket signaling server configuration
    location /socket.io/ {
        proxy_pass http://localhost:3001/socket.io/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # CORS Configuration
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

        # WebSocket related optimizations
        proxy_read_timeout 86400;     # 24h
        proxy_send_timeout 86400;     # 24h
        proxy_connect_timeout 7d;
        proxy_buffering off;
    }
    # Backend API address -- forward
    location /api/ {
        proxy_pass http://localhost:3001/api/; # Backend API address -- forward
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Modify CORS configuration, only set one Origin
        add_header Access-Control-Allow-Origin "https://www.privydrop.app" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
        add_header Access-Control-Allow-Credentials "true" always;
        
    }
    # Next.js Image Optimization Service (usually handled by the Next.js application)
    location /_next/image {
        proxy_pass http://localhost:3000; # Point to the Next.js application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    # 2. Handle static files under the public directory and Next.js dynamic requests
    #    This location should be after specific proxies (like /api/, /socket.io/),
    #    but it can be before or after /_next/static/ because they match different paths.
    #    For clarity, we put it here.
    location / {
        # root points to the parent directory of the public directory, which is the root directory of the frontend build artifacts
        root $frontend_build_root/public;

        # Try to find files in order:
        # 1. $uri: as a file in the public directory (e.g., /image.png -> $frontend_build_root/public/image.png)
        # 2. @nextjs: If none of the above are found, pass the request to the Next.js application for processing
        try_files $uri @nextjs_app;
    }
    # Named location, used to proxy requests to the Next.js application
    location @nextjs_app {
        proxy_pass http://localhost:3000; # Point to the Next.js application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}