server { # Redirect HTTP to HTTPS
listen 80;
server_name YourDomain www.YourDomain;
return 301 https://$server_name$request_uri;
}

server {

    # No longer listening on public 443/TCP, change to listening on internal port
    listen 127.0.0.1:4443 ssl;
    http2 on;
    
    ssl_protocols TLSv1.2 TLSv1.3;

    server_name YourDomain www.YourDomain;

    # Redirect bare domain to www
    if ($host = 'YourDomain') {
        return 301 https://www.YourDomain$request_uri;
    }

    # SSL Configuration (using placeholder certs for Certbot)
    # Certbot will find this block and replace these with the real certificates.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # SSL Optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Modern Configuration
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (Enable with caution)
    # add_header Strict-Transport-Security "max-age=63072000" always;

    # Define the root path of the frontend build artifacts inside the container
    # !!! Important: Please modify this path to the actual path of your frontend project build inside the Nginx container !!!
    set $frontend_build_root path/to/PrivyDrop/frontend;

    # 1. Prioritize handling of Next.js core static resources (_next/static)
    location /_next/static/ {
        alias $frontend_build_root/.next/static/;
        expires 365d;             # Long-term cache
        access_log off;           # Disable access log for this path
        add_header Cache-Control "public"; # Explicitly inform the browser that it can be cached publicly
    }

    # WebSocket signaling server configuration
    location /socket.io/ {
        proxy_pass http://localhost:3001/socket.io/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS Configuration
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

        # WebSocket related optimizations
        proxy_read_timeout 86400;     # 24h
        proxy_send_timeout 86400;     # 24h
        proxy_connect_timeout 7d;
        proxy_buffering off;
    }
    # Backend API address -- forward
    location /api/ {
        proxy_pass http://localhost:3001/api/; # Backend API address -- forward
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Modify CORS configuration, only set one Origin
        add_header Access-Control-Allow-Origin "https://www.privydrop.app" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
        add_header Access-Control-Allow-Credentials "true" always;

    }
    # Next.js Image Optimization Service (usually handled by the Next.js application)
    location /_next/image {
        proxy_pass http://localhost:3002; # Point to the Next.js application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    # 2. Handle static files under the public directory and Next.js dynamic requests
    #    This location should be after specific proxies (like /api/, /socket.io/),
    #    but it can be before or after /_next/static/ because they match different paths.
    #    For clarity, we put it here.
    location / {
        # root points to the parent directory of the public directory, which is the root directory of the frontend build artifacts
        root $frontend_build_root/public;

        # Try to find files in order:
        # 1. $uri: as a file in the public directory (e.g., /image.png -> $frontend_build_root/public/image.png)
        # 2. @nextjs: If none of the above are found, pass the request to the Next.js application for processing
        try_files $uri @nextjs_app;
    }
    # Named location, used to proxy requests to the Next.js application
    location @nextjs_app {
        proxy_pass http://localhost:3002; # Point to the Next.js application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}

server { # Add a server block for Certbot to install certificates for TURN server
listen 80;
server_name TurnServerName;

    # Only process Let's Encrypt validation requests
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

}