# WAF-like rules
map $request_uri $blocked_uris {
    default 0;
    ~*(/\.env|/\.git|/\.aws|/wp-admin) 1;
}

# Rate limiting zone
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

# Cache zones
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static_assets:10m max_size=100m inactive=24h;
proxy_cache_path /var/cache/nginx_dynamic levels=1:2 keys_zone=dynamic_content:5m max_size=50m inactive=1h;

upstream haproxy_backend {
    server haproxy-dev:9000;
}

# Cloudflare IP ranges
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;

server {
    listen 80;
    server_name ${server_name};

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${server_name};

    ssl_certificate /etc/nginx/certs/current.crt;
    ssl_certificate_key /etc/nginx/certs/current.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($blocked_uris) { return 403; }

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Permissions-Policy "geolocation=(), microphone=()";

    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    location = /edge-health {
        access_log off;
        return 204;
    }

    location = /git {
        return 301 /git/;
    }

    location ^~ /git/ {
        limit_req zone=one burst=20 nodelay;
        client_max_body_size 512m;

        proxy_pass http://${backend_host}:${gitea_backend_port}/;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Prefix /git;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
        proxy_redirect off;
        add_header Cache-Control "no-store";
    }

    location ^~ /demo-apps/ {
        limit_req zone=one burst=20 nodelay;

        proxy_pass http://${backend_host}:${demos_backend_port}/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;

        proxy_cache static_assets;
        proxy_cache_valid 200 301 302 15m;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header X-Nginx-Cache "$upstream_cache_status";
    }

    location ~* \.(css|js)$ {
        proxy_pass http://haproxy_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;

        proxy_cache static_assets;
        proxy_cache_valid 200 301 302 1h;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header X-Nginx-Cache "$upstream_cache_status";
        add_header Cache-Control "public, immutable, max-age=604800";
    }

    location ~* \.(jpg|jpeg|png|gif|ico|webp|svg)$ {
        proxy_pass http://haproxy_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;

        proxy_cache static_assets;
        proxy_cache_valid 200 301 302 1d;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header X-Nginx-Cache "$upstream_cache_status";
        add_header Cache-Control "public, immutable, max-age=2592000";
    }

    location / {
        limit_req zone=one burst=20 nodelay;

        proxy_pass http://haproxy_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;

        proxy_cache dynamic_content;
        proxy_cache_valid 200 301 302 5m;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        add_header X-Nginx-Cache "$upstream_cache_status";
    }
}