# Main nginx configuration
worker_processes auto;
error_log /dev/stderr warn;
pid /tmp/nginx.pid;  # Use writable location for PID

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    access_log /dev/stdout;
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;
    absolute_redirect off;

    map $http_origin $cors_origin {
        default "";
        "~*" $http_origin;
    }

    resolver 127.0.0.11 valid=10s ipv6=off;

    upstream backend {
        server ${API_BASE_URL}:${API_PORT};
    }

    server {
        listen 7070;
        server_name localhost;
        root /usr/share/nginx/html;
        index index.html;

        # Handle client-side routing
        location / {
            root /usr/share/nginx/html;
            index index.html;
            try_files $uri $uri/ /index.html;

            # Security headers
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "DENY";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
        }

        # Serve config.js from the writable location
        location = /config.js {
            alias /runtime-config/config.js;
            add_header Cache-Control "no-store, no-cache, must-revalidate";
            access_log off;
        }

        location ^~ /api/ {
            # Proxy to Quarkus
            proxy_pass         http://backend;
            proxy_http_version 1.1;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   Upgrade           $http_upgrade;
            proxy_set_header   Connection        "upgrade";

            # Relay CORS headers from the backend
            proxy_pass_header  Access-Control-Allow-Origin;
            proxy_pass_header  Access-Control-Allow-Methods;
            proxy_pass_header  Access-Control-Allow-Headers;
            proxy_pass_header  Access-Control-Allow-Credentials;
        }

        # Cache static assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # Security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
    }
}