# nginx.conf
worker_processes  auto;
user nginx;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    client_max_body_size 50m;

    sendfile        on;
    keepalive_timeout  65;

    # Content Security Policy - organized for better readability
    map $request_uri $csp_policy {
        default "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src * data: blob:; connect-src 'self' http://127.0.0.1:8000 http://localhost:8000 ws: wss: https://api.paylibo.com; font-src 'self' data: https://fonts.gstatic.com";
    }

    server {
        listen 80;
        server_name _;

        # -------------------------
        # React frontend
        # -------------------------
        root /usr/share/nginx/html;
        index index.html;

        location / {
            try_files $uri /index.html;
            # Ensure CSP is present on SPA document responses too
            add_header Content-Security-Policy $csp_policy always;
        }

        # -------------------------
        # Django backend API
        # -------------------------

        # Serve Django static and media volumes mounted into the container
        location /static/ {
            alias /app/collectedstaticfiles/;
        }

        location /media/ {
            alias /app/media/;
        }

        # Same-origin proxy for API -> avoids CORS and allows cookies
        location /api {
            return 301 /api/;
        }
        location /api/ {
            proxy_pass         http://backend:8000;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header   Connection "";
            proxy_buffering    off;
            client_max_body_size 50m;

            # Ensure CSP is also present on proxied responses
            add_header Content-Security-Policy $csp_policy always;
        }

        # -------------------------
        # Security headers
        # -------------------------
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        
        # CSP Policy - Centrally defined above for better maintainability
        # To add new domains, update the $csp_policy map above
        # Development: More permissive for external resources
        # Production: Should be more restrictive and use nonces/hashes where possible
        add_header Content-Security-Policy $csp_policy always;
    }
}