server {
    listen 80;
    server_name localhost;

    # Redirect HTTP → HTTPS in produzione (commentato per dev)
    # return 301 https://$host$request_uri;

    # Resolver Docker interno – re-risolve i nomi dei container ogni 30s
    resolver 127.0.0.11 valid=30s ipv6=off;

    # ── API Backend ───────────────────────────────────────────────────────────
    location /api/ {
        limit_req zone=api burst=20 nodelay;

        set $backend_upstream http://backend:8000;
        proxy_pass         $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Connection        "";

        # Timeout generosi per operazioni lunghe (es. generazione QR)
        proxy_connect_timeout 30s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;

        # Upload allegati fino a 50MB
        client_max_body_size 50m;
    }

    # ── Auth endpoint con rate limiting più stretto ────────────────────────────
    location /api/v1/auth/login {
        limit_req zone=auth burst=5 nodelay;

        set $backend_upstream http://backend:8000;
        proxy_pass         $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # ── Health check ──────────────────────────────────────────────────────────
    location /health {
        set $backend_upstream http://backend:8000;
        proxy_pass $backend_upstream;
        access_log off;
    }

    # ── Swagger UI (solo dev) ─────────────────────────────────────────────────
    location /docs {
        set $backend_upstream http://backend:8000;
        proxy_pass $backend_upstream;
    }
    location /redoc {
        set $backend_upstream http://backend:8000;
        proxy_pass $backend_upstream;
    }
    location /openapi.json {
        set $backend_upstream http://backend:8000;
        proxy_pass $backend_upstream;
    }

    # ── WebSocket ─────────────────────────────────────────────────────────────
    location /ws/ {
        set $backend_upstream http://backend:8000;
        proxy_pass         $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host       $host;
        proxy_read_timeout 3600s;
    }

    # ── Frontend React (Vite dev server) ─────────────────────────────────────
    location / {
        set $frontend_upstream http://frontend:3000;
        proxy_pass         $frontend_upstream;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 86400s;
    }

    # ── Vite HMR WebSocket ────────────────────────────────────────────────────
    location /@vite/ {
        set $frontend_upstream http://frontend:3000;
        proxy_pass         $frontend_upstream;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}