user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll;
    multi_accept on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Logging format
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    # Performance
    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;
    keepalive_timeout  65;
    gzip            on;
    gzip_types      text/plain text/css application/json application/javascript
                    text/xml application/xml application/xml+rss text/javascript;

    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # Hide nginx version
    server_tokens off;

    # IP reale del client: legge X-Forwarded-For impostato da Nginx Proxy Manager
    # Fidati dell'IP interno di NPM e delle subnet Docker
    set_real_ip_from  10.0.30.254;
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  10.0.0.0/8;
    set_real_ip_from  127.0.0.1;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Rate limiting zones
    limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/m;
    limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;

    include /etc/nginx/conf.d/*.conf;
}