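# Reverse proxy in front of the application stack.  nginx listens on plain
# HTTP only and forwards to the backend / frontend containers by name.  If
# TLS exists it is terminated in front of this server (see the
# X-Forwarded-Proto note below).
server {
    listen 80;
    server_name _;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # ── Rate-limiting zones ───────────────────────────────────────────────
    # The `api` and `auth` zones used below must be declared with
    # limit_req_zone in the http{} context (nginx.conf); this file only
    # applies them.  Throttled requests answer 429 rather than the default
    # 503 so clients and monitoring can tell rate limiting from an outage.
    limit_req_status 429;

    # ── Security headers ──────────────────────────────────────────────────
    # `always` attaches them to error responses too.  NOTE: add_header is
    # inherited by a location only if that location sets no add_header of
    # its own — adding a header inside a location drops all of these there.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy XSS auditor is explicitly disabled ("0"): current guidance
    # (OWASP) is to turn it off because the auditor has been abused for
    # cross-site leaks and current browsers ignore it anyway.  Its replacement
    # is Content-Security-Policy, not set here because it depends on the
    # frontend's asset origins — TODO define one with the frontend team.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # ── Internal Docker resolver ──────────────────────────────────────────
    # Upstream hostnames are resolved per request (proxy_pass with a
    # variable, below) so a container that restarts with a new IP does not
    # require an nginx reload; `valid=30s` bounds how long a stale answer
    # is reused.
    resolver 127.0.0.11 valid=30s ipv6=off;

    # Declared once at server level (rewrite-phase `set` runs before
    # location matching) instead of being repeated in every location.
    set $backend_upstream  http://backend:8000;
    set $frontend_upstream http://frontend:3000;

    # ── Backend API ───────────────────────────────────────────────────────
    location /api/ {
        limit_req zone=api burst=20 nodelay;

        proxy_pass $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # $remote_addr is the TCP peer.  If a load balancer sits in front of
        # this container it is the LB's address: configure the real_ip
        # module (set_real_ip_from / real_ip_header) there, and make sure the
        # backend trusts only the right-most X-Forwarded-For entry, since
        # $proxy_add_x_forwarded_for appends to a client-supplied header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # With only `listen 80` $scheme is always "http".  If TLS is
        # terminated upstream, forward the terminator's X-Forwarded-Proto
        # instead, otherwise the backend builds http:// URLs — TODO confirm.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Clear the hop-by-hop header so an upstream keepalive pool can be
        # used if one is added later.
        proxy_set_header Connection "";

        proxy_connect_timeout 30s;
        proxy_send_timeout 120s;
        proxy_read_timeout 120s;

        # Attachment uploads up to 50 MB.  This applies to every /api/ route;
        # if only one route accepts uploads, scope the limit to that location.
        client_max_body_size 50m;
    }

    # ── Login endpoint with a tighter limit ───────────────────────────────
    # Longest-prefix match: this location wins over /api/ for the login
    # path only.  Other authentication routes (registration, password
    # reset, token refresh, …) still fall under the looser `api` zone —
    # add them here if they exist.
    location /api/v1/auth/login {
        limit_req zone=auth burst=5 nodelay;

        proxy_pass $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
    }

    # ── Health check ──────────────────────────────────────────────────────
    # As written this is reachable by anyone who can reach port 80.  Restrict
    # it to the monitoring / orchestrator source addresses once they are
    # known; 127.0.0.1 covers a container-local HEALTHCHECK.  Docker bridge
    # networks normally fall inside 172.16.0.0/12 — verify before enabling.
    location /health {
        # allow 127.0.0.1;
        # allow 10.0.0.0/8;
        # allow 172.16.0.0/12;
        # deny all;

        proxy_pass $backend_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
        # Health probes would otherwise dominate the access log.
        access_log off;
    }

    # ── PRODUCTION: interactive API docs disabled ─────────────────────────
    # Prefix locations, so /docs/oauth2-redirect and similar are covered.
    # The schema (/openapi.json) is blocked as well: it enumerates every
    # route and parameter.
    location /docs {
        return 404;
    }
    location /redoc {
        return 404;
    }
    location /openapi.json {
        return 404;
    }

    # ── WebSocket ─────────────────────────────────────────────────────────
    location /ws/ {
        proxy_pass $backend_upstream;
        proxy_http_version 1.1;
        # Upgrade handshake.  "upgrade" is hard-coded because this path is
        # WebSocket-only; a shared map $connection_upgrade is not needed.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Same client-identity headers as /api/, so the backend can apply
        # the same origin / IP checks to socket connections.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long-lived idle connections: do not drop them after the default
        # 60 s without traffic.
        proxy_read_timeout 3600s;
        # NOTE(review): the handshake is not rate-limited; if reconnect
        # storms are a concern, apply `limit_req zone=api …` here too.
    }

    # ── React frontend (static build) ─────────────────────────────────────
    # In production the frontend is served as static files by a separate
    # nginx container (or the same container with a shared volume).  Here
    # the frontend container is responsible for serving the files, so this
    # location is a plain proxy.  No proxy_cache is configured in this
    # server, so asset caching relies on the Cache-Control headers the
    # frontend container emits (Vite hashes filenames, so they can be
    # long-lived there).
    location / {
        proxy_pass $frontend_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
    }
}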