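# Dokku nginx template (sigil): {{ ... }} placeholders are filled in at deploy time.
# Terminates TLS, redirects plain HTTP to HTTPS, and proxies / and /graphql plus
# static assets to the app upstream on port 8000.

# On-disk response cache shared by the proxied API location below.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=discoursio_cache:10m max_size=1g inactive=60m use_temp_path=off;

# NOTE(review): these two zones are only declared. No limit_conn / limit_req
# directive in this template applies them, so no connection or request limiting
# is in effect unless it is applied elsewhere (for example in an included
# nginx.conf.d/*.conf file). Confirm.
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=20r/s;

# Plain HTTP: redirect everything to HTTPS.
server {
  listen 80;
  server_name {{ $.NOSSL_SERVER_NAME }};
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  # NOTE(review): Dokku also exposes SSL_SERVER_NAME (names covered by the
  # certificate); confirm NOSSL_SERVER_NAME is intended on the TLS listener.
  server_name {{ $.NOSSL_SERVER_NAME }};

  ssl_certificate     {{ $.APP_SSL_PATH }}/server.crt;
  ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key;

  # Secure SSL protocols and ciphers
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # The EDH (DHE) entries only take effect when ssl_dhparam is configured.
  # NOTE(review): AES256+EECDH also admits CBC-mode suites for TLSv1.2;
  # confirm that is intended.
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;

  # Security headers.
  # "always" makes nginx emit them on error responses as well.
  # add_header is inherited by a location only if that location defines no
  # add_header of its own, so any location that adds a header must repeat these.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Frame-Options SAMEORIGIN always;
  # Legacy header kept from the original config; current browsers ignore it and
  # a Content-Security-Policy is the replacement control.
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options nosniff always;

  # Logging
  access_log /var/log/nginx/{{ $.APP }}-access.log;
  error_log  /var/log/nginx/{{ $.APP }}-error.log;

  # Performance and security settings
  client_max_body_size 100M;
  client_header_timeout 10s;
  client_body_timeout 10s;
  send_timeout 10s;
  keepalive_timeout 70;
  keepalive_requests 500;
  proxy_read_timeout 3600;

  # API entry point: matches exactly "/" and "/graphql" (case-insensitive).
  location ~* ^/(?:graphql)?$ {
    proxy_pass http://{{ $.APP }}-8000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start $msec;

    # Cache settings
    proxy_cache discoursio_cache;
    # The default cache key does not include credentials, so a cacheable
    # response to an authenticated request could be replayed to another client.
    # Requests carrying credentials neither read from nor populate the cache.
    # Narrow $http_cookie to the session cookie if anonymous clients send
    # unrelated cookies and the hit rate matters.
    proxy_cache_bypass $http_authorization $http_cookie;
    proxy_no_cache     $http_authorization $http_cookie;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 2;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_background_update on;
    proxy_cache_lock on;
  }

  # Static assets, selected by file extension.
  location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {
    proxy_pass http://{{ $.APP }}-8000;
    proxy_set_header Host $http_host;
    expires 30d;
    add_header Cache-Control "public, no-transform";

    # This location defines its own add_header, which switches off inheritance
    # of the server-level security headers; repeat them here so asset responses
    # still carry HSTS, nosniff and the framing policy.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;

    # Gzip settings for static files
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level 6;
  }

  # Per-app overrides. Paths not matched by the two locations above are not
  # proxied by this template; they get nginx's default handling unless a file
  # included here adds further locations.
  include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf;
}

# One upstream per entry in PROXY_UPSTREAM_PORTS, named <app>-<port>. The
# proxy_pass targets above hard-code the <app>-8000 upstream, so 8000 has to be
# in that list for them to reach the app containers.
{{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }}
upstream {{ $.APP }}-{{ $upstream_port }} {
{{ range $listeners := $.DOKKU_APP_WEB_LISTENERS | split " " }}
{{ $listener_list := $listeners | split ":" }}
{{ $listener_ip := index $listener_list 0 }}
{{ $listener_port := index $listener_list 1 }}
  server {{ $listener_ip }}:{{ $upstream_port }};
{{ end }}
}
{{ end }}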