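# Dokku nginx vhost template (sigil / Go template syntax).
# For every "scheme:listen_port:upstream_port" entry in PROXY_PORT_MAP it renders
# one server block, and for every port in PROXY_UPSTREAM_PORTS one upstream pool.
#
# Headers forwarded to the app. Host is taken from the client request and
# X-Forwarded-For is appended to whatever the client already sent, so the
# application should treat both as untrusted input (only the last
# X-Forwarded-For hop is written by this proxy).
{{ $proxy_settings := "proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Request-Start $msec;" }}

{{ range $port_map := .PROXY_PORT_MAP | split " " }}
{{ $port_map_list := $port_map | split ":" }}
{{ $scheme := index $port_map_list 0 }}
{{ $listen_port := index $port_map_list 1 }}
{{ $upstream_port := index $port_map_list 2 }}

server {
{{ if eq $scheme "http" }}
    listen [::]:{{ $listen_port }};
    listen {{ $listen_port }};
    server_name {{ $.NOSSL_SERVER_NAME }};

    # Redirect HTTP to HTTPS. $server_name (configured value) is used rather
    # than the client-supplied Host header, so the redirect target cannot be
    # steered by the request.
    return 301 https://$server_name$request_uri;
{{ else if eq $scheme "https" }}
    listen [::]:{{ $listen_port }} ssl http2;
    listen {{ $listen_port }} ssl http2;
    server_name {{ $.NOSSL_SERVER_NAME }};

    # TLS configuration
    ssl_certificate {{ $.APP_SSL_PATH }}/server.crt;
    ssl_certificate_key {{ $.APP_SSL_PATH }}/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # TLS session handling
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify needs the issuer chain to be known to
    # nginx (in server.crt or via ssl_trusted_certificate); this template sets
    # no ssl_trusted_certificate, so confirm server.crt carries the
    # intermediates. OCSP responder lookups go through the public resolvers
    # below.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    # Baseline security headers. nginx inherits add_header from this level
    # only into locations that declare no add_header of their own, so any
    # location that adds a header must repeat these.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
{{ end }}

    # Hide the nginx version. Applied to every scheme so the plain-HTTP
    # redirect response does not disclose it either.
    server_tokens off;

    # Logging (dokku defaults)
    access_log /var/log/nginx/{{ $.APP }}-access.log;
    error_log /var/log/nginx/{{ $.APP }}-error.log;

    # Maximum accepted request body (upload) size
    client_max_body_size 100M;

    # Response compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json image/svg+xml;

    location / {
        proxy_pass http://{{ $.APP }}-{{ $upstream_port }};
        {{ $proxy_settings }}
    }

    # Static assets with long-lived caching
    location ~* \.(css|js|ico|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|eot)$ {
        proxy_pass http://{{ $.APP }}-{{ $upstream_port }};
        {{ $proxy_settings }}
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Vary "Accept-Encoding";
{{ if eq $scheme "https" }}
        # The add_header lines above switch off inheritance of the server-level
        # headers for this location, so the security headers are repeated here.
        # Keep this list in sync with the server-level one.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
{{ end }}
        access_log off;
    }

    # Additional per-app dokku configuration. A location defined in these
    # files that uses add_header also stops inheriting the server-level
    # security headers.
    include {{ $.DOKKU_ROOT }}/{{ $.APP }}/nginx.conf.d/*.conf;
}
{{ end }}

# One upstream pool per upstream port; each web listener contributes its IP,
# paired with the upstream port (the listener's own port is parsed but unused).
{{ range $upstream_port := $.PROXY_UPSTREAM_PORTS | split " " }}
upstream {{ $.APP }}-{{ $upstream_port }} {
{{ range $listeners := $.DOKKU_APP_WEB_LISTENERS | split " " }}
{{ $listener_list := $listeners | split ":" }}
{{ $listener_ip := index $listener_list 0 }}
{{ $listener_port := index $listener_list 1 }}
    server {{ $listener_ip }}:{{ $upstream_port }};
{{ end }}
}
{{ end }}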