# Nginx Configuration Example for GNX Web Application
# This configuration shows how to set up nginx as a reverse proxy
# to secure the Django API backend

# API Key Configuration:
# - In DEBUG mode, Django will auto-generate a secure API key if not set
# - To get the current API key, run: python manage.py show_api_key
# - Add the key to your Django .env file as INTERNAL_API_KEY
# - Use the same key in this nginx config (see line 69)
# - In production, you MUST set INTERNAL_API_KEY explicitly in .env

upstream django_backend {
    # Django backend running on internal network only
    server 127.0.0.1:8000;
    keepalive 32;
}

upstream nextjs_frontend {
    # Next.js frontend
    server 127.0.0.1:3000;
    keepalive 32;
}

# Rate limiting zones
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=general_limit:10m rate=30r/s;

server {
    listen 80;
    server_name gnxsoft.com www.gnxsoft.com;
    
    # Redirect HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name gnxsoft.com www.gnxsoft.com;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/gnxsoft.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gnxsoft.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;

    # Logging
    access_log /var/log/nginx/gnxsoft_access.log;
    error_log /var/log/nginx/gnxsoft_error.log;

    # Client body size limit
    client_max_body_size 10M;

    # API Endpoints - Proxy to Django backend
    # These requests will have the X-Internal-API-Key header added
    location /api/ {
        # Rate limiting
        limit_req zone=api_limit burst=20 nodelay;
        
        # Add custom header to prove request came through nginx
        # This value must match INTERNAL_API_KEY in Django settings
        # Get the current key with: python manage.py show_api_key
        # In development, Django auto-generates this key if not set
        set $api_key "YOUR_SECURE_API_KEY_HERE";
        proxy_set_header X-Internal-API-Key $api_key;
        
        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        
        # Preserve original request headers
        proxy_set_header Origin $http_origin;
        proxy_set_header Referer $http_referer;
        
        # Proxy settings
        proxy_pass http://django_backend;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }

    # Media files - Serve from Django
    location /media/ {
        alias /path/to/gnx/backEnd/media/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Static files - Serve from Django
    location /static/ {
        alias /path/to/gnx/backEnd/staticfiles/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Admin panel - Only allow from specific IPs (optional)
    location /admin/ {
        # Uncomment to restrict admin access
        # allow 192.168.1.0/24;
        # allow 10.0.0.0/8;
        # deny all;
        
        # Same proxy settings as /api/
        # Use the same API key as /api/ location above
        set $api_key "YOUR_SECURE_API_KEY_HERE";
        proxy_set_header X-Internal-API-Key $api_key;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        proxy_pass http://django_backend;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    # Frontend - Proxy to Next.js
    location / {
        # Rate limiting
        limit_req zone=general_limit burst=50 nodelay;
        
        # Proxy to Next.js frontend
        proxy_pass http://nextjs_frontend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Health check endpoint (optional)
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}

# Block direct access to backend port 8000 from external IPs
# This should be done at the firewall level:
# ufw deny 8000
# iptables -A INPUT -p tcp --dport 8000 ! -s 127.0.0.1 -j DROP