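# Default server configuration for HTTP that redirects to HTTPS
server {
    if ($host = www.jaredlog.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = zappy.jaredlog.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.jaredlog.com zappy.jaredlog.com;

    # Catch-all for every other Host reaching port 80 (this block is the
    # default_server). $server_name is the first name listed above, not the
    # client-supplied Host header, so the redirect target stays fixed.
    return 301 https://$server_name$request_uri;
}

# HTTPS server: static site from /var/www/html plus the "readitlater"
# application proxied to a backend on 127.0.0.1:8013.
server {
    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.jaredlog.com zappy.jaredlog.com;

    ssl_certificate /etc/letsencrypt/live/zappy.jaredlog.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/zappy.jaredlog.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/html;

    # NOTE(review): index.php is listed but this server block defines no PHP
    # handler. A .php file under the root would be served by "location /" as a
    # plain static file. Drop index.php if PHP is not intended here.
    index index.php index.html index.htm index.nginx-debian.html;

    # Allow larger uploads (e.g., 15MB)
    # NOTE(review): this limit is server-wide, so it also applies to the
    # unauthenticated API location below. Consider a tighter per-location value
    # there if the API does not need 15M bodies.
    client_max_body_size 15M;

    location / {
        # First attempt to serve request as file, then as directory, then fall back to 404.
        try_files $uri $uri/ =404;
    }

    # Keep the trailing slash on both the location prefix and the alias path;
    # a mismatch between the two is a known path-traversal misconfiguration.
    location /readitlater/static/ {
        alias /var/www/readitlater/static/;
        # "expires 7d" already emits Cache-Control: max-age=604800; the
        # add_header below sends a second Cache-Control carrying "public".
        expires 7d;
        add_header Cache-Control "public, max-age=604800";
    }

    # Security headers
    # NOTE(review): currently disabled. If re-enabled here, they are NOT
    # inherited by a location that declares its own add_header (the static
    # location above), so they would have to be repeated inside it.
    #add_header X-Frame-Options "SAMEORIGIN" always;
    #add_header X-Content-Type-Options "nosniff" always;
    #add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Limit abuse
    # NOTE(review): limit_req_zone is only valid in the http{} context, so
    # uncommenting it inside this server block fails the config test. Declare
    # the zone in http{} and reference it with "limit_req zone=api;" in the API
    # location below.
    #limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;

    # API (no Basic Auth; lets the Chrome extension call it)
    # With proxy-level auth off and rate limiting disabled above, the backend
    # on :8013 is the only thing authenticating and throttling these requests.
    location ^~ /readitlater/api/ {
        auth_basic off;
        proxy_pass http://127.0.0.1:8013;  # <-- no trailing /
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent. For security decisions the backend
        # should rely on X-Real-IP or only the last entry, assuming this nginx
        # is the first hop (TODO confirm).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Health check (exempt from Basic Auth)
    location = /readitlater/healthz {
        auth_basic off;
        proxy_pass http://127.0.0.1:8013;  # <-- no trailing /
        # Same upstream protocol and client-IP header as the other two proxied
        # locations, so backend logs stay consistent.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # UI (protected by Basic Auth)
    # NOTE(review): no auth_basic / auth_basic_user_file directive is visible
    # in this server block or this location. Unless one is inherited from the
    # http{} level in another file, the UI is NOT password-protected and the
    # "auth_basic off" lines above are no-ops. Verify with "nginx -T", and if
    # it is missing add something like the following (path is a PLACEHOLDER):
    #auth_basic "Restricted";
    #auth_basic_user_file /path/to/htpasswd;
    location /readitlater/ {
        proxy_pass http://127.0.0.1:8013;  # <-- no trailing /
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 65;
    }
}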