##############################################################
# GMLM Platform — Nginx Load Balancer Configuration
# Used in Tier 4 (horizontal scaling) deployments.
# Routes traffic across multiple app server replicas.
##############################################################

# Only warnings and above reach the error log; one worker per CPU core.
error_log        /var/log/nginx/error.log warn;
worker_processes auto;

events {
    use                epoll;   # Linux-only event method; remove on other platforms
    multi_accept       on;      # a worker drains every pending connection per wakeup
    worker_connections 2048;    # per-worker cap; upstream (proxied) connections count too
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # ── Upstream app server pool ──────────────────────────────
    # Docker Swarm DNS resolves 'app' either to one virtual IP that Swarm spreads across
    # replicas (default endpoint_mode: vip) or to every replica address (dnsrr). nginx
    # looks the name up once at startup and caches the result, so reload after scaling.
    # 'least_conn' sends each request to the backend with the fewest active connections.
    upstream gmlm_app {
        # Fewest-active-connections balancing across whatever 'app' resolved to.
        least_conn;

        # NOTE(review): open-source nginx resolves this name once at startup and does not
        # re-resolve per request, so replicas added or removed later are invisible until a
        # reload. In Swarm's default VIP mode the name is a single virtual IP and the
        # per-replica spreading happens in the Swarm mesh, not via least_conn — confirm
        # the service's endpoint_mode matches what this comment assumes.
        server app:80;

        # Idle-connection cache towards the backends, per worker: an upper bound on kept
        # connections, not a reserved pool. It is only used when the proxying locations
        # speak HTTP/1.1 with an empty Connection header — check that
        # /etc/nginx/proxy_params (not visible here) sets proxy_http_version 1.1 and
        # proxy_set_header Connection "", otherwise every request opens a fresh TCP connection.
        keepalive_timeout  60s;
        keepalive_requests 1000;
        keepalive          32;
    }

    # ── Rate limiting ─────────────────────────────────────────
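    # Buckets are keyed by the client IP seen on the TCP socket. That is only meaningful
    # while this nginx is the internet-facing edge: once a CDN or another proxy sits in
    # front, every request arrives from that proxy's addresses and the whole limit
    # collapses onto them. Before fronting this with a CDN, switch the key to a trusted
    # client IP (realip module with set_real_ip_from restricted to the CDN's ranges).
    # Clients behind one NAT share a bucket; tune rates with that in mind.
    limit_req_zone  $binary_remote_addr zone=api:20m   rate=60r/m;   # ~1 req/s sustained
    limit_req_zone  $binary_remote_addr zone=login:10m rate=10r/m;   # credential endpoints

    # Rejected requests get 429 (Too Many Requests) instead of nginx's default 503, so
    # throttling is distinguishable from an upstream outage for clients and for alerting.
    # Rejections are logged at warn (they are not server errors).
    limit_req_status    429;
    limit_req_log_level warn;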

    # ── Gzip compression at LB level ──────────────────────────
    gzip            on;
    gzip_comp_level 4;    # moderate level: higher levels cost LB CPU for little extra saving
    gzip_vary       on;   # emit Vary: Accept-Encoding so caches keep both variants apart
    gzip_types      text/plain
                    text/css
                    application/javascript
                    application/json;
    # NOTE(review): text/html is compressed by nginx regardless of this list. Compressing
    # dynamic application/json over TLS is the BREACH setting — a response that carries a
    # secret (CSRF or session token) next to attacker-reflected request data leaks the
    # secret through the compressed length. Keep application/json here only if the API
    # never reflects input alongside secrets or mitigates this in the app; otherwise
    # remove it and compress static text types only.

    # ── HTTP → HTTPS ──────────────────────────────────────────
    server {
        listen 80;
        server_name _;
        # The redirect target is taken from the client's Host header: this server accepts
        # any name (server_name _), so a request with a crafted Host gets a 301 to that
        # host. Browsers derive Host from the URL, so this is not a classic open redirect,
        # but unverified input still ends up in a Location header (intermediary cache
        # poisoning, scanner findings). Once the canonical hostname is known, set it as
        # server_name, redirect to https://$server_name$request_uri instead, and add a
        # separate default_server on port 80 that returns 444 for every other Host.
        # $request_uri preserves the original path and query string verbatim.
        return 301 https://$host$request_uri;
    }

    # ── HTTPS Load Balancer ────────────────────────────────────
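    server {
        listen 443 ssl http2;      # 'http2 on;' is the newer spelling on nginx >= 1.25.1
        server_name _;

        # Do not advertise the nginx version in Server: headers and error pages.
        server_tokens off;

        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        # TLS 1.2 restricted to forward-secret AEAD suites. nginx's built-in default
        # (HIGH:!aNULL:!MD5) still allows RSA key exchange (no forward secrecy) and CBC
        # suites. TLS 1.3 suites are fixed by OpenSSL and unaffected by this list.
        # Client preference is honoured so mobile clients without AES-NI can pick CHACHA20.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
        ssl_session_cache   shared:SSL:50m;
        ssl_session_timeout 1d;
        # Session tickets are sealed with a key generated at nginx start and never rotated,
        # which removes forward secrecy for the whole 1d window; each LB replica also gets
        # a different key, so tickets would not resume across replicas anyway. Resume from
        # the cache only. Re-enable with a shared, rotated ssl_session_ticket_key file if
        # cross-replica resumption is ever needed.
        ssl_session_tickets off;

        # ── Security headers ──────────────────────────────────
        # nginx only inherits add_header into a location that declares no add_header of
        # its own — any location that adds one must repeat this entire set.
        # HSTS: port 80 already redirects to HTTPS, so pinning clients is consistent.
        # No includeSubDomains/preload until every subdomain is known to serve TLS.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options       "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff"   always;
        add_header Referrer-Policy       "strict-origin-when-cross-origin" always;
        # NOTE(review): no Content-Security-Policy is set at the edge; whether the app
        # emits its own is not visible from this file — confirm before adding one here.

        # ── Static assets ─────────────────────────────────────
        # Nothing is served from disk by this server: every path below is proxied, so
        # static files currently travel through the app replicas too. For multi-server
        # deployments put them on a CDN (CDN_URL in .env and Vite's base URL) instead of
        # adding a root/alias location here.

        # ── API rate limiting ──────────────────────────────────
        # Prefix match: also covers /api/v1/auth/login/... and /api/v1/auth/login.json.
        # NOTE(review): any other credential endpoints the app exposes (registration,
        # password reset, token refresh) fall under the looser 'api' zone below.
        location /api/v1/auth/login {
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://gmlm_app;
            include /etc/nginx/proxy_params;
            # Needed for the upstream 'keepalive' pool to be used at all: HTTP/1.1, and
            # the client's Connection header must not leak through to the backend.
            # If proxy_params already sets Connection, keep only one of the two.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }

        location /api/ {
            limit_req zone=api burst=30 nodelay;
            proxy_pass http://gmlm_app;
            include /etc/nginx/proxy_params;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }

        # ── All other traffic ──────────────────────────────────
        # Unlimited: the frontend bundle and every non-/api/ route. Anything sensitive
        # that lives outside /api/ gets no rate limiting here.
        location / {
            proxy_pass http://gmlm_app;
            include /etc/nginx/proxy_params;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }

        # ── Health check ───────────────────────────────────────
        # Exact match, so it wins over the /api/ prefix and is deliberately NOT rate
        # limited — it is polled by whatever monitors this LB (presumably a Swarm
        # healthcheck or an external balancer). It is reachable by anyone, though: if
        # the app's health handler does real work (database queries), restrict it with
        # allow/deny to the checker's address ranges.
        location = /api/v1/health {
            proxy_pass            http://gmlm_app;
            # Same Host/X-Forwarded-* as the other routes, so host validation in the app
            # sees the public name rather than the upstream name 'gmlm_app'.
            include               /etc/nginx/proxy_params;
            proxy_http_version    1.1;
            proxy_set_header      Connection "";
            proxy_connect_timeout 2s;
            proxy_read_timeout    5s;
            access_log            off;
        }
    }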
}
