#
# Nginx reverse proxy configuration for BTPay
#
# Copy to /etc/nginx/sites-available/btpay
# ln -s /etc/nginx/sites-available/btpay /etc/nginx/sites-enabled/
#

server {
    listen 80;
    server_name btpay.example.com;

    # Redirect to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name btpay.example.com;

    # TLS — update paths to your certificates
    ssl_certificate     /etc/letsencrypt/live/btpay.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/btpay.example.com/privkey.pem;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers (in addition to Flask's own headers)
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy no-referrer always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Rate limiting zones — add these to the http {} block in /etc/nginx/nginx.conf:
    #   limit_req_zone $binary_remote_addr zone=btpay_login:10m rate=5r/m;
    #   limit_req_zone $binary_remote_addr zone=btpay_api:10m rate=100r/m;

    # Static files — served directly by nginx
    location /static/ {
        alias /opt/btpay/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

    # Favicon
    location /favicon.ico {
        alias /opt/btpay/static/images/favicon.ico;
        expires 30d;
    }

    # Login rate limiting
    location /auth/login {
        limit_req zone=btpay_login burst=10 nodelay;
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # API rate limiting
    location /api/ {
        limit_req zone=btpay_api burst=20 nodelay;
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # All other routes
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 30;
        proxy_read_timeout 120;
        proxy_send_timeout 120;

        # Body size limit
        client_max_body_size 10m;
    }
}