# Derive the Connection header sent to the websocket upstream from the
# client's Upgrade request header ($http_upgrade is client-supplied).
map $http_upgrade $connection_upgrade {
    # No Upgrade header on the request: plain HTTP, so send "close".
    ""      close;
    # Any non-empty Upgrade value: send "upgrade".
    default upgrade;
}

# Upstream group used by fastcgi_pass in the PHP location of the server block.
upstream backend {
    # FastCGI backend (php-fpm)
    # NOTE(review): FastCGI carries no authentication of its own; api:9000
    # should be reachable only from this proxy's network and not published
    # on the host — confirm in the compose/network definition.
    server api:9000;
    # keepalive can be added if you use HTTP upstreams; for fastcgi it's not needed
}

# Upstream group used by proxy_pass for the /app websocket location.
upstream websockets {
    # reverb service; if you scale reverb containers, Docker DNS will round-robin
    # although for shams's MVP usecase, scaling will not be necessary
    # NOTE(review): the proxy talks to this upstream over plain http://, so
    # reverb:6001 is presumably only exposed on the internal network — confirm.
    server reverb:6001;
}

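# Main virtual host: serves the application's public/ directory, proxies
# Reverb websocket traffic and hands PHP requests to php-fpm over FastCGI.
#
# Location matching reminder: exact (=) matches win first, then the longest
# prefix match is remembered; unless that prefix is marked ^~, regex
# locations are tried in file order and the first hit wins. The ordering and
# the ^~ modifier below rely on that.
server {
    # NOTE(review): plain HTTP only — presumably TLS is terminated by
    # something in front of this container; confirm.
    listen 80;
    listen [::]:80;
    server_name localhost;
    root /var/www/html/public;
    index index.php index.html;

    access_log /dev/stdout;
    error_log /dev/stderr warn;

    sendfile on;
    tcp_nopush on;
    # Upper bound on request bodies (uploads); larger requests are rejected.
    client_max_body_size 100M;
    keepalive_timeout 65;

    # Deny access to hidden files and sensitive stuff.
    # Kept ahead of every other regex location: regex locations are matched
    # in file order, so if these came last a path such as /.git/x.js or
    # /.env.php would be claimed by the static-asset or PHP regex first and
    # never reach the deny rule.
    location ~ /\.(env|git|svn|ht) {
        deny all;
        # "return" runs in the rewrite phase, before access checks, so the
        # client sees 404 (not 403) and the path's existence is not revealed.
        return 404;
    }

    # Any other dot-path except /.well-known/ is refused with 403.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # Static assets: let nginx serve them directly
    # NOTE(review): "map" makes JS/CSS source maps publicly downloadable;
    # drop it from the list if source maps should not ship to clients.
    location ~* \.(jpg|jpeg|gif|png|css|js|ico|svg|ttf|woff2?|map|xml)$ {
        access_log off;
        log_not_found off;
        expires 30d;
        add_header Cache-Control "public, immutable, must-revalidate";
        try_files $uri =404;
    }

    # Storage files (Laravel public symlink)
    # ^~ stops nginx from consulting the regex locations for /storage/ URIs.
    # Without it, /storage/<name>.php is claimed by the "\.php$" location
    # and, if the file is reachable under the document root (e.g. through
    # the public/storage symlink), handed to php-fpm for execution. With ^~
    # everything in this user-writable tree is only ever served as a static
    # file. Side effect: assets under /storage/ no longer pick up the
    # 30-day cache headers from the static-asset location above.
    location ^~ /storage/ {
        alias /var/www/html/storage/app/public/;
        try_files $uri $uri/ =404;
    }

    # Websockets endpoint
    # Reverb listens for WebSocket connections at /app and handles API requests at /apps.
    # This is a plain prefix match, so /apps (and any other URI starting
    # with /app) is proxied as well.
    location /app {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Scheme $scheme;
        proxy_set_header SERVER_PORT $server_port;
        proxy_set_header REMOTE_ADDR $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; the upstream must trust only the
        # entry added here, since earlier entries are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_read_timeout 86400;
        # proxy_send_timeout 86400;
        # proxy_buffers 32 4k;
        # proxy_buffer_size 8k;
        # proxy_cache_bypass $http_upgrade;
        proxy_pass http://websockets;
    }

    # Main application entry
    # Anything that is not an existing file or directory falls through to
    # the front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP-FPM (FastCGI)
    # NOTE(review): every existing *.php file under the document root is
    # executed, not only index.php. If the application only needs its front
    # controller, narrowing this match would reduce the attack surface.
    location ~ \.php$ {
        # Security: refuse php files that don't exist
        try_files $uri =404;

        include fastcgi_params;
        # $realpath_root resolves symlinks in the document root before the
        # script path is handed to php-fpm.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # $fastcgi_path_info is only filled in by fastcgi_split_path_info,
        # which is not configured here, so PATH_INFO is passed empty.
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;

        # fastcgi_pass can point to an upstream name or to "api:9000"
        fastcgi_pass backend;

        # tuning
        fastcgi_connect_timeout 60s;
        fastcgi_send_timeout 180s;
        fastcgi_read_timeout 180s;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
    }

    # Health/check endpoints or docs
    # Exact match: /docs is always routed to the front controller.
    location = /docs {
        rewrite ^ /index.php?$query_string last;
    }

    # Small useful locations
    # Exact matches that only silence logging for these two noisy paths.
    location = /favicon.ico {
        access_log off; log_not_found off;
    }
    location = /robots.txt {
        access_log off; log_not_found off;
    }
}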
