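# =============================================================================
# Nginx reverse proxy configuration for Vaultwarden
# =============================================================================
# Use this file together with docker-compose.nginx.yaml or
# docker-compose.full.yaml.
# =============================================================================

# HTTP -> HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name _;

    # Let's Encrypt ACME challenge (must stay reachable over plain HTTP so
    # certificate issuance/renewal keeps working).
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server (main)
server {
    # NOTE: "http2" on the listen line still works but is deprecated since
    # nginx 1.25.1 in favour of a separate "http2 on;" directive.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    # -----------------------------------------
    # SSL/TLS settings
    # -----------------------------------------
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Modern TLS settings: TLS 1.2/1.3 only, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # SSL session settings. Tickets are disabled so a leaked ticket key
    # cannot be used to decrypt recorded sessions.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling. Requires fullchain.pem to include the intermediate
    # certificate; nginx only warns (does not fail) if stapling is unusable.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used for the OCSP responder lookup. Point this at an internal
    # resolver if outbound DNS to public resolvers is not acceptable.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # -----------------------------------------
    # Security headers
    # -----------------------------------------
    # add_header is inherited by a location only while that location defines
    # no add_header of its own. If a header is ever added inside one of the
    # location blocks below, repeat all of these there as well.
    # HSTS "preload" is a long-lived commitment for the whole domain; keep it
    # only if the domain is meant to be submitted to the preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; current browsers ignore it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # -----------------------------------------
    # Client settings
    # -----------------------------------------
    # Upper bound for uploads (attachments/Send); raise if larger files are needed.
    client_max_body_size 55M;

    # -----------------------------------------
    # Proxy defaults
    # -----------------------------------------
    # These forwarding headers let Vaultwarden see the real client address and
    # scheme (needed for correct links, logging and IP-based rate limiting).
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # -----------------------------------------
    # Vaultwarden main proxy
    # -----------------------------------------
    location / {
        proxy_pass http://vaultwarden:80;
        proxy_buffering off;
    }

    # -----------------------------------------
    # WebSocket proxy (live sync)
    # -----------------------------------------
    location /notifications/hub {
        proxy_pass http://vaultwarden:80;
        # The Upgrade handshake is only valid over HTTP/1.1 to the upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header is NOT inherited once a location sets any of its
        # own, so the server-level forwarding headers must be repeated here;
        # otherwise this endpoint would send the upstream's Host and report
        # nginx's own address as the client IP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    # WebSocket negotiation endpoint (plain HTTP; inherits the server-level
    # proxy_set_header directives because it sets none of its own).
    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden:80;
        proxy_buffering off;
    }

    # -----------------------------------------
    # Admin panel (optional - uncomment when needed)
    # -----------------------------------------
    # If this block is enabled, the forwarding headers above are still
    # inherited as long as no proxy_set_header is added inside it.
    # location /admin {
    #     proxy_pass http://vaultwarden:80;
    #     proxy_buffering off;
    #     # IP restriction (optional)
    #     # allow 192.168.1.0/24;
    #     # deny all;
    # }
}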