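# =============================================================================
# nginx vhost-location override for nibiru-framework.com (apex)
#
# Picked up by jwilder/nginx-proxy when this file lives in the proxy's
# /etc/nginx/vhost.d/ as <VIRTUAL_HOST>_location. The contents are inlined
# inside the generated `location / { … }` block.
#
# IMPORTANT: do NOT add nested `location { … }` blocks here. nginx allows
# the syntax, but a nested location with no `proxy_pass` falls through to
# filesystem root and 404s the asset. Earlier versions of this file did
# exactly that for /_astro/ + images + /sw.js, which is why CSS/JS/images
# weren't loading on the live site. Cache-Control for hashed bundles is
# already set by Astro itself; the proxy doesn't need to second-guess it.
# =============================================================================

# Forwarding headers for the upstream Astro server (client IP, host, scheme).
#
# These lines REPLACE the proxy's defaults rather than adding to them: nginx
# inherits `proxy_set_header` from the outer level only when the current
# level defines none. Every header the upstream needs must therefore be
# listed here. With no explicit Host line nginx falls back to
# `Host $proxy_host` (the upstream name, not the public hostname), so Host
# and the empty `Proxy` header are restated below.
# NOTE(review): stock nginx-proxy also sets X-Forwarded-Ssl, X-Forwarded-Port
# and X-Original-URI at the outer level; they are not forwarded from this
# location. Compare with the generated default.conf if the upstream uses them.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client sent. Only the last entry is written by this proxy; the upstream
# should not treat earlier entries as authoritative.
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host  $host;
# $scheme is the scheme of the connection to THIS nginx. If another TLS
# terminator sits in front of the proxy it will read "http" — confirm.
proxy_set_header X-Forwarded-Proto $scheme;
# Never pass a client-supplied `Proxy` header upstream (httpoxy mitigation).
proxy_set_header Proxy             "";

# Allow streaming responses (Oracle answer streaming, Pagefind dialogs).
# With request buffering off, bodies are streamed to the upstream as they
# arrive rather than being spooled by nginx first.
proxy_buffering         off;
proxy_request_buffering off;
proxy_http_version      1.1;
proxy_read_timeout      300s;
proxy_send_timeout      300s;

# WebSocket / SSE upgrade — harmless if the upstream never uses them.
# `Connection: upgrade` is sent on every request, including those without an
# Upgrade header.
proxy_set_header Upgrade    $http_upgrade;
proxy_set_header Connection "upgrade";

# Body size — generous; tighten if abuse becomes a concern.
client_max_body_size 25m;

# Compression — Astro emits text-heavy assets that gzip well.
gzip            on;
gzip_vary       on;
gzip_min_length 512;
gzip_proxied    any;
gzip_comp_level 6;
gzip_types
    text/plain
    text/css
    text/xml
    application/xml
    application/json
    application/javascript
    application/manifest+json
    image/svg+xml
    font/ttf
    font/otf
    application/font-woff
    application/font-woff2;

# Security headers — same set sent on every request (`always` includes error
# responses).
#
# `add_header` follows the same inheritance rule as `proxy_set_header`:
# defining any here drops every `add_header` set at the server/http level, so
# this list must be complete on its own.
#
# HSTS: `includeSubDomains; preload` commits every subdomain of the apex to
# HTTPS for two years (max-age=63072000).
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header X-Frame-Options           "SAMEORIGIN" always;
add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
add_header Permissions-Policy        "camera=(), microphone=(), geolocation=()" always;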