# =============================================================================
#  nginx vhost-location override for www.nibiru-framework.com
#
#  Same hardening + caching rules as the apex (nibiru-framework.com_location).
#  Kept as a separate file so the proxy applies them per-vhost — the www and
#  apex containers each get their own server block in the generated config.
#
#  If you ever decide to redirect www → apex (SEO canonical-URL pattern)
#  instead of serving from a second container, replace this file's contents
#  with a single `return 301 https://nibiru-framework.com$request_uri;` and
#  drop the docs-www service from docker-compose.yml.
# =============================================================================

# Trust the X-Forwarded-* headers nginx-proxy already sets.
proxy_set_header X-Real-IP        $remote_addr;
proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;

# Allow streaming responses (Oracle answer streaming, Pagefind dialogs).
proxy_buffering          off;
proxy_request_buffering  off;
proxy_http_version       1.1;
proxy_read_timeout       300s;
proxy_send_timeout       300s;

# WebSocket / SSE upgrade — harmless if the upstream never uses them.
proxy_set_header Upgrade    $http_upgrade;
proxy_set_header Connection "upgrade";

# Body size — generous; tighten if abuse becomes a concern.
client_max_body_size 25m;

# Compression.
gzip                on;
gzip_vary           on;
gzip_min_length     512;
gzip_proxied        any;
gzip_comp_level     6;
gzip_types
    text/plain
    text/css
    text/xml
    application/xml
    application/json
    application/javascript
    application/manifest+json
    image/svg+xml
    font/ttf
    font/otf
    application/font-woff
    application/font-woff2;

# Security headers.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options    "nosniff"             always;
add_header X-Frame-Options           "SAMEORIGIN"          always;
add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
add_header Permissions-Policy        "camera=(), microphone=(), geolocation=()" always;

# Hashed Astro/Starlight assets — 1 year, immutable.
location ~* ^/_astro/ {
    expires 1y;
    add_header Cache-Control "public, immutable, max-age=31536000";
}

# Static images / fonts — 30 days.
location ~* \.(png|jpg|jpeg|gif|webp|avif|ico|svg|woff|woff2|ttf|otf)$ {
    expires 30d;
    add_header Cache-Control "public, max-age=2592000";
}

# Service worker — never cache.
location = /sw.js {
    expires off;
    add_header Cache-Control "no-store, no-cache, must-revalidate";
}

# llms.txt — short cache for AI crawlers.
location = /llms.txt {
    expires 1d;
    add_header Cache-Control "public, max-age=86400";
}