worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log warn;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;

    server {
        listen 80;
        root /var/www/html;
        index index.html;

        # Health check endpoint
        location = /health {
            access_log off;
            return 200 "nginx ok\n";
            add_header Content-Type text/plain;
        }

        # Banner entry points
        location = /consent-loader.js {
            add_header Access-Control-Allow-Origin "*" always;
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Cache-Control "public, max-age=3600" always;
            try_files $uri =404;
        }

        location = /consent-bundle.js {
            add_header Access-Control-Allow-Origin "*" always;
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Cache-Control "public, max-age=3600" always;
            try_files $uri =404;
        }

        # Proxy API requests to FastAPI backend — strip /api prefix
        location /api/ {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /docs {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }

        location /openapi.json {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }

        # SPA fallback
        location / {
            try_files $uri $uri/ /index.html;
        }

        location /assets/ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }
    }
}