# ─────────────────────────────────────────────────────────────
# Nginx config for project-bifrost.fenja.ai
#
# Install to: /etc/nginx/sites-available/project-bifrost
# Symlink:    sudo ln -sf /etc/nginx/sites-available/project-bifrost \
#                         /etc/nginx/sites-enabled/project-bifrost
# Test:       sudo nginx -t
# Reload:     sudo systemctl reload nginx
#
# Assumes certbot has already created /etc/letsencrypt/live/project-bifrost.fenja.ai/
# ─────────────────────────────────────────────────────────────

# Rate-limiting zones — put these in the http {} block of /etc/nginx/nginx.conf
# (or in an /etc/nginx/conf.d/*.conf file). They MUST live at http{} scope,
# not in server{}, so they're shared across workers.
#
#   limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m;
#
# If you've already added it, skip it. If not, either paste that one line
# into /etc/nginx/nginx.conf inside http{}, or drop a file at
# /etc/nginx/conf.d/rate-limits.conf containing just that line.

server {
    listen 80;
    listen [::]:80;
    server_name project-bifrost.fenja.ai;

    # Let certbot's renewals reach .well-known/acme-challenge on port 80
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name project-bifrost.fenja.ai;

    ssl_certificate     /etc/letsencrypt/live/project-bifrost.fenja.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/project-bifrost.fenja.ai/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # ─── Security headers ───
    # HSTS — after you're confident the cert-and-redirect loop is solid.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Limit body size — we only accept small JSON posts
    client_max_body_size 32k;

    # Don't leak Nginx version
    server_tokens off;

    # ─── Extra protection for auth endpoints ───
    # Bursts of 10 with a strict 10r/m base rate. Prevents someone from
    # script-hammering the verify endpoint.
    location /auth/ {
        limit_req zone=auth_limit burst=10 nodelay;

        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 20s;
    }

    # ─── Everything else → Node ───
    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
    }
}