# Connection handling: each worker process may hold at most 1024 simultaneous
# connections. The limit counts connections to the proxied upstreams as well
# as connections from clients.
events {
  worker_connections 1024;
}

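# TLS-terminating reverse proxy for avprosuite.io: the main app, the API
# subdomain and per-tenant (white-label) subdomains. TLS ends here; traffic to
# the `api` and `frontend` upstreams is plain HTTP.
#
# Header rules relied on below:
#   * proxy_set_header directives are inherited from the enclosing level only
#     when a location defines none of its own, so each location lists every
#     header it needs.
#   * Request headers sent by the client are passed to the upstream unchanged
#     unless a proxy_set_header line overrides them.
http {
  # Compress text-like responses (text/html is always included when gzip is on).
  # NOTE(review): compressing TLS responses that carry secrets next to
  # request-influenced content enables length side channels (BREACH class);
  # confirm API responses do not mix the two, or exclude those routes.
  gzip on;
  gzip_types text/plain text/css application/json application/javascript;

  upstream api      { server api:3001; }
  upstream frontend { server frontend:3000; }

  # Redirect HTTP → HTTPS
  # Only server on port 80, so it answers every plain-HTTP request.
  # NOTE(review): $host is taken from the request, so the Location header
  # reflects whatever host name the client sent. It cannot be pinned to one
  # name because tenant subdomains redirect through here as well; confirm that
  # is acceptable.
  server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
  }

  # Main app
  # First server declared for port 443 and no default_server is set, so it
  # also receives TLS requests whose host name matches no server_name.
  # NOTE(review): a client-sent X-Company-Slug header reaches the upstreams
  # unchanged from this server; if they use it to select a tenant, clear it in
  # each location with `proxy_set_header X-Company-Slug "";` (confirm against
  # the application).
  server {
    listen 443 ssl http2;
    server_name app.avprosuite.io;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location /api {
      proxy_pass http://api;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      # Without this line the client's own X-Forwarded-For is forwarded as
      # sent. This appends the address nginx saw; only that last entry is
      # trustworthy, since earlier entries are still client-supplied.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # NOTE(review): both probes are reachable from the internet through this
    # host; confirm their responses expose no internal detail.
    location /health { proxy_pass http://api; }
    location /ready  { proxy_pass http://api; }

    location /socket.io {
      proxy_pass http://api;
      # WebSocket upgrade needs HTTP/1.1 and the hop-by-hop headers re-added.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Same identity headers as /api: because this location sets headers of
      # its own, Host would otherwise fall back to the upstream name.
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
      proxy_pass http://frontend;
      proxy_set_header Host $host;
    }
  }

  # API subdomain
  # NOTE(review): as on the main app, a client-sent X-Company-Slug is passed
  # through untouched here; clear it if the API trusts that header.
  server {
    listen 443 ssl http2;
    server_name api.avprosuite.io;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
      proxy_pass http://api;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /socket.io {
      proxy_pass http://api;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Kept in step with `location /` above so the API sees the same host and
      # client address on WebSocket traffic.
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }

  # Wildcard subdomains (white-label portals)
  # Exact server names win over regex names, so app. and api. never land here.
  # The named capture becomes $slug and is sent to the frontend as
  # X-Company-Slug, replacing any value the client supplied.
  # NOTE(review): `.+` also matches multi-label names (a.b.avprosuite.io),
  # which a wildcard certificate does not cover; confirm the frontend
  # validates the slug, or narrow the pattern to a single label.
  server {
    listen 443 ssl http2;
    server_name ~^(?<slug>.+)\.avprosuite\.io$;
    ssl_certificate     /etc/nginx/certs/wildcard.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/wildcard.privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
      proxy_pass http://frontend;
      proxy_set_header Host $host;
      proxy_set_header X-Company-Slug $slug;
    }
  }
}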
