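# Reverse-proxy configuration for a development stack: an API service
# (api-service:8080, metrics on :9090) and a React frontend (frontend:80).
#
# Three listeners are defined:
#   80   - main entry point, injects X-User-Email "test@example.com" on /api/
#   8081 - injects X-User-Email "admin@example.com" on /api/
#   8082 - injects X-User-Email "limited@example.com" on /api/
#
# The limit_req zones "api" and "login" are referenced here but not defined in
# this file; they are presumably declared with limit_req_zone in the enclosing
# http context - confirm before deploying.
#
# NOTE(review): every /api/ location overwrites X-User-Email with a fixed
# value. If the API treats that header as the caller's identity, anyone who
# can reach a listener acts as that user (port 8081: the admin test user).
# Keep these listeners off untrusted networks and replace the fixed headers
# with a real authentication step outside development.

server {
    listen 80;
    server_name localhost;

    # Health check endpoint (direct response).
    # default_type sets the Content-Type of the body produced by "return";
    # add_header would emit a second Content-Type header instead of replacing it.
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Block access to sensitive files.
    # Regex locations are tried in the order they appear and the first match
    # wins, so these deny rules are placed ahead of every other regex location.
    # Declared after the static-asset regex, a path such as /.git/app.js would
    # match the asset rule first and be proxied instead of denied.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~ \.(env|config|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # API endpoints with rate limiting
    location /api/ {
        # Apply rate limiting
        limit_req zone=api burst=20 nodelay;

        # Development mode: only user email header required.
        # Setting the header here replaces any X-User-Email sent by the client.
        proxy_set_header X-User-Email "test@example.com";

        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Proxy to API service
        proxy_pass http://api-service:8080;
        proxy_read_timeout 60s;
        proxy_connect_timeout 10s;
        proxy_send_timeout 60s;

        # Handle proxy errors
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }

    # Login endpoints with stricter rate limiting.
    # A regex location takes precedence over the /api/ prefix location above,
    # so these paths get the "login" zone instead of the "api" zone.
    location ~ ^/api/(login|verify|renew) {
        # Apply stricter rate limiting for auth endpoints
        limit_req zone=login burst=5 nodelay;

        # Development mode: only user email header required
        proxy_set_header X-User-Email "test@example.com";

        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Proxy to API service
        proxy_pass http://api-service:8080;
        proxy_read_timeout 60s;
        proxy_connect_timeout 10s;
        proxy_send_timeout 60s;

        # Handle proxy errors
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }

    # Test endpoints (development only).
    # NOTE(review): no rate limit is applied here and X-User-Email is not set,
    # so a client-supplied X-User-Email header is forwarded to the API unchanged.
    # If the API trusts that header, set it explicitly or clear it with
    # proxy_set_header X-User-Email ""; and remove this location outside development.
    location /test/ {
        proxy_pass http://api-service:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Metrics endpoint (for monitoring)
    location /metrics {
        # Only allow internal access.
        # allow/deny evaluate $remote_addr, the address of the directly
        # connected peer. NOTE(review): if this server sits behind another
        # proxy or a container network gateway, that peer may always fall in
        # one of these private ranges - confirm the rule still restricts access.
        allow 127.0.0.1;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny all;

        proxy_pass http://api-service:9090/metrics;
    }

    # Default location - serve React frontend
    location / {
        proxy_pass http://frontend:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Handle React Router (client-side routing): a 404 from the frontend
        # is intercepted and retried through @fallback.
        proxy_intercept_errors on;
        error_page 404 = @fallback;
    }

    # Fallback for React Router.
    # NOTE(review): this re-sends the same URI to the same upstream, so it only
    # helps if the frontend container itself serves index.html for unknown
    # paths - confirm.
    location @fallback {
        proxy_pass http://frontend:80;
        proxy_set_header Host $host;
    }

    # Custom error pages
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # add_header without "always" is not applied to 4xx/5xx responses, so the
    # JSON content type is declared with default_type instead.
    location = /404.html {
        internal;
        default_type application/json;
        return 404 '{"error": "Not Found", "message": "The requested resource was not found"}';
    }

    location = /50x.html {
        internal;
        default_type application/json;
        return 500 '{"error": "Internal Server Error", "message": "An internal error occurred"}';
    }

    # Static assets - proxy to frontend with caching.
    # This regex also wins over the prefix locations above, so a path such as
    # /api/x.js is sent to the frontend rather than the API.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        proxy_pass http://frontend:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

# Test configuration for different user scenarios
server {
    listen 8081;
    server_name localhost;

    # Health check endpoint (direct response)
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Test endpoints (development only).
    # NOTE(review): X-User-Email is not set here, so a client-supplied value
    # is forwarded to the API as sent.
    location /test/ {
        proxy_pass http://api-service:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Admin user for testing.
    # Every request arriving on this port is forwarded as the admin test user;
    # the port itself is the only access control.
    location /api/ {
        limit_req zone=api burst=50 nodelay;

        # Development mode: admin test user
        proxy_set_header X-User-Email "admin@example.com";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://api-service:8080;
    }
}

server {
    listen 8082;
    server_name localhost;

    # Limited user for testing
    location /api/ {
        limit_req zone=api burst=10 nodelay;

        # Development mode: limited test user
        proxy_set_header X-User-Email "limited@example.com";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://api-service:8080;
    }
}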