# Custom nginx configuration for OpenCCB Learning
# Keep the learning frontend on port 3003 and expose LMS API via same-origin /lms-api.

# Security headers (server level)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https:; media-src 'self' blob: https:; object-src 'none'; frame-ancestors 'self';" always;

location /lms-api/ {
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    add_header Pragma "no-cache" always;
    add_header Expires "0" always;

    rewrite ^/lms-api/(.*)$ /$1 break;
    proxy_pass http://openccb-experience:3002;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
}

location /cms-api/ {
    # CORS safety net at proxy level for CMS API.
    set $cors_origin "";
    if ($http_origin ~* "^https?://([a-z0-9-]+\\.)?norteamericano\\.(com|cl)$") {
        set $cors_origin $http_origin;
    }
    if ($http_origin ~* "^http://localhost(:[0-9]+)?$") {
        set $cors_origin $http_origin;
    }

    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary "Origin, Access-Control-Request-Method, Access-Control-Request-Headers" always;
        add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD" always;
        add_header Access-Control-Allow-Headers "content-type,authorization,x-requested-with,x-organization-id,range" always;
        add_header Access-Control-Max-Age 86400 always;
        add_header Content-Length 0 always;
        add_header Content-Type "text/plain; charset=utf-8" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        return 204;
    }

    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Vary "Origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    add_header Pragma "no-cache" always;
    add_header Expires "0" always;

    rewrite ^/cms-api/(.*)$ /$1 break;
    proxy_pass http://openccb-studio:3001;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_connect_timeout 60s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    send_timeout 600s;
}