# ─────────────────────────────────────────────────────────────────────────────
# beconnect.conf — nginx → Laravel Octane (RoadRunner HTTP, porta 8080)
#
# Com deploy.replicas: 4, o Docker DNS resolve "app" para os 4 containers.
# Octane mantém workers PHP persistentes — sem bootstrap por pedido.
# ─────────────────────────────────────────────────────────────────────────────

# Upstream Octane — Docker DNS resolve para todos os containers "app"
upstream octane_pool {
    # Pool of Octane (RoadRunner) backends used by "location /" in the server block.

    # Pick the backend with the fewest active connections. The balancing method
    # has to be declared before "keepalive" for the keepalive cache to apply.
    least_conn;

    # After 3 failed attempts within 10s the backend is considered unavailable
    # for the next 10s.
    # NOTE(review): open-source nginx resolves "app" when the configuration is
    # loaded, so replicas that start or change address later are presumably not
    # seen until a reload — confirm against the deployment.
    server app:8080 max_fails=3 fail_timeout=10s;

    # Keep up to 64 idle upstream connections per worker process. This relies on
    # the proxying location using HTTP/1.1 with an empty Connection header.
    keepalive 64;
}

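server {
    # Catch-all HTTP virtual host: serves built static assets and public storage
    # directly, forwards Vite dev paths to the dev server, and proxies everything
    # else to the Octane upstream pool.
    #
    # NOTE(review): only a plain "listen 80" is defined, so $scheme is "http" for
    # every request handled here. Presumably TLS is terminated in front of nginx;
    # confirm, because X-Forwarded-Proto below is derived from $scheme.
    listen 80;
    server_name _;
    root /var/www/public;
    index index.php index.html;

    access_log /var/log/nginx/beconnect_access.log combined buffer=16k flush=5s;
    error_log  /var/log/nginx/beconnect_error.log warn;

    # Upper bound on request bodies (uploads) accepted before proxying.
    client_max_body_size 32M;

    # ─── Compression ───────────────────────────────────────────────────────────
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml application/xml+rss text/javascript
               image/svg+xml;

    # ─── Security headers ──────────────────────────────────────────────────────
    # add_header is inherited by a location only when that location declares no
    # add_header of its own. Every location below that sets Cache-Control or CORS
    # headers therefore repeats these three lines; the proxy locations declare
    # none and inherit them from here.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # Legacy header: current browsers no longer implement the XSS auditor, so
    # this adds no protection there. A Content-Security-Policy is the control to
    # rely on.
    add_header X-XSS-Protection "1; mode=block" always;

    # ─── Block sensitive dotfiles ──────────────────────────────────────────────
    # Regex locations are tested in file order and the first match wins, so this
    # block is placed ahead of the service-worker and static-asset regexes;
    # otherwise a path such as /.git/x.js would be handled by the asset location.
    # "return" runs in the rewrite phase, before access checks, so clients
    # always receive 404 and "deny all" is only a second line of defence.
    # It does not cover the "^~" prefix locations below, which skip regex
    # matching entirely.
    location ~ /\.(env|git|htaccess|DS_Store) {
        deny all;
        return 404;
    }

    # ─── Service worker: never cached (browser always checks for a new version) ─
    location ~* (sw\.js|workbox-.+\.js)$ {
        expires off;
        # Repeated because the add_header lines below suppress inheritance.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Service-Worker-Allowed "/";
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept" always;
        try_files $uri =404;
        access_log off;
    }

    # ─── Vite dev server (development): proxy to host.docker.internal:5174 ─────
    # Covers /@vite/client, the HMR WebSocket, /resources/js/* and /@fs/*.
    #
    # NOTE(review): these four locations are development-only. Vite's /@fs/
    # endpoint serves files by absolute path (bounded by Vite's server.fs
    # settings), and the "^~" modifier means the dotfile block above is never
    # consulted for these prefixes. They should not be present in a config that
    # faces untrusted clients; keep them in a dev-only file or remove them from
    # the production image.
    location /@vite/ {
        proxy_pass http://host.docker.internal:5174;
        proxy_http_version 1.1;
        # WebSocket upgrade for hot module replacement.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long read timeout so the idle HMR socket is not closed.
        proxy_read_timeout 3600s;
    }

    # ^~ stops the static-asset regex from intercepting Vite dev paths.
    location ^~ /resources/ {
        proxy_pass http://host.docker.internal:5174;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ^~ /@fs/ {
        proxy_pass http://host.docker.internal:5174;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # ─── node_modules (Vite dev server) ────────────────────────────────────────
    # NOTE(review): because of "^~", this prefix wins over the
    # "^/(vendor|node_modules)/" regex at the end of the block, so /node_modules/
    # is proxied to Vite and never denied. Decide which behaviour is intended
    # for each environment.
    location ^~ /node_modules/ {
        proxy_pass http://host.docker.internal:5174;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ─── Static assets (Vite build): served directly by nginx ──────────────────
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|webp|avif)$ {
        expires 1y;
        # Repeated because the add_header lines below suppress inheritance.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Cache-Control "public, immutable";
        # Wildcard CORS is applied to every file with these extensions under the
        # document root; keep only public build output there.
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept" always;
        try_files $uri =404;
        access_log off;
    }

    # ─── Public storage ────────────────────────────────────────────────────────
    # Both the location and the alias end in "/", which keeps the mapping
    # confined to the aliased directory.
    location /storage/ {
        alias /var/www/storage/app/public/;
        expires 30d;
        # Repeated because add_header Cache-Control suppresses inheritance.
        # nosniff matters most here if this directory holds user uploads
        # (presumably it does — confirm).
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Cache-Control "public";
        try_files $uri =404;
    }

    # ─── Everything else → Laravel Octane (HTTP reverse proxy) ─────────────────
    location / {
        proxy_pass         http://octane_pool;
        # HTTP/1.1 with an empty Connection header enables upstream keepalive.
        proxy_http_version 1.1;
        proxy_set_header   Connection        "";
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the leading entries are
        # client-controlled. The application should trust only the hop added by
        # this proxy (trusted-proxy configuration) or read X-Real-IP.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Port  $server_port;

        proxy_read_timeout  120s;
        proxy_send_timeout  120s;
        proxy_connect_timeout 30s;

        proxy_buffer_size        128k;
        proxy_buffers            8 256k;
        proxy_busy_buffers_size  256k;
    }

    # ─── Block dependency directories ──────────────────────────────────────────
    # Left after the static-asset regex on purpose: moving it earlier would also
    # block asset files under /vendor/ in the document root, which some packages
    # publish there (TODO confirm whether this project does). As written, the
    # asset regex still handles /vendor/*.js and similar, and the node_modules
    # alternative is shadowed by the "^~ /node_modules/" location above.
    location ~ ^/(vendor|node_modules)/ {
        deny all;
        return 404;
    }
}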
