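# nginx reverse proxy in front of Jellyfin (reached on the host's port 8096
# through host.docker.internal). Directives are unchanged from the original
# unless a comment says "Changed" or "Removed".
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Security headers (`always` also sends them on error responses).
    # nginx does not merge add_header across levels: a single add_header in a
    # server/location — including the included security.conf — replaces this
    # whole set for that context. Re-declare them there if that file adds any.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; current browsers ignore it. Kept for older clients.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    # Log format consumed by Fail2Ban.
    log_format security '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log security;

    # General settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 100M;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Rate limiting, keyed by client IP. $binary_remote_addr is only the real
    # client while nginx is the edge; behind another proxy or CDN every request
    # would share one key and the limits would hit all users at once — use the
    # real-IP module's address as the key in that deployment.
    limit_req_zone $binary_remote_addr zone=jellyfin:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;

    # Connection limits
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    # Jellyfin app: host port 8096 via host.docker.internal (Docker Desktop on
    # macOS). `keepalive` only takes effect for locations that talk HTTP/1.1
    # to the upstream with an empty Connection header; presumably security.conf
    # sets proxy_http_version / Connection for the non-WebSocket locations — confirm.
    upstream jellyfin_app {
        server host.docker.internal:8096;
        keepalive 32;
    }

    server {
        # Plain HTTP only: credentials and session tokens travel unencrypted
        # unless TLS is terminated in front of this server. In that case
        # X-Forwarded-Proto below is also misleading, since $scheme is "http".
        listen 80;
        server_name jellyfin.hyungi.net;

        # Server-wide limits
        limit_req zone=jellyfin burst=20 nodelay;
        limit_conn perip 10;
        limit_conn perserver 100;

        # Login endpoint gets a stricter limit.
        # Changed: `~*` matches the path in any casing; the original `~` was
        # case-sensitive and matched only two spellings. Changed: limit_req is
        # not inherited once a location declares its own, so the general zone
        # is repeated here to keep both limits in force.
        location ~* ^/Users/AuthenticateByName {
            limit_req zone=jellyfin burst=20 nodelay;
            limit_req zone=auth burst=3 nodelay;
            proxy_pass http://jellyfin_app;
            include /etc/nginx/conf.d/security.conf;
        }

        # Removed: `location /web/index.html#!/dashboard { ... }`. Everything
        # after `#` is a URL fragment, which the browser never sends to the
        # server, so that location could never match and the allow/deny list
        # inside it was never applied. Restrict the admin UI in Jellyfin
        # itself, or on the request paths the dashboard actually calls.
        # The original (commented-out) allow list was:
        #   allow 192.168.219.0/24;   # internal network
        #   allow YOUR_TRUSTED_IP;    # trusted external IP
        #   deny all;

        # Main proxy
        location / {
            proxy_pass http://jellyfin_app;
            include /etc/nginx/conf.d/security.conf;
        }

        # WebSocket (live updates). HTTP/1.1 plus the Upgrade/Connection pair
        # is what lets the upgrade handshake pass through to Jellyfin.
        location /socket {
            proxy_pass http://jellyfin_app;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Deny dotfiles (.htaccess, .git, .env, ...). Changed: the separate
        # `location ~ /\.ht { deny all; }` was a subset of this pattern with
        # the same action and is folded in. Note this also blocks
        # /.well-known/…; add a more specific location before it if ACME
        # challenges are ever served from this host.
        location ~ /\. {
            deny all;
        }
    }
}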