server {
    listen 80;
    server_name _;
    resolver 127.0.0.11 valid=10s ipv6=off;

    client_max_body_size 50M;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    root /usr/share/nginx/html;
    index index.html;

    # HTML 캐시 비활성화
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
    }

    # 정적 파일 캐시 (JS, CSS, 이미지 등)
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf)$ {
        expires 1h;
        add_header Cache-Control "public, no-transform";
    }

    # SSO Auth API 프록시 (/api/auth/* → sso-auth)
    location /api/auth/ {
        set $upstream http://sso-auth:3000;
        proxy_pass $upstream$request_uri;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # API 프록시 (System 1 API)
    location /api/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # 업로드 파일 프록시 (^~ 로 regex location보다 우선 매칭)
    location ^~ /uploads/ {
        set $upstream http://system1-api:3005;
        proxy_pass $upstream$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # FastAPI Bridge 프록시
    location /fastapi/ {
        set $upstream http://system1-fastapi:8000;
        rewrite ^/fastapi/(.*)$ /$1 break;
        proxy_pass $upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SSO Auth 프록시 (gateway에서 이관)
    location /auth/ {
        set $upstream http://sso-auth:3000;
        rewrite ^/auth/(.*)$ /api/auth/$1 break;
        proxy_pass $upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # AI Service 프록시 (gateway에서 이관)
    location /ai-api/ {
        set $ai_upstream https://ai.hyungi.net;
        rewrite ^/ai-api/(.*) /api/ai/$1 break;
        proxy_pass $ai_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host ai.hyungi.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_server_name on;
        proxy_read_timeout 180s;
        proxy_send_timeout 180s;
    }

    # 레거시 /login, /dashboard → gateway(tkds) 리다이렉트
    location = /login {
        return 302 $scheme://tkds.technicalkorea.net/dashboard$is_args$args;
    }
    location = /dashboard {
        return 301 $scheme://tkds.technicalkorea.net/dashboard;
    }

    # Health check
    location /health {
        access_log off;
        return 200 '{"status":"ok","service":"system1-web"}';
        add_header Content-Type application/json;
    }

    # Static files (new Tailwind UI)
    location /static/ {
        expires 1h;
        add_header Cache-Control "public, no-transform";
    }

    # SPA fallback
    location / {
        try_files $uri $uri/ /index.html;
    }
}