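# Drip Tunnel Server - Nginx Configuration
#
# Architecture:
#   External User -> Nginx (443) -> Drip Server (8443) -> Client
#
# Prerequisites:
#   1. Obtain a wildcard SSL certificate:
#        certbot certonly --manual --preferred-challenges dns \
#          -d "*.tunnel.example.com" -d "tunnel.example.com"
#
#   2. DNS Records:
#        A  tunnel.example.com    -> YOUR_SERVER_IP
#        A  *.tunnel.example.com  -> YOUR_SERVER_IP
#
#   3. Start the Drip Server:
#        ./bin/drip-server --port 8443 --domain tunnel.example.com \
#          --tls-cert /etc/letsencrypt/live/tunnel.example.com/fullchain.pem \
#          --tls-key /etc/letsencrypt/live/tunnel.example.com/privkey.pem
#
# Notes:
#   - This file must be included from the http {} context (e.g. conf.d/),
#     because it declares a map and server blocks.
#   - Nginx and the Drip Server read the same private key file. Keep it
#     readable only by the accounts that run those two processes.
#   - Port 8443 is unprivileged. Make sure only the Drip Server can bind it
#     on this host, since Nginx forwards all tunnel traffic to whatever is
#     listening there.

# Send "Connection: upgrade" upstream only when the client actually asked for
# a protocol upgrade (WebSocket). Plain HTTP requests get "close" instead of a
# bogus upgrade token.
map $http_upgrade $drip_connection_upgrade {
    default upgrade;
    ''      close;
}

# Redirect all HTTP traffic to HTTPS
server {
    listen 80;
    server_name tunnel.example.com *.tunnel.example.com;

    # $host comes from the request, but only names matched by server_name
    # reach this block. If this block ever becomes the default server for
    # port 80, arbitrary Host values would be reflected into the redirect.
    return 301 https://$host$request_uri;
}

# HTTPS reverse proxy → Drip Server
server {
    listen 443 ssl http2;
    server_name tunnel.example.com *.tunnel.example.com;

    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/tunnel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tunnel.example.com/privkey.pem;

    # Pin the client-facing protocol versions explicitly: older Nginx builds
    # still enable TLS 1.0/1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Proxy to Drip Server
    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_protocols TLSv1.3;

        # Upstream certificate verification is disabled. The hop is encrypted
        # but NOT authenticated: Nginx will talk to any process listening on
        # 127.0.0.1:8443. This is tolerable only while the upstream stays on
        # loopback on a host where no untrusted local user can bind that port.
        # If the Drip Server is moved off-host, or to harden the loopback hop,
        # turn verification on instead (CA bundle path is a placeholder):
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;
        #   proxy_ssl_server_name on;
        #   proxy_ssl_name $host;
        proxy_ssl_verify off;

        proxy_http_version 1.1;

        # Forward request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so every entry except the last is attacker-controlled.
        # Anything downstream that makes access or rate-limit decisions should
        # use X-Real-IP or the right-most X-Forwarded-For entry only.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $drip_connection_upgrade;

        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;

        # Disable buffering
        proxy_buffering off;
        proxy_request_buffering off;

        # Large file upload support
        # Without this directive Nginx rejects request bodies over its 1m
        # default with 413. The value below is an example constructed for this
        # listing; size it to the largest upload you intend to allow. Setting 0
        # removes the limit and leaves body size unbounded on a public endpoint.
        client_max_body_size 100m;
    }
}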