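# Reverse proxy in front of tailnet-hosted services.
# One directive per line: with the file collapsed onto a single line, the
# first '#' comments out everything after it and the http block never closes.
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Rate limiting zones — define per-service zones as needed
    # NOTE(review): the key is the TCP peer address. If a load balancer or
    # platform proxy sits in front of this listener, confirm the peer is the
    # real client; otherwise every visitor shares one bucket.
    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;

    # Proxy cache: 200MB, evict after 24h of no access
    proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
                     max_size=200m inactive=24h;

    # --- docs.eblu.me (static site) ---
    server {
        listen 8080;
        server_name docs.eblu.me;

        limit_req zone=general burst=20 nodelay;

        location / {
            proxy_pass https://docs.tail8d86e.ts.net;

            # NOTE(review): the upstream certificate is not verified, so TLS
            # on this hop does not authenticate the backend. If the image
            # ships a CA bundle covering the upstream's issuer, prefer:
            #   proxy_ssl_verify on;
            #   proxy_ssl_trusted_certificate <path-to-CA-bundle>;
            proxy_ssl_verify off;
            # Send SNI so the upstream can select the right certificate.
            proxy_ssl_server_name on;

            # Cache aggressively — static site only.
            # Do NOT use these settings for dynamic services.
            proxy_cache services;
            proxy_cache_valid 200 1d;
            proxy_cache_valid 404 1m;
            proxy_cache_use_stale error timeout updating;
            proxy_cache_lock on;

            # Prevent cache-busting: ignore query strings and
            # client cache-control headers.
            # Safe for static sites; breaks dynamic services.
            proxy_cache_key $host$uri;
            proxy_ignore_headers Cache-Control Set-Cookie;

            # Set-Cookie no longer blocks caching (see proxy_ignore_headers),
            # so a response carrying one would be stored and replayed to every
            # visitor. Strip it so a cached cookie is never shared.
            proxy_hide_header Set-Cookie;

            # Exposes the cache result (e.g. HIT/MISS) for debugging.
            add_header X-Cache-Status $upstream_cache_status;
        }
    }

    # Catch-all: reject unknown hosts, but serve health check
    server {
        listen 8080 default_server;

        location /healthz {
            return 200 "ok\n";
        }

        # 444 closes the connection without sending a response.
        location / {
            return 444;
        }
    }
}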