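# Nginx reverse-proxy configuration for MinIO.
# Save as: /etc/nginx/sites-available/minio.glpshchn.ru
#
# Layout:
#   1. port 80  - ACME challenge + redirect to HTTPS (minio.glpshchn.ru only)
#   2. port 443 - MinIO S3 API      -> 127.0.0.1:9000
#   3. port 443 - MinIO web console -> 127.0.0.1:9001
#
# NOTE(review): admin.minio.glpshchn.ru has no port-80 server block in this
# file, so its HTTP->HTTPS redirect and any HTTP-01 certificate validation
# must be provided elsewhere - confirm.

# HTTP -> HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name minio.glpshchn.ru;

    # Certbot (ACME HTTP-01) validation must stay reachable over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is redirected to HTTPS. $server_name (not $host) keeps
    # the redirect target independent of the client-supplied Host header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# MinIO S3 API (primary access to objects)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name minio.glpshchn.ru;

    # TLS certificates (Let's Encrypt)
    ssl_certificate         /etc/letsencrypt/live/minio.glpshchn.ru/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/minio.glpshchn.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/minio.glpshchn.ru/chain.pem;

    # TLS settings. nginx only negotiates the DHE-RSA suites below when
    # ssl_dhparam is configured; without it they are simply never selected.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling only takes effect when the certificate carries an OCSP
    # responder URL; otherwise nginx logs a warning and ignores it.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers. includeSubDomains also pins admin.minio.glpshchn.ru
    # (and any other subdomain of this host) to HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Raised limits for large uploads.
    # NOTE(review): a 300s client_header_timeout lets a slow client hold a
    # connection open for five minutes before sending any request; only the
    # body/proxy timeouts need to be long for big objects - consider lowering.
    client_max_body_size 1000M;
    client_body_timeout 300s;
    client_header_timeout 300s;
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;

    # Do not drop request header fields whose names nginx considers invalid;
    # they are passed through to MinIO instead.
    ignore_invalid_headers off;

    # CORS headers (browser access).
    # NOTE(review): '*' lets a page on any origin read responses from this
    # API, including requests carrying an Authorization header or a presigned
    # URL. If only known front-ends need browser access, replace '*' with
    # that origin (e.g. https://<YOUR_FRONTEND_ORIGIN>).
    # NOTE(review): if MinIO also answers with its own Access-Control-*
    # headers the response will carry duplicates, which browsers reject -
    # verify against a live response.
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, HEAD' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Content-Length, Accept-Encoding, X-Requested-With, Range, Content-Disposition, Content-MD5, X-Amz-Content-Sha256, X-Amz-Date, X-Amz-User-Agent' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range, ETag' always;
    add_header 'Access-Control-Max-Age' 1728000 always;

    # Logs
    access_log /var/log/nginx/minio-access.log;
    error_log  /var/log/nginx/minio-error.log;

    # Proxy to the MinIO API
    location / {
        # CORS preflight. This block lives inside the location because
        # add_header is only valid in http, server, location and
        # "if in location" contexts; placed directly under server{} it makes
        # the configuration fail to load. add_header at this level replaces
        # the inherited server-level headers, so the CORS set is repeated.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, HEAD';
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Content-Length, Accept-Encoding, X-Requested-With, Range, Content-Disposition, Content-MD5, X-Amz-Content-Sha256, X-Amz-Date, X-Amz-User-Agent';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            # No Content-Length here: a 204 response must not carry one.
            return 204;
        }

        # Host must reach MinIO unchanged (including any port), since the
        # S3 request signature covers it.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # S3 API: HTTP/1.1 to the backend with an empty Connection header.
        # The API location does not set Upgrade / Connection "upgrade";
        # a second, conflicting Connection value does not belong here and
        # WebSocket proxying is only needed by the console server below.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        # Stream large objects instead of buffering them in nginx.
        proxy_buffering off;
        proxy_request_buffering off;

        # MinIO API backend (port 9000)
        proxy_pass http://127.0.0.1:9000;
    }

    # Health check endpoint
    location /minio/health/live {
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:9000;
    }
}

# MinIO Console (optional web UI), served on admin.minio.glpshchn.ru
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name admin.minio.glpshchn.ru;

    # TLS certificates
    ssl_certificate         /etc/letsencrypt/live/admin.minio.glpshchn.ru/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/admin.minio.glpshchn.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/admin.minio.glpshchn.ru/chain.pem;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;

    # Security headers, kept in line with the API server block: the console
    # is an interactive login UI, so framing and MIME sniffing protections
    # matter here at least as much as on the API host.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Raised upload limit
    client_max_body_size 1000M;

    # Logs
    access_log /var/log/nginx/minio-console-access.log;
    error_log  /var/log/nginx/minio-console-error.log;

    # NOTE(review): this exposes the administrative console to the whole
    # internet, protected only by the MinIO login. If administrators connect
    # from known networks, restrict access here, for example:
    #   allow <TRUSTED_ADMIN_CIDR>;
    #   deny  all;

    # Proxy to the MinIO Console
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # MinIO Console backend (port 9001)
        proxy_pass http://127.0.0.1:9001;

        # WebSocket support for real-time updates in the console
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}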