user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # =========================================================================
    # PrivX HA Load Balancer Configuration
    # =========================================================================

    # 1. PrivX Core Cluster (API & GUI)
    # Sticky Sessions (ip_hash) are MANDATORY for OAuth flow and user sessions.
    upstream privx_core_cluster {
        ip_hash;
        server 192.168.1.51:443; # Core Node 01
        server 192.168.1.52:443; # Core Node 02
    }

    # 2. PrivX Web Access Cluster (Carrier + Web Proxy)
    # WebSocket support is critical here. Sticky sessions required for browser consistency.
    upstream privx_web_cluster {
        ip_hash;
        server 192.168.1.61:443; # Web Proxy Node 01
        server 192.168.1.62:443; # Web Proxy Node 02
    }

    server {
        listen       443 ssl http2;
        server_name  privx.tuodominio.local;
        
        # SSL Termination (Self-Signed or CA)
        ssl_certificate "/etc/nginx/ssl/privx-lb.crt";
        ssl_certificate_key "/etc/nginx/ssl/privx-lb.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # --- Location: Core API & GUI ---
        location / {
            proxy_pass https://privx_core_cluster;
            
            # Forward headers required by PrivX
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # Timeout tuning for long running API calls
            proxy_read_timeout 90;
        }

        # --- Location: Web Access (Browser-in-Browser) ---
        # Routes WSS traffic specifically to the Web Proxy nodes
        location /ws {
            proxy_pass https://privx_web_cluster;
            
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            
            # Increase timeouts for long SSH/RDP sessions
            proxy_read_timeout 3600s;
            proxy_send_timeout 3600s;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}