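# ==============================================================================
# FILE:   /etc/nginx/sites-available/gps.oestepan.com.br.conf
# AUTHOR: Gemini (Especialista NGINX)
# DATE:   27/01/2026
#
# CONTEXT:
# Reverse proxy for Traccar GPS (OESTEPAN).
# ModSecurity (WAF) terminates SSL and sends decrypted traffic to port 8080.
#
# TRUST BOUNDARY:
# Everything on port 8080 is plaintext and is assumed to have passed the WAF.
# Nothing in this file enforces that assumption; see the notes on the 8080
# server block below.
# ==============================================================================

upstream traccar_backend {
    server host.docker.internal:8083;
    # Idle connections kept open to the backend, per worker. Only used by
    # locations that speak HTTP/1.1 upstream and clear the Connection header.
    keepalive 32;
}

# ------------------------------------------------------------------------------
# MAIN BLOCK: port 8080 (traffic coming from ModSecurity)
# ------------------------------------------------------------------------------
server {
    # NOTE(review): these listeners bind every interface and carry no
    # allow/deny rules. If port 8080 is reachable from anything other than the
    # WAF, requests can skip ModSecurity entirely, arrive unencrypted, and are
    # still presented to Traccar as HTTPS (X-Forwarded-Proto below). Confirm the
    # port is not published outside the container network, or restrict it here:
    #     allow <WAF_ADDRESS>;   # placeholder: address of the ModSecurity proxy
    #     deny  all;
    listen 8080;
    listen [::]:8080;
    server_name gps.oestepan.com.br;

    include /etc/nginx/snippets/acme_challenge.conf;

    # NOTE(review): the global_limit zone is defined outside this file. Every
    # request arrives from the WAF, so if the zone is keyed on the peer address
    # all clients share one bucket and a single noisy client can throttle the
    # rest. Verify the key, or restore the client address with the realip
    # module (set_real_ip_from <WAF_ADDRESS>; real_ip_header X-Forwarded-For;).
    limit_req zone=global_limit burst=20 nodelay;

    # ==========================================================================
    # REQUEST LIMITS AND LOGS
    # ==========================================================================
    client_max_body_size 50M;

    # Without realip, $remote_addr in these logs is the WAF's address, not the
    # client's. The detailed_proxy format is defined elsewhere; check that it
    # records X-Forwarded-For if client attribution is needed for incident work.
    access_log /var/log/nginx/gps.oestepan.com.br.access.log detailed_proxy;
    error_log /var/log/nginx/gps.oestepan.com.br.error.log warn;

    # ==========================================================================
    # ROUTES (no SSL here because the WAF already terminated the encryption)
    # ==========================================================================

    # 1. WebSocket
    location /api/socket {
        proxy_pass http://traccar_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Long timeouts keep idle sockets open for up to 24 hours.
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;

        # X-Real-IP carries the immediate peer (the WAF unless realip is set up).
        # X-Forwarded-For appends that peer to whatever header value arrived, so
        # its contents are only as trustworthy as the WAF's handling of it.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # Tells the backend the client side is HTTPS
    }

    # 2. Main route
    location / {
        proxy_pass http://traccar_backend;
        proxy_http_version 1.1;
        # Clear the Connection header so the upstream "keepalive 32" pool is
        # actually used; otherwise nginx sends "Connection: close" to the
        # backend and opens a new connection for every request.
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # Tells the backend the client side is HTTPS

        # Bodies (up to client_max_body_size) are streamed to the backend
        # instead of being buffered by nginx first.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 90s;
    }
}

# ------------------------------------------------------------------------------
# DUMMY BLOCK: exists only so the renew_ssl.sh script can find the SSL paths
# ------------------------------------------------------------------------------
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name gps.oestepan.com.br;

    # Important: These paths MUST be in /etc/nginx/ssl/ (shared volume)
    # so ModSecurity can access them. renew_ssl.sh will copy the certs here.
    # NOTE(review): the private key sits on a volume shared between containers;
    # confirm that only the nginx and ModSecurity processes can read it.
    ssl_certificate /etc/nginx/ssl/gps.oestepan.com.br.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/gps.oestepan.com.br.privkey.pem;

    # Returns 444 (No Response) if someone connects here directly (WAF bypass).
    # This covers port 443 only; it does nothing for direct connections to the
    # plaintext 8080 listener above.
    location / {
        return 444;
    }
}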