# Nginx Master Configuration - Pathfinder Proxy
#
# Main (top-level) context: modules, process identity, worker limits, the
# events block and the single http block. Everything site-specific lives in
# the included snippets and in /etc/nginx/conf.d/*.conf (see bottom of file).

# Pass TZ through to worker processes (affects timestamps written by workers).
env TZ=America/Sao_Paulo;

# Load essential modules
# Every loaded module is code running inside the workers. The commented-out
# entries below are the pattern for disabling a module that no snippet or
# site uses — NOTE(review): confirm which of echo / subs_filter /
# image_filter are actually referenced before keeping them loaded.
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
# load_module modules/ngx_http_cache_purge_module.so;
# load_module modules/ngx_http_upstream_fair_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
load_module modules/ngx_http_subs_filter_module.so;
load_module modules/ngx_otel_module.so;
load_module modules/ngx_http_cookie_flag_filter_module.so;
# load_module modules/ngx_http_lower_upper_case_module.so;
load_module modules/ngx_http_image_filter_module.so;
# load_module modules/ngx_http_ssl_fingerprint_module.so;

# Workers run as the unprivileged "nginx" user; only the master keeps root.
user nginx;
worker_processes auto;
# Per-worker fd limit; must cover worker_connections plus open files/caches.
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 16384;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # GeoIP2 Databases (Pathfinder-Ready)
    # Variables defined here are consumed by the included snippets/log formats.
    # "default=" values are what a lookup miss yields (XX / Unknown).
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        auto_reload 5m;
        $geoip2_data_country_code default=XX country iso_code;
    }
    geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
        auto_reload 5m;
        $geoip2_data_city_name default=Unknown city names en;
        $geoip2_data_latitude location latitude;
        $geoip2_data_longitude location longitude;
        $geoip2_data_country_name country names en;
    }

    # Performance
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;
    proxy_headers_hash_bucket_size 512;
    # 0 disables the request-body size limit at http scope: every server /
    # location under conf.d that does not set its own client_max_body_size
    # accepts unbounded uploads. NOTE(review): prefer a bounded default here
    # and raise it only in the locations that actually receive uploads.
    client_max_body_size 0;
    keepalive_timeout 65;

    # --- Elite tuning (I/O reduction & timeouts) ---
    # 1. File descriptor cache
    # open_file_cache_errors on also caches lookup failures: a file created
    # right after a miss can keep returning the cached error for up to
    # open_file_cache_valid (30s).
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # --- HTTP/2 Hardening (CVE-2025-8671: MadeYouReset Mitigation) ---
    # http2_max_concurrent_streams caps the number of in-flight streams per
    # HTTP/2 connection; keepalive_requests additionally bounds how many
    # requests a single connection may serve before it is closed.
    # NOTE(review): the CVE reference is the author's rationale — check the
    # vendor advisory for the exact exposure of the deployed nginx build.
    http2_max_concurrent_streams 64;
    keepalive_requests 500;

    # 2. Connections & timeouts
    # Short body/header/send timeouts plus reset_timedout_connection limit
    # how long slow clients (slowloris-style) can pin a worker connection;
    # timed-out connections are closed with RST so their buffers are freed.
    reset_timedout_connection on;
    client_body_timeout 12s;
    client_header_timeout 12s;
    send_timeout 10s;

    # 3. Memory buffers
    # large_client_header_buffers 4 4k is half the nginx default (8k): any
    # single request line or header line over 4k is rejected (414 / 400),
    # which can hit clients sending large cookies or bearer tokens.
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    # 4. Asynchronous I/O (AIO threads)
    # Requires a build with --with-threads. Enable after running the new setup.
    # NOTE(review): the directive is already active below; on a binary built
    # without thread support "nginx -t" fails on this line, so either the
    # comment is stale or this should stay commented until the rebuild.
    # directio 4m also turns sendfile off for files larger than 4m.
    aio threads;
    directio 4m;

    # Compression (Brotli + Gzip)
    include /etc/nginx/snippets/compression.conf;

    # Logging JSON (Detailed) - For Fail2Ban / Analysis
    # The "detailed_proxy" format is defined in log_formats.conf, so that
    # include must stay ahead of the access_log line.
    include /etc/nginx/snippets/log_formats.conf;
    access_log /var/log/nginx/access_json.log detailed_proxy;
    # Logging Human Readable - For Docker Logs / User
    # access_log /dev/stdout combined;

    # SSL Settings (Global)
    # Tickets are off, so resumption relies solely on the in-memory shared
    # cache (no long-lived ticket key to protect/rotate); cached sessions
    # live for up to 1d. ssl_protocols / ssl_ciphers / ssl_stapling are not
    # set here — NOTE(review): presumably in a snippet or per-server config;
    # confirm, since without them the build-time defaults apply.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Shared Cache Zone (Pseudo-CDN)
    # Declares the zone only; proxy_cache / cache-key hygiene is configured
    # where the zone is used.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=dynamic_cache:50m max_size=10g inactive=60m use_temp_path=off;

    # DNS Resolver (SSL Stapling & Upstreams)
    # Plain-UDP DNS to Google public resolvers: any upstream named by
    # hostname in conf.d is resolved through an external, unauthenticated
    # path. NOTE(review): consider a local caching resolver, and ipv6=off
    # if the host has no IPv6 egress.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security Snippets
    # NOTE(review): if security_headers.conf relies on add_header, remember
    # nginx's inheritance rule — a server/location that sets any add_header
    # of its own drops the whole set inherited from here. headers_more is
    # loaded above, and more_set_headers does not have that pitfall.
    include snippets/security_headers.conf;
    # New 2026 headers
    include snippets/security_maps.conf;
    include snippets/rate_limit.conf;
    include snippets/bandwidth_limit.conf;

    # Global activation of the blacklist
    # A non-glob include must exist at start/reload time, otherwise the
    # config fails to load; keep the file present (even if empty).
    include /etc/nginx/dynamic/blacklist.conf;

    # Site Configurations
    include /etc/nginx/conf.d/*.conf;
}