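# Reverse proxy in front of a Kubernetes service: plain HTTP on port 80 is
# redirected to HTTPS, and HTTPS on port 443 is proxied to the "backend"
# upstream.
#
# NOTE(review): the file was collapsed onto a single line, so the leading "#"
# turned every directive into part of one comment. It is restored here to one
# directive per line.

# Number of worker processes (1 is enough for local use)
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    keepalive_timeout  65;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # === Dynamic DNS resolution (key for Kubernetes) ===
    # 10.96.0.10 is the CoreDNS IP. valid=5s overrides the record TTL so the
    # upstream is re-resolved every 5 seconds.
    # Lookups are plain, unauthenticated DNS: keep the resolver on the trusted
    # cluster network, since a spoofed answer would redirect proxied traffic.
    resolver 10.96.0.10 valid=5s ipv6=off;
    resolver_timeout 10s;

    # Send "Connection: upgrade" upstream only when the client asked for an
    # upgrade; ordinary requests get "close" instead of a hard-coded "upgrade".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # === Backend: Kubernetes service (port 80, not 8000) ===
    upstream backend {
        # "resolve" needs a shared memory zone to store the resolved addresses.
        # NOTE(review): "resolve" on an upstream server was NGINX Plus-only in
        # older releases; confirm the deployed build supports it.
        zone backend 64k;
        server devops-app-service.devops-demo.svc.cluster.local:80 resolve;
    }

    # === HTTP -> HTTPS REDIRECT ===
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;

        location / {
            # $host is taken from the request (Host header), so the redirect
            # target follows whatever name the client sent. If this block also
            # serves as the catch-all for unknown hosts, consider redirecting
            # to a fixed canonical name instead.
            return 301 https://$host$request_uri;
        }
    }

    # === HTTPS SERVER ===
    server {
        listen 443 ssl;
        # Mirror the IPv6 listener of the port-80 block so redirected IPv6
        # clients can reach HTTPS.
        listen [::]:443 ssl;
        server_name localhost;

        # Keep the private key readable only by the account nginx starts under.
        ssl_certificate     /etc/nginx/certs/tls.crt;
        ssl_certificate_key /etc/nginx/certs/tls.key;

        # Pin the protocol versions so the result does not depend on the
        # default of the nginx build (older releases also enabled TLS 1.0/1.1).
        ssl_protocols TLSv1.2 TLSv1.3;

        # "always" makes nginx emit the header on error responses as well;
        # without it only 2xx/3xx-class responses carry it.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;

        location / {
            proxy_pass http://backend;

            # The WebSocket handshake needs HTTP/1.1 towards the upstream.
            proxy_http_version 1.1;

            proxy_set_header Host $host;
            # X-Real-IP is the address of the TCP peer as seen by nginx.
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to the client-supplied value,
            # so the backend must only trust the last entry (added here) and
            # not the earlier ones for access decisions or audit logs.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # WebSocket support
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}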