user abc;
worker_processes auto;
pid /tmp/nginx.pid;
error_log /dev/stderr warn;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /dev/stdout combined;

    sendfile on;
    tcp_nodelay on;
    keepalive_timeout 65;
    client_max_body_size 20M;
    client_body_buffer_size 256k;

    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;

    upstream app_server {
        server 127.0.0.1:8001;
    }

    server {
        listen 8000;
        server_name _;

        # Security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;

        # Proxy to Gunicorn
        location / {
            proxy_pass http://app_server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        }

        location /health/ {
            access_log off;
            proxy_pass http://app_server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        }

        # Static files
        location /static/ {
            alias /yamtrack/staticfiles/;
            expires 30d;
            add_header Cache-Control "public";
        }

    }
}