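# VPN Gateway Nginx Configuration
# Place in: /etc/nginx/sites-available/vpn-gateway
#
# This file is included from the http{} context, so http-level directives
# (limit_req_zone, limit_conn_zone, map, upstream) are valid at its top level.

# Rate limiting zones
# NOTE(review): keyed on $binary_remote_addr, which assumes nginx sees the real
# client address. If another proxy or load balancer sits in front of this host,
# every client shares that proxy's address and the limits collapse onto one key
# -- confirm against the deployment.
limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;

# WebSocket upgrade negotiation
# Send "Connection: upgrade" to the backend only when the client actually sent an
# Upgrade header. For ordinary requests the Connection header is left empty so the
# upstream keepalive pool below is used. The previous unconditional
# `proxy_set_header Connection "upgrade"` defeated keepalive and sent a dangling
# "upgrade" token on every plain HTTP request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Upstream backend
upstream vpn_backend {
    server 127.0.0.1:5000 fail_timeout=10s;
    keepalive 32;
}

server {
    listen 80;
    listen [::]:80;
    server_name _;

    # Plain HTTP only: WebUI credentials and session cookies cross the network
    # unencrypted unless TLS is terminated in front of this server. The HTTPS
    # block at the bottom of this file is the intended production form.

    # Do not advertise the nginx version in the Server header and error pages
    server_tokens off;

    # Access and error logs
    access_log /var/log/nginx/vpn-gateway.access.log;
    error_log /var/log/nginx/vpn-gateway.error.log;

    # Security headers
    # Caveat: nginx discards ALL inherited add_header directives in any location
    # that declares its own add_header. Every location below that uses
    # add_header must therefore repeat this set (see /static/).
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; current browsers ignore it. Kept as originally configured.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 'unsafe-inline' and 'unsafe-eval' remove most of CSP's script-injection
    # protection; presumably required by the WebUI's inline scripts -- tighten
    # if the UI can be made to work without them.
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;

    # Connection limits (per client address)
    limit_conn vpn_conn 10;

    # Client body size (for config uploads)
    client_max_body_size 1M;
    client_body_buffer_size 128k;

    # Timeouts (short, to bound the resources a slow client can hold)
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;

    # Root location - WebUI
    location / {
        limit_req zone=vpn_general burst=20 nodelay;

        proxy_pass http://vpn_backend;
        proxy_http_version 1.1;

        # Headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to any client-supplied header, so the
        # backend must only trust the right-most entry (the one added here).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (value chosen by the map above)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Timeouts for proxy
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # API endpoints - stricter rate limiting
    location /api/ {
        limit_req zone=vpn_api burst=10 nodelay;
        limit_conn vpn_conn 5;

        proxy_pass http://vpn_backend;
        proxy_http_version 1.1;
        # Empty Connection header so the upstream keepalive pool is used
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Was set for / but missing here; the backend needs the same scheme
        # information on every route to build redirects and cookie flags.
        proxy_set_header X-Forwarded-Proto $scheme;

        # API specific timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }

    # Static files (if any)
    # Keep the trailing slash on BOTH the location and the alias: a prefix
    # location without its trailing slash combined with alias is the classic
    # nginx misconfiguration that lets requests escape the aliased directory.
    location /static/ {
        alias /opt/vpn-gateway/static/;
        expires 1h;
        add_header Cache-Control "public, immutable";

        # Repeated here because the add_header above discards the inherited
        # server-level security headers.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;
    }

    # Health check endpoint
    location /health {
        access_log off;
        # default_type sets the Content-Type of the generated response. The
        # previous `add_header Content-Type text/plain` produced a second
        # Content-Type header and, being a location-level add_header, also
        # dropped the inherited security headers for this location.
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Block sensitive paths (dotfiles and dot-directories)
    # NOTE: this also denies /.well-known/, so an exception is needed if ACME
    # HTTP-01 challenges for the HTTPS block are ever served from this vhost.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Block access to backup files (editor backups ending in "~")
    location ~ ~$ {
        deny all;
    }
}

# HTTPS configuration (optional - uncomment if using SSL)
# Note: the "http2" parameter on listen is deprecated in newer nginx releases in
# favour of a separate `http2 on;` directive; keep whichever your version accepts.
# server {
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name vpn.yourdomain.com;
#
#     ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;
#
#     # SSL configuration
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers HIGH:!aNULL:!MD5;
#     ssl_prefer_server_ciphers on;
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 10m;
#
#     # HSTS
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#
#     # Rest of configuration same as above...
#     # (remember that the add_header inheritance caveat applies here too: the
#     # HSTS header must be repeated in any location that sets its own add_header)
# }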