map $http_origin $cors_origin {
    default '';
    '~^https://.*\.replit\.dev$'  $http_origin;
    '~^https://.*\.repl\.co$'     $http_origin;
    'https://uno-click.pip-test.ru' $http_origin;
}

map $http_origin $proxy_origin {
    default         $http_origin;
    '~^https://.*\.replit\.dev$'  'https://uno-click.pip-test.ru';
    '~^https://.*\.repl\.co$'     'https://uno-click.pip-test.ru';
}

log_format upload_log '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" rt=$request_time '
                      'content_length=$http_content_length';

server {
    listen 80;
    server_name uno-click.pip-test.ru;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name uno-click.pip-test.ru;

    ssl_certificate /etc/letsencrypt/live/uno-click.pip-test.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/uno-click.pip-test.ru/privkey.pem;

    # HTTP/1.1 только для upload endpoint (отключаем HTTP/2 flow control)
    # Основной сайт остаётся с HTTP/2
    location /s3-upload/ {
        access_log /var/log/nginx/s3-upload.log upload_log;

        rewrite ^/s3-upload/(.*)$ /$1 break;

        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;

        proxy_set_header Host "minio:9000";
        proxy_set_header Connection "close";

        chunked_transfer_encoding off;
        proxy_request_buffering off;

        client_max_body_size 500M;

        proxy_connect_timeout 600s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;

        proxy_pass_header Authorization;
        proxy_pass_header Content-MD5;
        proxy_pass_header Content-Type;
        proxy_pass_header Content-Length;

        # CORS headers - только ОДИН раз
        add_header 'Access-Control-Allow-Origin' 'https://uno-click.pip-test.ru' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, x-csrf-token, x-amz-*' always;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_cookie_path / /;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / /;
        proxy_request_buffering off;
        proxy_buffering off;
        client_max_body_size 500M;
    }

    location /files/ {
        proxy_pass http://127.0.0.1:9000/uno-click/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100M;
        add_header Cache-Control 'public, max-age=31536000, immutable';
    }
}