# ============================================================
# SBC Admin — Nginx Configuration (Ring2All Platform)
# File: /etc/nginx/sites-available/softswitch-sbc
# Installed by: softswitch-sbc package
#
# Frontend : /var/www/softswitch/sbc/
# API      : http://127.0.0.1:3003  (sbc-api.service)
# SSL      : /etc/nginx/ssl/nginx.{crt,key}
# ============================================================

# Backend pool for the admin API: one instance bound to the loopback
# interface, reached over plain HTTP by the proxy_pass directives below.
upstream sbc_api {
    server 127.0.0.1:3003;
    # Cache up to 32 idle backend connections per worker process.
    # NOTE(review): nginx reuses upstream connections only when the proxying
    # location speaks HTTP/1.1 and clears the Connection header. The /api/ and
    # /ws/ locations in this file set Connection to "upgrade" — confirm whether
    # this pool is actually used.
    keepalive 32;
}

# ── HTTP → HTTPS Redirect ─────────────────────────────────────
server {
    # Plain-HTTP listener. It serves only ACME challenge files and redirects
    # every other request to HTTPS.
    # "_" is a placeholder name, so this block handles requests only as the
    # default server for port 80 and, in that role, accepts any Host header.
    listen      80;
    server_name _;

    error_log  /var/log/nginx/sbc-admin_error.log warn;
    access_log /var/log/nginx/sbc-admin_access.log;

    # Permanent redirect to the same host and URI over HTTPS.
    # NOTE(review): $host comes from the request, so the redirect target
    # reflects whatever host the client sent. Pinning server_name (or the
    # redirect target) to the real hostname removes that reflection — confirm
    # the deployment hostname before changing.
    location / {
        return 301 https://$host$request_uri;
    }

    # ACME HTTP-01 challenge files are answered over plain HTTP and never
    # redirected. "^~" stops regex locations from being tried for this prefix.
    # The location and the alias both end in "/", which keeps the mapped path
    # inside the challenge directory.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        alias        /var/www/softswitch/sbc/.well-known/acme-challenge/;
    }
}

# ── HTTPS Server — SBC Admin Panel ───────────────────────────
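server {
    # TLS listener for the SBC admin panel: serves the static SPA and proxies
    # /api/, /ws/ and /health to the sbc_api upstream.
    # "_" is a placeholder name, so this block handles requests only as the
    # default server for port 443 and, in that role, accepts any Host header.
    # NOTE(review): no allow/deny or auth is applied at the nginx layer here;
    # access control is presumably enforced by sbc-api — confirm.
    listen 443 ssl;
    http2 on;
    server_name _;

    # NOTE(review): the private key should be readable by root only; file
    # permissions cannot be verified from this config.
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # TLS 1.2 and 1.3 only. ssl_ciphers governs TLS 1.2 and lists only ECDHE
    # key exchange with AES-GCM; TLS 1.3 suites are not controlled by it.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    # Every listed suite is strong, so the client's preference order is honoured.
    ssl_prefer_server_ciphers off;
    # NOTE(review): ssl_session_tickets is not set here and defaults to on;
    # ticket keys then live as long as the nginx process. Consider turning
    # tickets off or rotating ticket keys.
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;

    access_log /var/log/nginx/sbc-admin_ssl_access.log;
    error_log  /var/log/nginx/sbc-admin_ssl_error.log warn;

    # Security response headers. nginx inherits these into a location ONLY if
    # that location declares no add_header of its own, so any location that
    # adds a header must repeat the whole set (see the static-assets block).
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore, and no Content-Security-Policy is set — consider adding one
    # tailored to the frontend.
    # NOTE(review): includeSubDomains extends HSTS to every subdomain of the
    # host the browser used — confirm all of them serve valid HTTPS.
    add_header X-Frame-Options           SAMEORIGIN                             always;
    add_header X-Content-Type-Options    nosniff                                always;
    add_header X-XSS-Protection          "1; mode=block"                        always;
    add_header Referrer-Policy           strict-origin-when-cross-origin        always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"  always;

    # ── REST API (/api/) ─────────────────────────────────────
    # "^~" keeps the static-assets regex below from capturing API paths that
    # end in a listed extension (for example /api/…/logo.png). Without it
    # nginx would look for such paths on disk instead of proxying them.
    location ^~ /api/ {
        proxy_pass            http://sbc_api;
        proxy_http_version    1.1;
        # NOTE(review): "Connection: upgrade" is sent on every API request, not
        # only on WebSocket handshakes. That likely prevents reuse of the
        # upstream keepalive pool. A map on $http_upgrade at http level is the
        # usual fix.
        proxy_set_header      Upgrade           $http_upgrade;
        proxy_set_header      Connection        'upgrade';
        # NOTE(review): $host is client-supplied on a catch-all server; the
        # backend should not build absolute URLs from it unless server_name is
        # pinned.
        proxy_set_header      Host              $host;
        proxy_set_header      X-Real-IP         $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client sent; only the
        # right-most entry is set by this proxy and can be trusted.
        proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header      X-Forwarded-Proto $scheme;
        # Has no effect unless proxy_cache is enabled; none is configured here.
        proxy_cache_bypass    $http_upgrade;
        proxy_read_timeout    300s;
        proxy_connect_timeout 60s;
        proxy_send_timeout    300s;
        # Request bodies above 50 MB are rejected by nginx before the backend.
        client_max_body_size  50M;
    }

    # ── WebSocket (/ws/) ─────────────────────────────────────
    # "^~" for the same reason as /api/: never hand a /ws/ path to the static
    # regex location.
    location ^~ /ws/ {
        proxy_pass         http://sbc_api;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host       $host;
        proxy_set_header   X-Real-IP  $remote_addr;
        # Same forwarding headers as /api/. Without them a client-supplied
        # X-Forwarded-For would reach the backend unmodified on this path.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # 24-hour idle timeouts keep long-lived sockets open.
        proxy_read_timeout  86400s;
        proxy_send_timeout  86400s;
        proxy_connect_timeout 60s;
    }

    # ── Health check ──────────────────────────────────────────
    # Exact-match location, proxied to the backend's /health and not logged.
    # NOTE(review): reachable by any client that can reach port 443 — confirm
    # the endpoint discloses nothing sensitive.
    location = /health {
        proxy_pass         http://sbc_api/health;
        access_log off;
        proxy_read_timeout 5s;
    }

    # ── Static assets ─────────────────────────────────────────
    # Long-lived caching for files served from the frontend directory.
    # NOTE(review): ".map" files are served too, which exposes the frontend's
    # original source to anyone who can reach the panel — confirm that is
    # intended.
    location ~* \.(js|css|woff2?|ttf|eot|svg|png|jpg|ico|webp|map)$ {
        root       /var/www/softswitch/sbc;
        expires    1y;
        add_header Cache-Control "public, immutable";
        # The add_header above switches off inheritance of the server-level
        # headers, so the security set is repeated here. Otherwise scripts,
        # styles and SVGs would be served without nosniff, HSTS and the rest.
        add_header X-Frame-Options           SAMEORIGIN                             always;
        add_header X-Content-Type-Options    nosniff                                always;
        add_header X-XSS-Protection          "1; mode=block"                        always;
        add_header Referrer-Policy           strict-origin-when-cross-origin        always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"  always;
        access_log off;
        try_files  $uri =404;
    }

    # ── SPA ───────────────────────────────────────────────────
    # Any path that is not a real file or directory falls back to index.html
    # so the client-side router can handle it.
    location / {
        root  /var/www/softswitch/sbc;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}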
