server {
    listen 80;
    server_name couch.novicelab.io;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl; # http2;
    server_name couch.novicelab.io;

    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    set $couch_backend 10.0.0.251:5984;

    # # Block access to _utils (Fauxton) in production
    # location /_utils {
    #     deny all;
    #     return 403;
    # }

    # # Block _config endpoint externally
    # location /_config {
    #     deny all;
    #     return 403;
    # }

    # # Block _node endpoint externally
    # location /_node {
    #     # deny all;
    #     # return 403;
    #     proxy_pass         http://$couch_backend/_node; 
    #     proxy_redirect     off;
    #     proxy_set_header   Host $host;
    #     proxy_set_header   X-Real-IP $remote_addr;
    #     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header   X-Forwarded-Proto $scheme;

    #     # Timeouts
    #     proxy_connect_timeout 10s;
    #     proxy_read_timeout    60s;
    # }

    location / {
        # Handle CORS preflight without hitting CouchDB auth
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $http_origin always;
            add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Max-Age 3600;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }

        # Pass all other requests to CouchDB
        # proxy_pass              http://127.0.0.1:5984;
        proxy_pass         http://$couch_backend/;
        proxy_redirect          off;
        proxy_buffering         off;
        proxy_method            $request_method;  
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Forward CORS headers from CouchDB responses too
        add_header Access-Control-Allow-Origin      $http_origin always;
        add_header Access-Control-Allow-Credentials "true" always;

        proxy_connect_timeout 10s;
        proxy_read_timeout    60s;

        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}