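# Reverse proxy for share.uuxo.net: terminates TLS on loopback port 4443 and
# streams uploads of up to 10G, unbuffered, to the application on 127.0.0.1:8080.
#
# This block must keep one directive per line: '#' comments run to end of line,
# so a collapsed copy silently disables every directive that follows a comment.
server {
    # Loopback-only listeners. Presumably a front-end on this host forwards
    # public traffic here - confirm, because it decides what $remote_addr means below.
    listen 127.0.0.1:4443 ssl http2;
    listen [::1]:4443 ssl http2;
    server_name share.uuxo.net;

    # TLS material.
    # NOTE(review): no ssl_protocols / ssl_ciphers are set in this block; they are
    # whatever the http{} level (or the nginx default) provides - verify there.
    ssl_certificate     /etc/nginx/ssl/uuxo_nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/uuxo_nginx.key;
    ssl_dhparam         /etc/nginx/ssl/dhparams.pem;

    # Security headers ("always" also covers error responses).
    # add_header is inherited by a location only while that location defines no
    # add_header of its own; adding one there drops this whole set.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; current guidance is to send "0" or omit it. Value left as found.
    add_header X-XSS-Protection "1; mode=block" always;
    # NOTE(review): this policy sends the full URL to other HTTPS origins. If share
    # links carry a secret in the path or query, prefer "no-referrer" or
    # "strict-origin-when-cross-origin" - confirm against the link format.
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Large upload limits (1GB+ multi-transfer).
    client_max_body_size 10G;
    # Body and send timeouts apply between two successive reads/writes, not to the
    # whole transfer, so 7200s lets a stalled client hold a connection for 2 hours.
    client_body_timeout 7200s;
    # NOTE(review): header read time does not depend on upload size; 300s gives
    # slow-header clients five minutes per connection (nginx default is 60s).
    client_header_timeout 300s;
    client_body_buffer_size 2m;
    send_timeout 7200s;

    # Everything not matched by an exact location below goes to the backend.
    location / {
        # CORS is deliberately not handled here: the backend emits its own CORS
        # headers, and adding them in nginx as well conflicts with multi-upload.

        proxy_pass http://127.0.0.1:8080/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # NOTE(review): this sends "Connection: Upgrade" on every proxied request,
        # not only on upgrade requests. The usual fix is a map from $http_upgrade
        # in the http{} context, which cannot be declared inside this block.
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        # $remote_addr is the directly connected peer. With loopback-only listeners
        # that is the local front-end unless realip / PROXY protocol is configured
        # elsewhere - confirm before the backend uses it for limits or audit logs.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the backend should trust
        # only the entries added by its own proxies.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;

        # Stream request and response bodies instead of spooling them to disk.
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_max_temp_file_size 0;

        # Connect timeout covers only connection establishment to the upstream, and
        # nginx documents that it usually cannot exceed 75s. The previous 7200s
        # only delayed failure detection when the backend is down; 60s is the default.
        proxy_connect_timeout 60s;
        # Idle timeouts between successive writes to / reads from the backend.
        proxy_send_timeout 7200s;
        proxy_read_timeout 7200s;
        keepalive_timeout 1800s;

        proxy_socket_keepalive on;
        # NOTE(review): proxy_pass names a single address, so there is no other
        # server to fail over to, and with request buffering off a request whose
        # body has started streaming cannot be retried. These three directives are
        # therefore unlikely to give upload resilience; kept as found.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_timeout 7200s;
        proxy_next_upstream_tries 3;

        # Backend error responses are passed to the client unchanged.
        proxy_intercept_errors off;
    }

    # Block these two paths. "return" runs in the rewrite phase, before access
    # checks, so the former "deny all" never took effect and has been dropped.
    location = /upload/robots.txt {
        return 403;
    }
    location = /upload/sitemaps.xml {
        return 403;
    }

    # Logging. The error log was at "debug", which (on debug-enabled builds) writes
    # every request header line - including Cookie and Authorization values - and
    # grows very quickly during multi-gigabyte uploads. Keep "warn" in normal
    # operation; raise it temporarily while investigating, then rotate and
    # restrict access to the resulting file.
    error_log  /var/log/nginx/upload_errors.log warn;
    access_log /var/log/nginx/upload_access.log combined;
}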