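# Reverse proxy in front of the "flask" upstream (backend:5000).
# Listens on port 80, adds response security headers, and applies
# per-client-address request rate limits to /auth/login and /api/.
#
# Each directive sits on its own line: a "#" comment runs to the end of the
# line, so a comment must never share a line with directives that follow it.

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not disclose the nginx version in the Server header and error pages.
    server_tokens off;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;

    # Rate limiting
    # Both zones are keyed on the connecting address ($binary_remote_addr) and
    # use 10 MB of shared memory: 10 requests/minute for login, 60 for the API.
    # NOTE(review): if another proxy or load balancer sits in front of nginx,
    # every client shares that proxy's address and therefore one bucket. In
    # that case restore the client address with set_real_ip_from /
    # real_ip_header, limited to the trusted proxy addresses - confirm the
    # deployment topology.
    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
    limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m;

    # Answer throttled requests with 429 instead of the default 503, so that
    # clients and monitoring can tell rate limiting from a backend outage.
    limit_req_status 429;

    upstream flask {
        server backend:5000;
    }

    server {
        # NOTE(review): plain HTTP only. Login credentials cross this listener
        # unencrypted unless TLS is terminated in front of it - not visible
        # from this file, confirm. Add "Strict-Transport-Security" only once
        # HTTPS is actually being served.
        listen 80;
        server_name _;

        # Security headers
        # "always" also attaches them to error responses. add_header is only
        # inherited by a location that declares no add_header of its own;
        # adding one inside a location silently drops all three there.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # NOTE(review): legacy header that current major browsers no longer
        # act on. A Content-Security-Policy is the effective control against
        # XSS, and none is set here.
        add_header X-XSS-Protection "1; mode=block" always;

        client_max_body_size 10M;

        # Rate limiting for login
        # Prefix match: also covers any path that starts with /auth/login.
        # burst=5 nodelay serves up to 5 excess requests immediately and
        # rejects anything beyond that.
        location /auth/login {
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://flask;
            proxy_set_header Host $host;
            # X-Real-IP is the address nginx saw on the connection.
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent, so the earlier entries are
            # client-controlled. The backend must not base access decisions,
            # lockouts or audit logging on them.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Rate limiting for the API
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://flask;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # All other requests (no rate limit applied)
        location / {
            proxy_pass http://flask;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 60s;
        }
    }
}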