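# Newbury Nights — nginx reverse proxy example
#
# Camera (getUserMedia) and DeviceOrientation require a secure context,
# so the site MUST be served over HTTPS. nginx terminates TLS here and
# forwards plain HTTP to the Node app on 127.0.0.1:33033.
#
# Adjust server_name, certificate paths, and the upstream port to taste.
#
# The hop between nginx and the app is unencrypted and the app trusts the
# X-Forwarded-* headers set below, so the Node app should listen on
# loopback only; anything that can reach port 33033 directly bypasses TLS
# and can supply its own forwarded headers.

upstream newbury_nights {
    server 127.0.0.1:33033;
    keepalive 32;
}

# Redirect HTTP -> HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name newbury.example.com;

    # Redirect to the configured name, not $host. If this block ends up as
    # the default server for port 80, $host reflects whatever Host header
    # the client sent, and the redirect target would be client-controlled.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name newbury.example.com;

    # --- TLS (point these at your real certs, e.g. from certbot) ---
    ssl_certificate     /etc/letsencrypt/live/newbury.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/newbury.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # --- Response headers ---
    # HSTS: the port-80 redirect only protects a visitor after their first
    # plain-HTTP request has already gone out; this tells browsers to go
    # straight to HTTPS for this host. Use a short max-age while testing,
    # since browsers remember the policy for its full duration.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # The app serves user-uploaded images; stop browsers from sniffing an
    # upload into a different (e.g. script or HTML) content type.
    add_header X-Content-Type-Options "nosniff" always;

    # Allow uploaded ghost GIFs/images up to the app's 8MB limit (+ headroom).
    # This is only a size cap; type and content checks remain the app's job.
    client_max_body_size 10m;

    # Let the Node app see it's behind TLS (so secure cookies / trust proxy work).
    proxy_set_header Host              $host;
    # X-Real-IP is overwritten with the connection's address on every request.
    proxy_set_header X-Real-IP         $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client sent, so only the LAST entry comes from
    # nginx. Configure the app's proxy trust for exactly this one hop
    # (loopback) rather than trusting the whole list.
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # HTTP/1.1 with an empty Connection header is what lets the upstream
    # "keepalive 32" pool reuse connections to the app.
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Cache static assets served by the app.
    # NOTE(review): proxy_cache_valid only takes effect when a proxy_cache
    # zone is enabled, and none is defined in this file; as written, only
    # the browser-side caching from expires / Cache-Control applies.
    # NOTE(review): the match is by extension alone, so uploaded images
    # served under such URLs are marked "public" too — confirm that is
    # intended before putting a shared cache or CDN in front.
    location ~* \.(?:css|js|gif|png|jpe?g|webp|svg|woff2?)$ {
        proxy_pass http://newbury_nights;
        proxy_cache_valid 200 1h;
        expires 1h;
        add_header Cache-Control "public";

        # add_header directives are inherited from the server level only
        # when a location declares none of its own. This location declares
        # Cache-Control, so the security headers must be repeated here or
        # static responses would be sent without them.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    location / {
        proxy_pass http://newbury_nights;
    }
}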