# ---- nginx: Plain HTTP (no TLS, no mTLS) ----
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    # ---- Frontend static files ----
    root /usr/share/nginx/html;
    index index.html;

    # ---- Logging ----
    access_log /var/log/nginx/insight-access.log;
    error_log  /var/log/nginx/insight-error.log warn;

    # ---- Frontend + WebSocket proxy ----
    location / {
        if ($request_uri = "/") {
            return 302 $scheme://$http_host/?proxy=true;
        }

        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_read_timeout 86400s;

        # When WebSocket upgrade detected, proxy to backend
        if ($is_websocket) {
            proxy_pass http://127.0.0.1:9000;
            break;
        }

        # Otherwise serve static files with SPA fallback
        try_files $uri $uri/ /index.html;
    }

    # ---- Health check ----
    location /health {
        access_log off;
        default_type text/plain;
        return 200 'OK';
    }

    # ---- Deny hidden files ----
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}