  # Nginx configuration for payment.taifaguard.co.ke
# Place this file in /etc/nginx/sites-available/payment.taifaguard.co.ke
# Then create a symlink: sudo ln -s /etc/nginx/sites-available/payment.taifaguard.co.ke /etc/nginx/sites-enabled/

upstream payment_backend {
    # Plaintext HTTP to the application on the loopback interface; nginx
    # terminates TLS in the 443 server block below. Keep this address on
    # localhost (or an otherwise private network): the proxied traffic carries
    # the X-Real-IP / X-Forwarded-* headers this config sets, unencrypted.
    server 127.0.0.1:8080;
    # Add more servers for load balancing if needed
    # server 127.0.0.1:8081;
}

# Rate limiting zones. Assuming the usual sites-enabled include from the http
# block, limit_req_zone is valid in this file; each zone name may be declared
# only once across the whole nginx config, otherwise nginx refuses to start.
# The key is $binary_remote_addr (the TCP peer unless a real_ip module is
# configured elsewhere), so client-supplied headers such as X-Forwarded-For
# cannot steer a request into a different bucket.
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;      # general /api/ traffic
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;      # credential endpoint
limit_req_zone $binary_remote_addr zone=payment:10m rate=20r/m;   # payment initiate/status

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name payment.taifaguard.co.ke;

    # Redirect every request to HTTPS. $server_name (rather than $host) is used
    # deliberately so an attacker-controlled Host header is never reflected
    # into the Location header.
    # Note: if certificates are renewed with an HTTP-01 webroot challenge,
    # /.well-known/acme-challenge/ must be served here ahead of this redirect;
    # the HTTPS server below answers 404 for it.
    return 301 https://$server_name$request_uri;
}

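# HTTPS server configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name payment.taifaguard.co.ke;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # SSL certificate paths (update these with your actual certificate paths)
    # For Let's Encrypt, these are typically:
    # ssl_certificate /etc/letsencrypt/live/payment.taifaguard.co.ke/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/payment.taifaguard.co.ke/privkey.pem;
    ssl_certificate /etc/ssl/certs/payment.taifaguard.co.ke.crt;
    ssl_certificate_key /etc/ssl/private/payment.taifaguard.co.ke.key;

    # TLS configuration. For TLS 1.2 only forward-secret AEAD (ECDHE + GCM /
    # ChaCha20) suites are offered; the earlier "HIGH:!aNULL:!MD5" list still
    # admitted static-RSA key exchange and CBC suites. TLS 1.3 suites are
    # fixed by the library and need no listing here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are protected by a key that only rotates on restart,
    # which weakens forward secrecy for resumed sessions; the shared session
    # cache above already provides resumption.
    ssl_session_tickets off;

    # Security headers. "always" attaches them to 4xx/5xx responses too.
    # nginx caveat: add_header is NOT merged across levels — if any location
    # block below ever gains its own add_header, it must repeat all of these.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # "0" explicitly disables the legacy XSS auditor; the filter was itself a
    # source of cross-site information leaks and is gone from current browsers.
    add_header X-XSS-Protection "0" always;
    # Never send the full URL (which may carry transaction identifiers) to
    # third-party origins.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Logging
    access_log /var/log/nginx/payment.taifaguard.co.ke.access.log;
    error_log /var/log/nginx/payment.taifaguard.co.ke.error.log;

    # Client settings
    client_max_body_size 10M;
    client_body_timeout 60s;
    client_header_timeout 60s;

    # Proxy settings
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    proxy_busy_buffers_size 8k;

    # Throttled requests answer 429 instead of the default 503 so clients and
    # monitoring can tell rate limiting from an upstream outage.
    limit_req_status 429;

    # Forwarding headers used in every location below:
    # X-Real-IP is set from $remote_addr and overwrites anything the client
    # sent. X-Forwarded-For is built with $proxy_add_x_forwarded_for, which
    # APPENDS $remote_addr to the client-supplied value — the backend must
    # trust only the last address in that list (or use X-Real-IP); earlier
    # entries are chosen by the client.

    # Health check endpoint (no rate limiting). Exact match: a prefix match
    # also let any path beginning with /health reach the backend with neither
    # rate limiting nor access logging.
    location = /health {
        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        access_log off;
    }

    # Metrics endpoint (restricted access - localhost only). Exact match for
    # the same reason as /health. ::1 is allowed because this server also
    # listens on [::]:443; without it a local scraper connecting over IPv6
    # is denied.
    location = /metrics {
        allow 127.0.0.1;
        allow ::1;
        deny all;

        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Client login endpoint (stricter rate limiting: zone=login, 5r/m).
    # Prefix match, so the more specific prefix wins over /api/ below.
    location /api/v1/clients/login {
        limit_req zone=login burst=5 nodelay;

        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Payment initiation endpoint (stricter rate limiting: zone=payment)
    location /api/v1/payments/initiate {
        limit_req zone=payment burst=10 nodelay;

        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }

    # Payment status endpoint (shares the payment zone with initiate)
    location /api/v1/payments/status {
        limit_req zone=payment burst=10 nodelay;

        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # M-Pesa callback endpoint (no rate limiting for webhooks).
    # Until the allow list below is enabled this path is reachable by anyone,
    # so the backend must not act on a posted callback alone: it should match
    # the callback to a transaction it initiated and, where the provider
    # offers it, re-query the transaction status instead of trusting the
    # posted result.
    location /api/v1/callbacks/mpesa {
        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Allow M-Pesa IP ranges (update with actual M-Pesa IPs if known)
        # allow 196.201.214.0/24;
        # allow 196.201.215.0/24;
        # deny all;
    }

    # Public package endpoints (no rate limiting)
    location /api/v1/packages/public {
        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # General API endpoints. Catch-all for everything under /api/ not matched
    # by a more specific prefix above; together with the 404 default below,
    # the only unlimited routes to the backend are the ones listed explicitly.
    location /api/ {
        limit_req zone=api burst=20 nodelay;

        proxy_pass http://payment_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default location: nothing outside the locations above is proxied.
    location / {
        return 404;
    }
}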

