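user nginx;
worker_processes auto;

# Error log. The level is `info` rather than `debug`: on a build with debugging
# support, `debug` writes every request header line (Authorization and Cookie
# values included) to disk and grows very quickly. Raise it to `debug` only for
# a bounded troubleshooting window. The directive is inherited by http{} and
# server{}, so it is declared once here.
error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ─── CREDENTIAL REDACTION FOR LOGGING ───────────────────────────────────────
    # Access logs are long-lived, widely readable and routinely shipped to other
    # systems. Writing raw Authorization or Cookie values there turns every log
    # reader into a holder of live credentials, so only the scheme / presence is
    # recorded. For Basic auth the user name is still available as $remote_user
    # in forensic_main.
    map $http_authorization $log_authorization {
        ""              "-";
        ~*^bearer\s     "Bearer [redacted]";
        ~*^basic\s      "Basic [redacted]";
        default         "[redacted]";
    }

    map $http_cookie $log_cookie {
        ""              "-";
        default         "[redacted]";
    }

    # ─── EXTENDED FORENSIC LOG FORMAT ───────────────────────────────────────────
    # NOTE(review): X-Forwarded-For and X-Real-IP are client-supplied unless a
    # trusted proxy in front overwrites them; treat them as hints, not as the
    # authoritative source address. $request and $request_uri include the query
    # string, so tokens passed as URL parameters will appear in this log.
    log_format forensic_main
        '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$http_x_forwarded_for" "$http_x_real_ip" '
        'rt=$request_time '                     # Total request time
        'uct="$upstream_connect_time" '         # Upstream connect time
        'uht="$upstream_header_time" '          # Upstream header time
        'urt="$upstream_response_time" '        # Upstream response time
        'cs=$upstream_cache_status '            # Cache status
        'ssl_protocol="$ssl_protocol" '         # TLS protocol in use
        'ssl_cipher="$ssl_cipher" '             # TLS cipher
        'ssl_session_id="$ssl_session_id" '     # TLS session ID (tracing)
        'conn=$connection '                     # Connection ID
        'conn_reqs=$connection_requests '       # Requests per connection
        'pipe=$pipe '                           # Pipelining (y/n)
        'host="$host" '                         # Requested host
        'server_name="$server_name" '
        'scheme="$scheme" '
        'request_method="$request_method" '
        'request_uri="$request_uri" '
        'server_port="$server_port" '
        'http_version="$server_protocol" '
        'bytes_sent=$bytes_sent '               # Total bytes sent
        'request_length=$request_length '       # Request size
        'req_id="$request_id"';                 # Unique ID per request

    # Additional format for security-relevant headers. Field names are
    # unchanged; the Authorization and Cookie values come from the redaction
    # maps above instead of the raw request headers.
    log_format forensic_headers
        '$remote_addr [$time_local] req_id="$request_id" '
        'Authorization="$log_authorization" '
        'Cookie="$log_cookie" '
        'Content-Type="$content_type" '
        'Content-Length="$content_length" '
        'Accept="$http_accept" '
        'Accept-Language="$http_accept_language" '
        'Accept-Encoding="$http_accept_encoding" '
        'Origin="$http_origin" '
        'Sec-Fetch-Site="$http_sec_fetch_site" '
        'Sec-Fetch-Mode="$http_sec_fetch_mode" '
        'Sec-Fetch-Dest="$http_sec_fetch_dest" '
        'X-Custom-Header="$http_x_custom_header"';

    # ─── LOG FILES ──────────────────────────────────────────────────────────────
    # Both logs are declared at http level and inherited by the server below.
    # Keep /var/log/nginx readable only by the log pipeline and administrators.
    access_log /var/log/nginx/access.log forensic_main buffer=16k flush=1s;
    access_log /var/log/nginx/headers.log forensic_headers buffer=16k flush=1s;

    # ─── GENERAL OPTIONS ────────────────────────────────────────────────────────
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    server_tokens off;  # Do not reveal the version in responses

    # Return the unique request ID on every response so a client report can be
    # matched to the req_id field in both logs. A lower level that declares its
    # own add_header stops inheriting this one.
    add_header X-Request-ID $request_id always;

    # ─── LARAVEL SERVER BLOCK ───────────────────────────────────────────────────
    server {
        # NOTE(review): plain HTTP only, so the ssl_* log fields stay empty and
        # Authorization/Cookie travel unencrypted on this hop. Presumably TLS is
        # terminated by a proxy in front of this container; confirm.
        listen 80;
        server_name _;
        root /var/www/repuve-backend-v1/public;
        index index.php index.html;

        # No access_log here on purpose: access_log declared at this level
        # replaces the inherited set instead of adding to it, which would leave
        # headers.log without entries for this server.

        client_max_body_size 150M;

        # Handle Laravel routes (front controller)
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        # Never route files under the upload/static prefixes to PHP-FPM. Regex
        # locations take precedence over the plain prefix locations further
        # down, so without this guard a *.php object that resolves under the
        # document root (for example through Laravel's public/storage link)
        # would be sent to the interpreter rather than served as a file.
        # Must stay above the generic PHP location: the first matching regex wins.
        location ~ ^/(storage|profile|images)/.*\.php$ {
            return 404;
        }

        # Handle PHP files
        location ~ \.php$ {
            # Only scripts that actually exist under the document root are
            # passed to the backend.
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass repuve-backend:9000;
            fastcgi_index index.php;

            # Generous timeouts to avoid gateway errors on slow requests
            fastcgi_read_timeout 300;
            fastcgi_connect_timeout 300;
            fastcgi_send_timeout 300;

            # Load the default parameters
            include fastcgi_params;

            # Parameters Laravel depends on
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param REQUEST_URI $request_uri;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;
            fastcgi_param HTTP_HOST $http_host;
            fastcgi_param HTTPS $https if_not_empty;
            # Blank the client "Proxy" header so it cannot become HTTP_PROXY in
            # the backend environment.
            fastcgi_param HTTP_PROXY "";

            # Pass the request ID to the backend for tracking
            fastcgi_param HTTP_X_REQUEST_ID $request_id;
        }

        # Handle storage files (Laravel storage link)
        location /storage/ {
            alias /var/www/repuve-backend-v1/storage/app/public/;
        }

        # Location and alias both end in "/" so the prefix matches only this
        # directory; without the slashes "/profile" also matched sibling names
        # such as "/profile-old/..." and mapped them into storage/app/.
        location /profile/ {
            alias /var/www/repuve-backend-v1/storage/app/profile/;
            try_files $uri =404;
        }

        location /images/ {
            alias /var/www/repuve-backend-v1/storage/app/images/;
            try_files $uri =404;
        }

        # Deny access to hidden files (.htaccess, .git, .env, ...) everywhere,
        # keeping /.well-known/ reachable.
        location ~ /\.(?!well-known/) {
            deny all;
        }
    }
}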