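# Nginx template for containerized services.
# Replace [DOMAIN], [UPSTREAM_NAME], [UPSTREAM_SERVER] with the appropriate values.
# NOTE(review): in this copy the placeholders are already filled in
# (models.ai.duckpage.net, llamacpp:8080).

# Plain-HTTP listener: its only job is to redirect to HTTPS.
server {
    listen 80;
    # The HTTPS server below listens on IPv6 as well; without this line
    # IPv6 clients arriving over plain HTTP would not be redirected.
    listen [::]:80;
    server_name models.ai.duckpage.net;

    # $server_name (the configured name) is used rather than the
    # client-supplied Host header, so the redirect target cannot be
    # influenced by the request.
    return 301 https://$server_name$request_uri;
}

# HTTPS listener: terminates TLS and proxies to the llamacpp upstream.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name models.ai.duckpage.net;
    charset utf-8;
    keepalive_timeout 70;

    # SSL
    ssl_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/ai.duckpage.net/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # SSL Protocols and Ciphers
    # Only TLS 1.3 is offered; clients limited to TLS 1.2 or older cannot connect.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    # NOTE(review): with TLS 1.3 as the only protocol this DH parameter file
    # is presumably unused - confirm before relying on it.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Only these two curves are offered (no X25519 or prime256v1); a client
    # that supports neither will fail the handshake.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Security Headers
    # "always" makes nginx send HSTS on error responses too (for example the
    # 403 produced by "deny all" below), matching the other headers here.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # NOTE(review): X-XSS-Protection is a legacy header; current OWASP
    # guidance is to send "0" or omit it. Value kept as the author set it.
    add_header X-Xss-Protection "1; mode=block" always;

    # OCSP Stapling
    # NOTE(review): stapling needs an OCSP responder URL in the certificate;
    # if the issuing CA does not provide one, nginx logs a warning and ignores
    # ssl_stapling. Verify against the deployed certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
    resolver_timeout 5s;

    # Applies to every location in this server, including /v1, which has no
    # IP restriction: any client that can reach it may upload up to 512M.
    client_max_body_size 512M;
    client_body_buffer_size 128k;

    # Gzip
    # NOTE(review): no "gzip on;" is visible in this file; unless it is set in
    # the enclosing http context this list has no effect.
    # Fixed MIME type: "application/atom_xml" -> "application/atom+xml".
    gzip_types text/plain text/xml text/css application/xhtml+xml
               application/xml image/svg+xml application/rss+xml
               application/atom+xml application/javascript
               application/x-javascript application/x-httpd-php
               application/x-httpd-fastphp application/x-httpd-eruby;

    # Main Proxy
    # NOTE(review): unlike "location /" below, this block has no allow/deny
    # list, and none is set at server level in this file. Every client that
    # can reach port 443 can call the /v1 API through this proxy. Confirm this
    # is intended and that the upstream enforces its own authentication.
    location /v1 {
        proxy_http_version 1.1;
        # Connection is set to "Upgrade" on every proxied request, not only
        # on WebSocket handshakes.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # 600-second timeouts let a slow client or slow upstream hold a
        # connection for up to ten minutes per phase.
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;

        proxy_redirect off;
        # $http_host forwards the client-supplied Host header unchanged.
        # NOTE(review): $host would pass nginx's normalized value instead;
        # confirm which one the upstream needs.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry is set by
        # this proxy; the upstream must not trust earlier entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://llamacpp:8080/v1;
    }

    # Everything outside /v1 is restricted to loopback and two private ranges.
    location / {
        # Allow specific IPs (replace with your actual IPs)
        # allow/deny compare against the TCP peer address; if another proxy
        # or load balancer sits in front of this nginx, the peer is that
        # proxy - presumably not the case here, verify.
        allow 127.0.0.1;
        allow ::1;
        allow 10.50.210.0/24;
        allow 10.0.80.0/24;
        # Add more allow lines for specific IPs, e.g., allow 192.168.1.0/24;
        deny all;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;

        proxy_redirect off;
        # Same header handling as in /v1: client-supplied Host is forwarded
        # as-is and X-Forwarded-For is appended to, not replaced.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://llamacpp:8080;
    }

    # Refuse requests for .ht* files (e.g. .htaccess, .htpasswd).
    location ~ /\.ht {
        deny all;
    }
}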