# GNSS Guard Server - Nginx Configuration
# This file is used for initial setup (HTTP only)
# After SSL setup, this file is replaced with the SSL configuration

upstream gnss_server {
    server gnss-server:8000;
}

# =============================================================================
# IP WHITELIST FOR DASHBOARD ACCESS
# =============================================================================
# These IPs can access the web dashboard and admin endpoints.
# The validation API endpoints (/api/v1/validation*) are open to all.
#
# To update: edit this file and run ./deploy_server.sh --restart
# =============================================================================

geo $ip_whitelist {
    default         0;
    
    # Office IPs - Whitelisted for dashboard access
    213.149.164.73  1;  # Socrates Office 5G
    87.228.228.45   1;  # Thaleias Office
    93.109.218.195  1;  # HQ Cyta
    65.18.217.50    1;  # HQ Cablenet
    93.109.218.196  1;  # HQ Cyta 2
    62.228.7.94     1;  # Socrates Home 3
    195.97.70.162   1;  # Piraeus Office
    
    # Localhost only (for internal health checks)
    127.0.0.1       1;
    # NOTE: Docker internal networks (10.0.0.0/8, 172.16.0.0/12) are NOT whitelisted
    # to prevent privilege escalation if an attacker gains container access
}

# HTTP server
server {
    listen 80;
    server_name _;

    # Let's Encrypt challenge location - always open
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # =========================================================================
    # PUBLIC ENDPOINTS - Open to all (asset token authentication)
    # =========================================================================
    
    # Validation API - accessible from anywhere (clients authenticate with tokens)
    location /api/v1/validation {
        proxy_pass http://gnss_server;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
    }

    # Health check endpoint - open
    location /health {
        proxy_pass http://gnss_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # =========================================================================
    # RESTRICTED ENDPOINTS - Office IPs only (session authentication)
    # =========================================================================
    
    # All other endpoints require IP whitelist
    location / {
        # Check IP whitelist
        # TEMPORARILY DISABLED - uncomment to re-enable IP whitelisting
        # if ($ip_whitelist = 0) {
        #     return 403;
        # }
        
        proxy_pass http://gnss_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
    }

    # Custom error page for 403
    error_page 403 /403.html;
    location = /403.html {
        internal;
        default_type text/html;
        return 403 '<!DOCTYPE html><html><head><title>Access Denied</title><style>body{font-family:sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#060b10;color:#e5e9f5;}.container{text-align:center;}.title{font-size:48px;margin-bottom:20px;color:#c62828;}.msg{font-size:18px;color:#9aa3b8;}</style></head><body><div class="container"><div class="title">403</div><div class="msg">Access Denied<br>Your IP is not authorized to access this resource.</div></div></body></html>';
    }
}