# Example Nginx Reverse Proxy Configuration for Streamlit Training Monitor
# This config handles WebSocket connections needed for Streamlit's real-time updates

# HTTP server block (redirects to HTTPS)
server {
    listen 80;
    server_name llm.winkinshly.site;  # Replace with your domain
    return 301 https://$server_name$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    server_name llm.winkinshly.site;  # Replace with your domain

    # SSL certificate paths - replace with your actual certificate paths
    ssl_certificate /etc/letsencrypt/live/llm.winkinshly.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/llm.winkinshny.site/privkey.pem;

    # SSL optimization
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # CORS headers - important for cross-origin requests
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
    add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
    add_header Access-Control-Expose-Headers "Content-Length,Content-Range";

    # Root location for static files (optional)
    location / {
        root /var/www/html;
        index index.html;
    }

    # Main Streamlit application proxy
    location / {
        # Proxy to your Streamlit server
        proxy_pass http://localhost:8501;  # Change port if your Streamlit runs on different port

        # Basic proxy settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support - CRITICAL for Streamlit
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Buffer settings
        proxy_buffering off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;

        # Timeout settings (important for WebSockets)
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;

        # Disable buffering for WebSocket connections
        proxy_redirect off;
    }

    # Specific handling for Streamlit WebSocket endpoint
    location ~ ^/_stcore/ {
        # Proxy to your Streamlit server
        proxy_pass http://localhost:8501;

        # WebSocket headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Remove CORS restrictions for WebSocket
        add_header Access-Control-Allow-Origin "*" always;

        # Important WebSocket settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts for WebSocket connections
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;

        # Disable buffering
        proxy_buffering off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Health check endpoint (optional)
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}

# HTTP-only configuration (if you don't want SSL)
# server {
#     listen 80;
#     server_name llm.winkinshly.site;  # Replace with your domain
#
#     # CORS headers
#     add_header Access-Control-Allow-Origin "*";
#     add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
#     add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
#
#     location / {
#         proxy_pass http://localhost:8501;
#
#         # Basic headers
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#
#         # WebSocket support
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#
#         # Timeouts
#         proxy_connect_timeout 7d;
#         proxy_send_timeout 7d;
#         proxy_read_timeout 7d;
#
#         proxy_buffering off;
#     }
#
#     location ~ ^/_stcore/ {
#         proxy_pass http://localhost:8501;
#
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
#         proxy_connect_timeout 7d;
#         proxy_send_timeout 7d;
#         proxy_read_timeout 7d;
#
#         proxy_buffering off;
#     }
# }