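# /etc/nginx/sites-available/gendvva.ru
#
# Two server blocks: a plain-HTTP listener that only redirects to HTTPS, and
# the HTTPS listener that serves /static/ from disk and proxies everything
# else to the application on 127.0.0.1:8000.

server {
    listen 80;
    server_name gendvva.ru www.gendvva.ru;

    # Redirect all HTTP to HTTPS.
    # NOTE(review): $host is taken from the client's Host header. If this is
    # the only (and therefore default) server on :80, a request carrying an
    # arbitrary Host is redirected to that arbitrary origin. Either add a
    # catch-all `default_server` for :80 or redirect to a fixed name
    # (https://$server_name$request_uri) if unknown Hosts must not be echoed.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name gendvva.ru www.gendvva.ru;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # SSL certs
    # NOTE(review): the private key lives under a user's home directory; it
    # must be readable only by the user that starts the nginx master process
    # (e.g. mode 0600) — confirm ownership and permissions on the host.
    ssl_certificate     /home/dvvva/ssl/gendvva.crt;
    ssl_certificate_key /home/dvvva/ssl/gendvva.key;

    # Recommended TLS settings (simple, sane defaults)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Stateless session tickets are protected by a key that is not rotated
    # automatically; disable them so resumption relies on the server-side
    # cache above instead.
    ssl_session_tickets off;

    # HSTS (optional, enable only if you're sure you serve HTTPS 100%)
    # `preload` together with `includeSubDomains` commits every subdomain to
    # HTTPS and is hard to undo once submitted to the preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Security headers (minimal set).
    # `always` makes nginx emit them on 4xx/5xx responses too; without it
    # they are only added to 2xx/3xx responses.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # The XSS auditor this header controlled has been removed from modern
    # browsers, and "1; mode=block" introduced side channels in older ones;
    # the current recommendation is to disable it explicitly.
    add_header X-XSS-Protection "0" always;
    # NOTE: add_header is NOT inherited by a location that declares its own
    # add_header — any location that needs extra headers must repeat these.

    # Serve static files directly
    location /static/ {
        alias /home/dvvva/longevity_project/gendvva-site/static/;
        access_log off;
        expires 30d;
    }

    # Proxy the app
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The app may trust X-Forwarded-Proto/-For only because nginx sets
        # them here; 127.0.0.1:8000 should not be reachable except via nginx.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60;
        client_max_body_size 10m;
    }

    # Optional: health check
    location = /health {
        access_log off;
        # default_type sets the Content-Type of the `return` body. The previous
        # `add_header Content-Type ...` could produce a duplicate Content-Type
        # next to the default one and, being an add_header inside this
        # location, also switched off inheritance of the server-level
        # security headers above.
        default_type text/plain;
        return 200 'ok';
    }
}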

