# Example nginx configuration for SeaweedFS S3 API reverse proxy
# See README.md in this directory for detailed explanation

upstream seaweedfs_s3 {
    # Point to your SeaweedFS S3 service
    server s3:8333;
    # For local development: server 127.0.0.1:8333;
    
    # Keep connections alive for better performance
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name _;  # Replace with your domain

    # SSL Configuration
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    
    # Optional: Client certificate authentication (mTLS)
    # ssl_client_certificate /etc/nginx/certs/ca.crt;
    # ssl_verify_client optional;
    # ssl_verify_depth 2;

    # Logging
    access_log /var/log/nginx/s3-access.log;
    error_log /var/log/nginx/s3-error.log;

    # Client upload limits
    client_max_body_size 0;  # No limit for S3 uploads
    client_body_timeout 300s;
    
    # CRITICAL: Disable buffering for AWS chunked uploads
    proxy_buffering off;
    proxy_request_buffering off;

    # HTTP version and connection settings
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    
    # Timeouts
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    location / {
        proxy_pass http://seaweedfs_s3;

        # CRITICAL: Preserve original Host header including port
        # Use $http_host instead of $host to preserve the port
        proxy_set_header Host $http_host;

        # CRITICAL: Pass all headers through unchanged
        # AWS Signature V4 includes these in signature calculation
        proxy_pass_request_headers on;

        # Optional: Forward client IP information
        # (These are NOT part of AWS signature)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CRITICAL: Do not modify request body
        proxy_pass_request_body on;

        # Ignore invalid headers (S3 may send non-standard headers)
        ignore_invalid_headers off;
    }

    # Health check endpoint
    location /health {
        return 200 "OK\n";
        add_header Content-Type text/plain;
    }
}

# Optional: HTTP to HTTPS redirect
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}