# Nginx configuration
# Last updated: 2025-12-31

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;

events {
    worker_connections 1024;
}

http {
    upstream app_backend {
        server 172.16.102.69:8080 weight=5;
        server 192.168.255.1:8080 weight=5;
        server 172.16.54.14:8080 backup;
    }

    # SSL Configuration
    ssl_certificate     /etc/nginx/ssl/app.crt;
    ssl_certificate_key /etc/nginx/ssl/app.key;
    
    server {
        listen 443 ssl http2;
        server_name api.mail.internal;
        
        # Internal authentication header
        set $internal_auth_token "56a8ff11da010b12f9d61e4f64b8c297";
        
        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Internal-Auth $internal_auth_token;
        }
        
        location /admin {
            # Restrict to internal IPs
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
            deny all;
            
            proxy_pass http://app_backend;
            auth_basic "Admin Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }
}