# Nginx Configuration for Isolation System
# Pass real client IP to Next.js for auto-detection

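# Plain-HTTP virtual host: proxies every request to the Next.js app on
# localhost:3000 and forwards the client address nginx observed, which the
# application uses for isolation detection.
server {
    listen 80;
    listen [::]:80;
    server_name billing.yourdomain.com;  # Replace with your domain

    # Redirect HTTP to HTTPS (optional, but recommended).
    # While this line stays commented out, the location block below also
    # serves the application over unencrypted HTTP.
    # return 301 https://$server_name$request_uri;

    location / {
        proxy_pass http://localhost:3000;  # Next.js default port
        proxy_http_version 1.1;

        # Pass client information
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        # ⚠️ CRITICAL: Pass real client IP for isolation detection.
        # $remote_addr is the peer address of the connection nginx accepted,
        # so it cannot be set by a request header.
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite X-Forwarded-For instead of appending to it.
        # $proxy_add_x_forwarded_for keeps whatever X-Forwarded-For value the
        # client sent and only appends $remote_addr, so an application that
        # reads the first entry would act on a client-chosen address.
        # X-Real-IP above already assumes nginx is the first hop, so the
        # single observed address is the correct value here as well.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # NOTE(review): these headers are only trustworthy if the app cannot
        # be reached except through nginx. Confirm that port 3000 is bound to
        # loopback or firewalled from outside.

        proxy_cache_bypass $http_upgrade;
    }
}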

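# HTTPS virtual host: terminates TLS and proxies every request to the Next.js
# app on localhost:3000, forwarding the client address nginx observed.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name billing.yourdomain.com;  # Replace with your domain

    # SSL Configuration (if using SSL)
    # Replace both paths with your own certificate and private key. Keep the
    # key file readable only by the account nginx starts as.
    ssl_certificate /etc/ssl/certs/your-cert.pem;
    ssl_certificate_key /etc/ssl/private/your-key.pem;

    # SSL Security: TLS 1.2 and 1.3 only, no anonymous or MD5-based suites,
    # server-side cipher preference.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        # ⚠️ CRITICAL: Pass real client IP.
        # $remote_addr is the peer address of the connection nginx accepted,
        # so it cannot be set by a request header.
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite X-Forwarded-For instead of appending to it.
        # $proxy_add_x_forwarded_for keeps whatever X-Forwarded-For value the
        # client sent and only appends $remote_addr, so an application that
        # reads the first entry would act on a client-chosen address.
        # X-Real-IP above already assumes nginx is the first hop, so the
        # single observed address is the correct value here as well.
        proxy_set_header X-Forwarded-For $remote_addr;
        # $scheme is "https" in this block, so the app can tell the original
        # request was encrypted.
        proxy_set_header X-Forwarded-Proto $scheme;

        # NOTE(review): these headers are only trustworthy if the app cannot
        # be reached except through nginx. Confirm that port 3000 is bound to
        # loopback or firewalled from outside.

        proxy_cache_bypass $http_upgrade;
    }
}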

# ============================================
# INSTALLATION INSTRUCTIONS
# ============================================
#
# 1. Copy this file to: /etc/nginx/sites-available/salfanet-radius
#
# 2. Edit the file:
#    sudo nano /etc/nginx/sites-available/salfanet-radius
#    - Replace billing.yourdomain.com with your domain
#    - Replace the SSL certificate paths (if using HTTPS)
#
# 3. Enable site:
#    sudo ln -s /etc/nginx/sites-available/salfanet-radius /etc/nginx/sites-enabled/
#
# 4. Test configuration:
#    sudo nginx -t
#
# 5. Reload Nginx:
#    sudo systemctl reload nginx
#
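# 6. Check that the X-Real-IP header reaches the app:
#    - Temporarily add a console.log of the header in middleware.ts
#    - Check logs: journalctl -u salfanet-radius -f
#    - Remove the console.log afterwards so client IPs are not logged on every request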
#
# ============================================

# ============================================
# CLOUDFLARE TUNNEL ALTERNATIVE
# ============================================
#
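# If you use Cloudflare Tunnel, this Nginx config is not needed.
# Cloudflare already passes the X-Real-IP header automatically.
# NOTE(review): confirm this in your setup. Cloudflare documents
# CF-Connecting-IP and X-Forwarded-For as its client-IP headers, and the app
# should only be reachable through the tunnel for any of them to be trusted.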
#
# Setup:
# 1. Install cloudflared
# 2. cloudflared tunnel create billing
# 3. cloudflared tunnel route dns billing billing.yourdomain.com
# 4. cloudflared tunnel run billing
#
# Cloudflare advantages:
# - Auto HTTPS (SSL gratis)
# - DDoS protection
# - Global CDN
# - No port forwarding needed
#
# ============================================
