# Shared SPA locations. Browser calls same-origin /apnew/api/ (VITE_API_PREFIX=/apnew).
# /apnew/api/ avoids ALB listener rule that sends /api/* to an unreachable backend target group.
# Nginx proxies internally to ark-library-backend-1 (Tailscale); Host header for backend TLS.
# Legacy /api/ locations are commented below for reference only.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_types text/plain text/css application/javascript application/json application/xml image/svg+xml;
gzip_min_length 256;

location ^~ /apnew/api/admin {
  return 404;
}
# Legacy same-origin /api admin block. Disabled while production uses /apnew/api.
# location ^~ /api/admin {
#   return 404;
# }
location ^~ /admin {
  return 404;
}

location ^~ /apnew/api/ {
  proxy_pass https://100.93.205.19/api/;
  proxy_http_version 1.1;
  proxy_ssl_server_name on;
  proxy_set_header Host api.ark-library.com;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  client_max_body_size 512m;
  client_body_timeout 600s;
  proxy_read_timeout 600s;
  proxy_send_timeout 600s;
}

# Legacy same-origin /api proxy. Disabled while production uses /apnew/api.
# location ^~ /api/ {
#   proxy_pass https://100.93.205.19/api/;
#   proxy_http_version 1.1;
#   proxy_ssl_server_name on;
#   proxy_set_header Host api.ark-library.com;
#   proxy_set_header X-Real-IP $remote_addr;
#   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#   proxy_set_header X-Forwarded-Proto $scheme;
#   client_max_body_size 512m;
#   client_body_timeout 600s;
#   proxy_read_timeout 600s;
#   proxy_send_timeout 600s;
# }

location ^~ /uploads/ {
  proxy_pass https://100.93.205.19/uploads/;
  proxy_http_version 1.1;
  proxy_ssl_server_name on;
  proxy_set_header Host api.ark-library.com;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}

location = /health {
  default_type text/plain;
  return 200 "ok\n";
}

location = /healthz {
  default_type text/plain;
  return 200 "ok\n";
}

location = /index.html {
  try_files $uri =404;
  add_header Cache-Control "no-cache, no-store, must-revalidate" always;
}

# Exact `/` so the HTML shell is never edge-cached without validators (avoids stale index.html → 404 on hashed /index-*.js or /assets/*).
location = / {
  try_files /index.html =404;
  add_header Cache-Control "no-cache, no-store, must-revalidate" always;
}

location = /assets/logo-primary.webp {
  try_files $uri =404;
  add_header Cache-Control "public, max-age=3600, stale-while-revalidate=86400" always;
}
location ^~ /assets/ark-library/ {
  try_files $uri =404;
  add_header Cache-Control "public, max-age=86400, stale-while-revalidate=604800" always;
}

location ^~ /assets/ {
  try_files $uri =404;
  add_header Cache-Control "public, max-age=31536000, immutable" always;
}

# Hashed entry chunk at /index-[hash].js (Vite entryFileNames). Do not 308 to /assets — file lives here.
location ~* ^/index-[A-Za-z0-9_-]+\.(js|mjs)$ {
  try_files $uri =404;
  add_header Cache-Control "public, max-age=31536000, immutable" always;
}

location / {
  try_files $uri $uri/ /index.html;
}