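# HTTPS virtual host for yummers.dev: static files from /var/www/html,
# plus reverse-proxied application endpoints and HLS delivery.
server {
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name yummers.dev www.yummers.dev;

    # Security headers
    # nginx inherits add_header from the enclosing level ONLY when the
    # current level defines no add_header of its own. Any location below that
    # sets its own headers must therefore repeat these four lines.
    # NOTE(review): X-XSS-Protection is ignored by current browsers; a
    # Content-Security-Policy is the effective control for script injection.
    # NOTE(review): no Strict-Transport-Security header is set in this block;
    # consider adding one once HTTPS-only operation is confirmed.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Add WebSocket proxy for HR proxy server
    # NOTE(review): this is a prefix match with no trailing slash, so it also
    # matches any URI that merely starts with "/hrproxy". Use "= /hrproxy" or
    # "/hrproxy/" if only that endpoint is intended.
    location /hrproxy {
        # TLS to the upstream is not certificate-verified unless
        # proxy_ssl_verify is enabled; tolerable on loopback, revisit if the
        # upstream ever moves off-host.
        proxy_pass https://127.0.0.1:2096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Contents of this snippet are not visible here; presumably it sets
        # Host / X-Forwarded-* for the upstream. Confirm.
        include snippets/proxy-headers.conf;
        # Long timeouts and no buffering keep idle WebSocket sessions open.
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffering off;
    }

    # OBS Proxy API endpoints
    location /api/ {
        # api_limit must be declared with limit_req_zone in the http context
        # (not shown in this file).
        limit_req zone=api_limit burst=20 nodelay;
        proxy_pass http://127.0.0.1:5000;
        include snippets/proxy-headers.conf;
    }

    # OBS Proxy HLS playlist + segments
    location /hls/ {
        # hls_limit must be declared with limit_req_zone in the http context
        # (not shown in this file).
        limit_req zone=hls_limit burst=200 nodelay;
        alias /var/www/streams/live/;

        # This location and each nested one set their own add_header, which
        # discards the server-level security headers. They are repeated here
        # so HLS responses carry the same policy as the rest of the site.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Access-Control-Allow-Origin "*" always;

        # Playlist files (.m3u8) should not be cached - they change constantly
        location ~ \.m3u8$ {
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Cache-Control "no-cache, no-store, must-revalidate" always;
            add_header Access-Control-Allow-Origin "*" always;
        }

        # Key files must never be cached client-side
        # NOTE(review): keys are served from the same public path as the
        # segments, with a wildcard CORS origin and no access check. Segment
        # encryption therefore does not restrict who can play the stream. If
        # keys are meant to be access-controlled, add an authorization check
        # to this location and narrow the allowed origin.
        location ~ \.key$ {
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Cache-Control "no-cache, no-store, must-revalidate" always;
            add_header Access-Control-Allow-Origin "*" always;
        }

        # Segment files (.ts) can be cached - they're immutable
        location ~ \.ts$ {
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Cache-Control "public, max-age=30" always;
            add_header Access-Control-Allow-Origin "*" always;
        }

        # No directory listings; read-only methods only.
        autoindex off;
        limit_except GET HEAD {
            deny all;
        }
    }

    # Add RTMP callbacks route (internal only)
    # The ACL is evaluated against the client address nginx sees. Only IPv4
    # loopback is allowed, so local callers must connect over 127.0.0.1 (::1
    # is denied). Re-check this rule if a real-IP / trusted-proxy setup is
    # ever added in front of this server.
    location /rtmp_callbacks/ {
        allow 127.0.0.1;
        deny all;
        proxy_pass http://127.0.0.1:5000;
        include snippets/proxy-headers.conf;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/yummers.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yummers.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Plain-HTTP virtual host: redirect the two known hostnames to HTTPS and
# answer 404 for any other Host header that lands here.
server {
    if ($host = www.yummers.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = yummers.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name yummers.dev www.yummers.dev;
    return 404; # managed by Certbot
}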