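# Wildcard subdomain routing for Nexus POS
# DNS: *.nexusautoparts.com -> server IP (Cloudflare wildcard)

# Rate limiting zone: one bucket per client address, 10 requests/second.
# NOTE(review): if traffic arrives through Cloudflare's proxy rather than
# DNS-only records, $binary_remote_addr is the Cloudflare edge address and
# many clients share one bucket. In that case restore the client address with
# set_real_ip_from (Cloudflare ranges) and real_ip_header CF-Connecting-IP
# before relying on this zone or on X-Real-IP below. Confirm the DNS mode.
limit_req_zone $binary_remote_addr zone=pos_login:10m rate=10r/s;

# Upstream backends (loopback only)
upstream nexus_main {
    server 127.0.0.1:5000;
}

upstream nexus_pos {
    server 127.0.0.1:5001;
}

# Main site (no subdomain).
# Exact names win over the regex server_name below, so www.* is served here.
server {
    listen 80;
    server_name nexusautoparts.com www.nexusautoparts.com;

    location / {
        proxy_pass http://nexus_main;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the backend should
        # trust only the entry added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is the scheme of this hop; this block only listens on plain
        # HTTP, so the backend always sees "http" here.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# POS subdomains (wildcard)
server {
    listen 80;
    # The named capture must be spelled (?<tenant>...) so that $tenant exists;
    # without the name the regex is invalid and $tenant is undefined.
    # NOTE(review): ".+" also matches multi-label names (a.b.nexusautoparts.com)
    # and any character the client puts in Host. The POS backend must validate
    # the tenant value against its list of known tenants.
    server_name ~^(?<tenant>.+)\.nexusautoparts\.com$;

    # Security headers ("always" also covers error responses)
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Set from the matched server name; this replaces any
        # X-Tenant-Subdomain header supplied by the client.
        proxy_set_header X-Tenant-Subdomain $tenant;
    }

    # Rate limit login endpoint.
    # Prefix match: also applies to paths below /pos/api/auth/login.
    # burst=5 nodelay serves up to 5 excess requests immediately and rejects
    # the rest instead of queueing them.
    location /pos/api/auth/login {
        limit_req zone=pos_login burst=5 nodelay;

        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Tenant-Subdomain $tenant;
    }
}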