events {}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # ------------------ upstreams (one line to edit per container) ----------
    upstream backend5000 { server server1:5000; }   # auth & free
    upstream backend5001 { server server2:5001; }   # onet, distance, etc.
    upstream backend5002 { server server3:5002; }   # premium

    # -----------------------------------------------------------------------
    #  1.  HTTP → HTTPS redirect
    # -----------------------------------------------------------------------
    server {
        listen 80;
        listen [::]:80;
        server_name dev1.aptivaai.com;
        return 301 https://$host$request_uri;
    }

    # -----------------------------------------------------------------------
    #  2.  Main virtual host on :443
    # -----------------------------------------------------------------------
    server {
        listen 443 ssl http2;
        server_name dev1.aptivaai.com;

        # ---------- TLS -----------------------------------------------------
        ssl_certificate     /etc/letsencrypt/live/dev1.aptivaai.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dev1.aptivaai.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # ---------- React static assets -------------------------------------
        root /usr/share/nginx/html;
        index index.html;
        location / {
            try_files $uri $uri/ /index.html;
        }
        location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg)$ {
            expires 6M;
            access_log off;
        }

        # -------------------------------------------------------------------
        #  3.  API reverse‑proxy rules  (three prefixes = three back‑ends)
        # -------------------------------------------------------------------

        ## 3A  server2 – career, maps, onet, salary, etc.
        ##     Anything that *starts* with /api/onet/ OR any one of the paths
        ##     you previously enumerated now lives here.
        location ^~ /api/onet/          { proxy_pass http://backend5001; }
        location ^~ /api/chat/          { proxy_pass http://backend5001; proxy_http_version 1.1; proxy_buffering off; }
        location ^~ /api/job-zones      { proxy_pass http://backend5001; }
        location ^~ /api/salary         { proxy_pass http://backend5001; }
        location ^~ /api/cip/           { proxy_pass http://backend5001; }
        location ^~ /api/tuition/       { proxy_pass http://backend5001; }
        location ^~ /api/projections/   { proxy_pass http://backend5001; }
        location ^~ /api/skills/        { proxy_pass http://backend5001; }
        location ^~ /api/ai-risk        { proxy_pass http://backend5001; }
        location ^~ /api/maps/distance  { proxy_pass http://backend5001; }
        location ^~ /api/schools        { proxy_pass http://backend5001; }

        ## 3B  server3 – premium & public assets handled by server3
        location ^~ /api/premium/       { proxy_pass http://backend5002; }
        location ^~ /api/public/        { proxy_pass http://backend5002; }

        ## 3C  server1 – everything else beginning with /api/
        ##     (register, signin, user‑profile, areas, activate‑premium, …)
        location ^~ /api/               { proxy_pass http://backend5000; }

        # ---------- shared proxy settings -----------------------------------
        ## Add the headers *once*; they apply to every proxy_pass above.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # ---------- error pages ---------------------------------------------
        error_page 502 503 504 /50x.html;
        location = /50x.html { root /usr/share/nginx/html; }
    }
}