# Nginx reverse proxy for LLM Gateway
# Place at: /etc/nginx/sites-available/llm-gateway
# Enable:   ln -s /etc/nginx/sites-available/llm-gateway /etc/nginx/sites-enabled/
# Reload:   nginx -t && systemctl reload nginx
#
# NOTE: If using Cloudflare Tunnel, nginx is optional.
#       The tunnel connects directly to localhost:3100.

upstream llm_gateway {
    server localhost:3100;
    keepalive 32;
}

server {
    listen 80;
    server_name llm-gateway.context-x.org;

    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    # Don't leak nginx version
    server_tokens off;

    location / {
        proxy_pass http://llm_gateway;

        # Timeouts: 130s to handle large LLM responses without proxy interruption
        proxy_read_timeout    130s;
        proxy_connect_timeout 10s;
        proxy_send_timeout    130s;

        # Standard proxy headers
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Keep-alive to upstream
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Buffer streaming responses (LLMs can stream tokens)
        proxy_buffering off;
    }

    # Health endpoint — no logging (noisy in monitoring)
    location /health {
        proxy_pass http://llm_gateway/health;
        access_log off;
    }
}