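# /etc/nginx/sites-available/puffinoffset.com
#
# Two server blocks:
#   1) port 80  - serves ACME HTTP-01 challenge files, redirects everything else to HTTPS
#   2) port 443 - terminates TLS and reverse-proxies to the app on 127.0.0.1:3800

# 1) Redirect all HTTP to HTTPS, except the ACME challenge path
server {
    listen 80;
    server_name puffinoffset.com;

    # Allow certbot to do HTTP-01 challenges.
    # ^~ stops regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;   # adjust if your webroot differs
        try_files $uri =404;  # serve only files that exist; no directory listing or fallback
    }

    # Redirect everything else to HTTPS.
    # The target uses the fixed site name instead of $host: $host comes from the
    # client's Host header, and if this block is ever the default server for
    # port 80 a request with an arbitrary Host would be redirected to that host.
    location / {
        return 301 https://puffinoffset.com$request_uri;
    }
}

# 2) HTTPS server block: reverse-proxy to your Docker app on localhost:3800
server {
    listen 443 ssl http2;
    server_name puffinoffset.com;

    # === SSL certs from Let's Encrypt ===
    # A `listen ... ssl` server needs a certificate and key; with these two
    # directives commented out the block cannot serve TLS. Both files must exist
    # before this block is enabled: on first issuance, enable only the port-80
    # block above, obtain the certificate, then enable this one.
    ssl_certificate     /etc/letsencrypt/live/puffinoffset.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/puffinoffset.com/privkey.pem;
    include     /etc/letsencrypt/options-ssl-nginx.conf;  # from certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;        # from certbot

    # Optional: once HTTPS is confirmed working, tell browsers to stay on it.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # === Proxy all traffic to your Node app ===
    # The upstream is plain HTTP on loopback. Publish the container port as
    # 127.0.0.1:3800 (not 0.0.0.0:3800) so the app cannot be reached directly,
    # bypassing TLS and the headers set here.
    location / {
        proxy_pass http://127.0.0.1:3800;
        proxy_http_version 1.1;

        # WebSocket upgrade support
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host      $host;
        # X-Real-IP is the address nginx actually saw. X-Forwarded-For is the
        # client-supplied header with that address appended, so the app should
        # trust only the last entry (or X-Real-IP) for logging and rate limits.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # increase timeouts if your app sometimes takes longer to respond:
        proxy_read_timeout 90;
    }

    # Optional: serve static assets directly if you ever add any here
    # location /static/ {
    #     root /var/www/puffinoffset.com;
    #     try_files $uri $uri/ =404;
    # }
}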