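worker_processes 1;

# Only variables listed with `env` survive into OpenResty workers; nginx
# scrubs the rest of the environment, so os.getenv() returns nil for anything
# not declared here.
env KEYCLOAK_CLIENT_SECRET;   # presumably read by auth.lua — TODO confirm
env KEYCLOAK_LOGOUT_URL;      # consumed by the /logout handler below

events {
    worker_connections 1024;
}

http {
    # Resolver for hostnames looked up at request time from Lua (e.g. the
    # OIDC discovery / JWKS fetches). proxy_pass hostnames are resolved once
    # at startup and do not use it.
    resolver 192.168.21.2 ipv6=off;
    lua_package_path "/usr/local/openresty/lualib/?.lua;;";

    # Shared caches: OIDC discovery metadata, JWKS, and the session store.
    # NOTE(review): dict names are assumed to match what auth.lua /
    # lua-resty-session are configured with — confirm.
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;
    lua_shared_dict sessions 10m;

    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        # Plain HTTP listener: $scheme is always "http" here. If a TLS
        # terminator sits in front of this server, forward its incoming
        # X-Forwarded-Proto rather than $scheme — TODO confirm topology.
        listen 80;

        # Public route: the /auth selection page, no login required.
        # Anchored regex so that only /auth and /auth/... bypass the auth
        # gate. A plain prefix location "/auth" would also exempt /authors,
        # /authenticate, and any other path starting with "/auth". A matching
        # regex location takes precedence over the prefix locations below.
        # If the page loads assets from a sibling path (e.g. /auth-static/),
        # add that path here explicitly rather than widening the match.
        location ~ ^/auth(/|$) {
            proxy_pass http://main-website:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # OIDC callback: auth.lua performs the code exchange and redirects.
        # There is no content handler here, so if auth.lua ever returns
        # without redirecting, nginx falls through to the default static
        # root (normally a 404).
        location = /redirect_uri {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
        }

        # Full logout: clears the local session and redirects to Keycloak's
        # end-session endpoint. GET remains allowed (limit_except), which
        # means a cross-site link can still end a user's session; switch to
        # POST-only once the UI submits logout as a form.
        location = /logout {
            limit_except GET POST { deny all; }
            access_by_lua_block {
                local session = require("resty.session").start()
                -- NOTE(review): `session.data` is the lua-resty-session 2.x/3.x
                -- shape; 4.x exposes session:get(). Confirm the installed version.
                local id_token = session.data and session.data.id_token
                session:destroy()

                local redirect_uri = "https://demo.rhein-software.dev"

                -- Prefer the endpoint injected via `env KEYCLOAK_LOGOUT_URL`;
                -- fall back to the previous hard-coded value so deployments
                -- that do not set it behave exactly as before.
                local logout_base = os.getenv("KEYCLOAK_LOGOUT_URL")
                    or "https://sso.rhein-software.dev/realms/rheinsw/protocol/openid-connect/logout"

                -- Use "&" if the configured base already carries a query string.
                local sep = logout_base:find("?", 1, true) and "&" or "?"
                local logout_url = logout_base
                    .. sep .. "post_logout_redirect_uri=" .. ngx.escape_uri(redirect_uri)

                -- id_token_hint lets Keycloak end the SSO session without a
                -- confirmation prompt; omitted when no session was present.
                if id_token then
                    logout_url = logout_url .. "&id_token_hint=" .. ngx.escape_uri(id_token)
                end
                return ngx.redirect(logout_url)
            }
        }

        # Protected main site: every request passes through auth.lua first.
        location / {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
            proxy_pass http://main-website:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Protected demo routes. The rewrite strips the /lawfirm/demoN prefix
        # so the upstream sees paths rooted at "/"; `break` keeps the request
        # in this location so proxy_pass uses the rewritten URI.
        location /lawfirm/demo1/ {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
            rewrite ^/lawfirm/demo1(/.*)$ $1 break;
            proxy_pass http://ld1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /lawfirm/demo2/ {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
            rewrite ^/lawfirm/demo2(/.*)$ $1 break;
            proxy_pass http://ld2:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /lawfirm/demo3/ {
            access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
            rewrite ^/lawfirm/demo3(/.*)$ $1 break;
            proxy_pass http://tld1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Add more locations as needed for other demos. Every new route must
        # carry the access_by_lua_file line above, or it is served unauthenticated.
    }
}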