# Configuration HTTPS pour dev4.4nkweb.com
server {
    listen 443 ssl;
    http2 on;
    server_name dev4.4nkweb.com;

    # Certificats SSL
    ssl_certificate     /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;

    # Configuration SSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Headers de sécurité
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Grafana - Interface de monitoring (DOIT être avant location /)
    include $NGINX_CONF_DIR/route_grafana.conf;

    # Loki API - API de logs (DOIT être avant location /)
    include $NGINX_CONF_DIR/route_loki.conf;

    # Page de statut des services (DOIT être avant location /)
    include $NGINX_CONF_DIR/route_status.conf;
    include $NGINX_CONF_DIR/route_status_redirect.conf;
    include $NGINX_CONF_DIR/route_status_api.conf;

    # API backend - route /back/ vers /api/ du backend
    include $NGINX_CONF_DIR/route_back_proxy.conf;

    # WebSocket relay (sdk_relay)
    include $NGINX_CONF_DIR/route_ws.conf;

    # favicon
    include $NGINX_CONF_DIR/route_favicon.conf;

    # blindbit
    include $NGINX_CONF_DIR/route_blindbit.conf;

    # lecoffre-front - Application LeCoffre
    include $NGINX_CONF_DIR/route_lecoffre_redirect.conf;
    include $NGINX_CONF_DIR/route_lecoffre.conf;
    include $NGINX_CONF_DIR/route_lecoffre_hmr.conf;
    include $NGINX_CONF_DIR/route_next_assets.conf;


    # ihm_client (root) - DOIT être en dernier

    include $NGINX_CONF_DIR/route_ihm_client.conf;
}