# /etc/nginx/nginx.conf
#
# Main nginx configuration: process settings, then one http{} block holding
# shared defaults (TLS, JSON access log, gzip, rate-limit zones, a user-agent
# map) that the site files included at the bottom build on.

# Worker processes run as www-data.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
# Loads every *.conf in modules-enabled; these files typically hold
# load_module lines, so write access to that directory should stay with root.
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # Removes the version number from the Server header and error pages.
    # The product name "nginx" is still sent.
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # TLS Defaults (site blocks can override)
    ##

    # Only TLS 1.2 and 1.3 are offered; TLSv1.0/1.1 are not listed.
    ssl_protocols TLSv1.2 TLSv1.3;
    # The server's cipher order wins for TLS 1.2. No ssl_ciphers is set in this
    # file, so the list is the build default unless a site block defines one.
    ssl_prefer_server_ciphers on;

    ##
    # Logging (JSON)
    ##

    # escape=json escapes variable values, so client-controlled fields
    # (request line, referer, user agent) cannot break out of their JSON string.
    # status, body_bytes_sent and request_time are written unquoted as numbers;
    # upstream_time is quoted.
    # NOTE(review): $request is the full request line, query string included,
    # so tokens or other secrets passed in URLs end up in this log. Check the
    # file's permissions and retention accordingly.
    log_format json escape=json
        '{ "time":"$time_iso8601", "remote_addr":"$remote_addr", "request":"$request", '
        '"status":$status, "body_bytes_sent":$body_bytes_sent, '
        '"referer":"$http_referer", "ua":"$http_user_agent", '
        '"request_time":$request_time, "upstream_time":"$upstream_response_time", '
        '"host":"$host", "uri":"$uri" }';

    access_log /var/log/nginx/access.json json;

    ##
    # Gzip (safe defaults)
    ##

    # NOTE(review): compression is enabled globally, including for
    # application/json and for proxied requests (gzip_proxied any). Compressing
    # TLS responses that contain both a secret and request-influenced data is
    # the precondition for BREACH-style length side channels. Consider turning
    # gzip off in the locations that return such responses.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_vary on;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/javascript
        application/javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml
        font/ttf
        font/otf;

    ##
    # Rate/Conn limit zones (used in site file)
    ##

    # These lines only declare the shared-memory zones. Nothing is limited until
    # a server/location block references them with limit_req / limit_conn.
    # Both zones are keyed on the client address. Presumably nginx faces clients
    # directly. Behind a load balancer or CDN every client would share the
    # proxy's address unless the real client IP is restored first; confirm this.
    limit_req_zone $binary_remote_addr zone=api_rps:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    ##
    # AI bot block map (optional; enforce in server with: if ($block_ai) { return 403; })
    ##

    # Sets $block_ai to 1 when the User-Agent matches the case-insensitive regex.
    # The header is client-supplied, so this filters crawlers that identify
    # themselves honestly; it is not an access control.
    map $http_user_agent $block_ai {
        default 0;
        ~*(GPTBot|ChatGPT-User|OAI-SearchBot|CCBot|ClaudeBot|PerplexityBot) 1;
    }

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    # The sites-enabled glob has no extension filter: every file in that
    # directory is parsed, including stray backups or editor temp files.
    include /etc/nginx/sites-enabled/*;
}