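# pdftract nginx reverse-proxy configuration example
#
# DEPLOYMENT MODEL:
# This config assumes pdftract serve is bound to 127.0.0.1:8080 with NO AUTHENTICATION.
# nginx provides TLS termination, HTTP Basic Authentication, and acts as the security boundary.
# The pdftract server itself should never be exposed directly to the internet.
#
# USAGE:
# 1. Replace pdftract.example.com with your actual hostname
# 2. Update SSL certificate paths to your actual certs
# 3. Generate htpasswd file: htpasswd -c /etc/nginx/htpasswd-pdftract yourusername
# 4. Test: nginx -t
#    (this file lives under conf.d and is included by the main nginx.conf inside the
#    http {} context; passing it directly with -c would fail because upstream/server
#    blocks are not valid at the top level of a main config)
# 5. Reload: nginx -s reload
#
# SECURITY NOTES:
# - /health endpoint is exempt from auth (allows monitoring scrapes)
# - Only /extract and /health are proxied; all other paths return 404
# - pdftract serve MUST bind to 127.0.0.1, not 0.0.0.0
# - Basic Auth credentials are only ever accepted over TLS (no plaintext listener here);
#   HSTS is sent so browsers do not downgrade to http:// on later visits

upstream pdftract_backend {
    server 127.0.0.1:8080;
    # Pool of idle upstream connections. Only effective when the proxied
    # locations also set proxy_http_version 1.1 and clear the Connection header.
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name pdftract.example.com;

    ssl_certificate     /etc/ssl/certs/pdftract.crt;
    ssl_certificate_key /etc/ssl/private/pdftract.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Tell clients to keep using HTTPS; "always" ensures the header is also
    # sent on 401/404 responses produced by this server block.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # PDF uploads can be large; extraction can be slow.
    client_max_body_size 256m;
    proxy_read_timeout   300s;

    # Credentials required by default for every location in this server.
    auth_basic           "pdftract";
    auth_basic_user_file /etc/nginx/htpasswd-pdftract;

    # Prefix match: also covers sub-paths such as /extract/... (nginx semantics).
    # Change to `location = /extract` if the backend only serves the exact path.
    location /extract {
        proxy_pass http://pdftract_backend;

        # Required for the upstream keepalive pool to be used at all.
        proxy_http_version 1.1;
        proxy_set_header   Connection "";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /health {
        proxy_pass http://pdftract_backend;

        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host $host;

        auth_basic off;   # monitoring should not need credentials
        access_log off;
    }

    # Deny everything else
    location / {
        return 404;
    }
}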