# Docker Registry Nginx Configuration
# Port 443: Unauthenticated pulls (GET requests only)
# Port 4443: Authenticated operations (login, logout, push, delete, etc.)

# Upstream Docker Registry
upstream registry {
    server registry:5000;
}

# HTTP server for unauthenticated pulls on port 443
server {
    listen 443 ssl http2;
    server_name _;

    # SSL Configuration
    ssl_certificate /etc/registry/certs/registry.crt;
    ssl_certificate_key /etc/registry/certs/private/registry.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Block all write operations explicitly
    if ($request_method !~ ^(GET|HEAD)$) {
        return 405 "Method Not Allowed";
    }

    # Allow all GET requests to v2 API (Docker Registry itself will handle security)
    location /v2/ {
        proxy_pass http://registry;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
        proxy_connect_timeout 60;
        proxy_send_timeout 60;
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Default location - deny all
    location / {
        return 404;
    }

    # Logging
    access_log /var/log/nginx/registry_access.log;
    error_log /var/log/nginx/registry_error.log;
}

# HTTPS server for authenticated operations on port 4443
server {
    listen 4443 ssl http2;
    server_name _;

    # SSL Configuration
    ssl_certificate /etc/registry/certs/registry.crt;
    ssl_certificate_key /etc/registry/certs/private/registry.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Basic authentication for write operations
    location ~ ^/v2/.*$ {
        # Require auth for all v2 API operations
        auth_basic "Docker Registry";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://registry;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
        proxy_connect_timeout 60;
        proxy_send_timeout 60;
    }

    # Default location - deny all
    location / {
        return 404;
    }

    # Logging
    access_log /var/log/nginx/registry_auth_access.log;
    error_log /var/log/nginx/registry_auth_error.log;
}

# Redirect HTTP to HTTPS (optional - for port 80 if needed)
server {
    listen 80;
    server_name _;
    return 301 https://$server_name$request_uri;
}