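# Reverse proxy and load balancer in front of the "backend" upstream group.
# The file was collapsed onto two physical lines; because "#" comments run to
# the end of the line, it is restored here to one directive per line.
user nginx;
worker_processes auto;  # Automatically adjust worker processes based on available CPUs

events {
    worker_connections 1024;  # Maximum simultaneous connections per worker
    use epoll;                # Use efficient event handling for Linux
}

http {
    # Do not disclose the nginx version in the Server header or on error pages.
    server_tokens off;

    # Basic security headers.
    # NOTE: add_header directives are inherited by a server/location block only
    # while that block declares no add_header of its own. Adding one there drops
    # every header below for that block unless they are repeated.
    add_header X-Frame-Options SAMEORIGIN always;      # Prevent clickjacking
    add_header X-Content-Type-Options nosniff always;  # Prevent MIME-type sniffing
    # Legacy header: current browsers have removed the XSS auditor and ignore it,
    # so the Content-Security-Policy below is the effective control. OWASP now
    # recommends sending "0" or omitting the header.
    add_header X-XSS-Protection "1; mode=block" always;
    # Browsers honour HSTS only on responses received over HTTPS; it has no
    # effect while the server block below listens on port 80 alone.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self';" always;  # Restrict resource loading to same origin

    # Send "Connection: upgrade" upstream only when the client asked for a
    # protocol upgrade (e.g. WebSocket). Hard-coding "upgrade" would put that
    # header on every proxied request.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Performance and timeouts
    sendfile on;               # Enable sendfile for efficient file serving
    tcp_nopush on;             # Reduce packet overhead
    tcp_nodelay on;            # Minimize latency
    keepalive_timeout 65;      # Keep connections alive for 65 seconds
    client_max_body_size 10m;  # Limit request body size to 10MB
    client_body_timeout 12;    # Seconds to wait between reads of the client body
    client_header_timeout 12;  # Seconds to wait for the full client header

    # Compression
    # NOTE(review): once TLS is enabled, compressing proxied responses that mix
    # secrets (tokens, CSRF values) with reflected request data is the
    # precondition for BREACH-style length side channels. Confirm what the
    # backend returns before keeping "gzip_proxied any".
    gzip on;               # Enable gzip compression
    gzip_disable "msie6";  # Disable gzip for old browsers
    gzip_vary on;          # Add "Vary: Accept-Encoding" header
    gzip_proxied any;      # Enable gzip for proxied requests
    gzip_comp_level 6;     # Compression level
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Load balancing upstream
    upstream backend {
        least_conn;  # Use least connections load balancing strategy
        # max_fails/fail_timeout give passive health checking: a server is taken
        # out of rotation for 5s after 3 failed attempts within 5s.
        server server1:8880 max_fails=3 fail_timeout=5s;
        # Additional servers for scaling (active in this configuration):
        server server2:8880 max_fails=3 fail_timeout=5s;
        server server3:8880 max_fails=3 fail_timeout=5s;
    }

    server {
        # Plain HTTP only. Nothing in this block redirects to HTTPS.
        listen 80;

        # Uncomment the lines below if SSL is configured. To force HTTPS, move
        # "listen 80" into a separate server block that only issues
        # "return 301 https://$host$request_uri;".
        # listen 443 ssl;
        # ssl_certificate /path/to/certificate.crt;
        # ssl_certificate_key /path/to/private.key;

        location / {
            proxy_pass http://backend;  # Proxy traffic to the backend servers
            proxy_http_version 1.1;     # Use HTTP/1.1 for persistent connections
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            # $remote_addr replaces any X-Forwarded-For value supplied by the
            # client, so the backend receives the peer address nginx observed
            # rather than a client-controlled string. If nginx sits behind
            # another proxy, this will be that proxy's address.
            proxy_set_header X-Forwarded-For $remote_addr;
            # No proxy_cache is configured in this file, so this line only takes
            # effect if caching is added later.
            proxy_cache_bypass $http_upgrade;
            proxy_read_timeout 60s;     # Adjust read timeout for backend
            proxy_connect_timeout 60s;  # Adjust connection timeout for backend
            proxy_send_timeout 60s;     # Adjust send timeout for backend
        }

        # Custom error pages
        error_page 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # Deny access to hidden files (e.g., .git)
        # NOTE: this pattern also matches /.well-known/, which ACME HTTP-01
        # certificate validation relies on; add an explicit exception before
        # this block if that path must be served.
        # NOTE(review): "access_log off" hides requests for paths such as
        # /.git or /.env from the access log; consider keeping them logged,
        # since such probes are a useful detection signal.
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
    }
}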