server {
    server_name iiko-app.dev.xserver.su;

    # HSTS (защита от понижения HTTPS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Защитные заголовки
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy strict-origin-when-cross-origin;

    location / {
        allow 80.68.9.83;
        allow 185.51.125.202;

        # Локальные сети
        allow 192.168.0.0/16;    # 192.168.0.0 - 192.168.255.255
        allow 10.0.0.0/8;        # 10.0.0.0 - 10.255.255.255
        allow 172.16.0.0/12;     # 172.16.0.0 - 172.31.255.255

        allow fd00::/8;          # IPv6 ULA (аналог приватных IPv4)
        allow fe80::/10;         # IPv6 link-local

        # Localhost
        allow 127.0.0.0/8;       # 127.0.0.0 - 127.255.255.255
        allow ::1;               # IPv6 localhost

        # Docker сети (если используете)
        allow 172.17.0.0/16;
        allow 172.18.0.0/16;

        deny all;

        proxy_pass         http://127.0.0.1:7104;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    location /phpmyadmin/ {
        allow 80.68.9.83;
        allow 185.51.125.202;

        # Локальные сети
        allow 192.168.0.0/16;    # 192.168.0.0 - 192.168.255.255
        allow 10.0.0.0/8;        # 10.0.0.0 - 10.255.255.255
        allow 172.16.0.0/12;     # 172.16.0.0 - 172.31.255.255

        allow fd00::/8;          # IPv6 ULA (аналог приватных IPv4)
        allow fe80::/10;         # IPv6 link-local

        # Localhost
        allow 127.0.0.0/8;       # 127.0.0.0 - 127.255.255.255
        allow ::1;               # IPv6 localhost

        # Docker сети (если используете)
        allow 172.17.0.0/16;
        allow 172.18.0.0/16;

        deny all;

        proxy_pass http://127.0.0.1:7102/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/iiko-app.dev.xserver.su/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iiko-app.dev.xserver.su/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = iiko-app.dev.xserver.su) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name iiko-app.dev.xserver.su;
    return 404;
}