include apigw_backends.conf;
include apigw_keys.conf;

server {
    access_log /var/log/nginx/apigw_access.log main;
        error_log /var/log/nginx/apigw_error.log warn;

    listen 80;
    # listen 443 ssl;
    # server_name apigw_svc; # container name from stack config
    # server_name api.example.com;

    # TLS config
    # ssl_certificate      /etc/ssl/certs/apigw.example.com.crt;
    # ssl_certificate_key  /etc/ssl/private/apigw.example.com.key;
    # ssl_session_cache    shared:SSL:10m;
    # ssl_session_timeout  5m;
    # ssl_ciphers          HIGH:!aNULL:!MD5;
    # ssl_protocols        TLSv1.2 TLSv1.3;

    # API definitions, one per file
    include apigw_conf.d/*.conf;

    # Error responses
    # error_page 404 = @400;         # Treat invalid paths as bad requests
    proxy_intercept_errors on;     # Do not send backend errors to client
    include apigw_json_errors.conf;  # API client-friendly JSON errors
    default_type application/json; # If no content-type, assume JSON

    # API key validation
    location = /_validate_apikey {
        internal;

        if ($http_apikey = "") {
            return 401; # Unauthorized
        }
        if ($apigw_client_name = "") {
            return 403; # Forbidden
        }

        return 204; # OK (no content)
    }
}