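# Redirect HTTP to HTTPS (Strongly Recommended for security)
server {
    listen 80;
    listen [::]:80;
    server_name your.domain.com; # <--- **REPLACE with your actual domain name**

    # Redirect all HTTP requests to HTTPS.
    # $host is taken from the incoming request. If this block can end up as the
    # default server for port 80, put the literal domain in the redirect target
    # so an arbitrary Host header is never reflected back.
    return 301 https://$host$request_uri;
}

# HTTPS Server Block for Immich
server {
    # On nginx 1.25.1 and later the "http2" listen parameter is deprecated in
    # favour of a separate "http2 on;" directive; it still works but logs a warning.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your.domain.com; # <--- **REPLACE with your actual domain name**

    # --- SSL Certificate Configuration ---
    # **REPLACE these paths with your actual Let's Encrypt certificate paths**
    # You can usually find these in /etc/letsencrypt/live/your.domain.com/
    ssl_certificate     /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;

    # Pin the protocol versions explicitly: without this (or the Certbot include
    # below) older nginx builds still negotiate TLSv1 and TLSv1.1 by default.
    # Remove this line if you enable the Certbot include, which sets it as well
    # (nginx rejects a duplicate directive).
    ssl_protocols TLSv1.2 TLSv1.3;

    # Optional: Include common SSL settings provided by Certbot/Nginx
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # If you have one from Certbot

    # --- Nginx Proxy Configuration for Immich ---
    location / {
        # Pass all requests to your Immich server container
        # **REPLACE this with your Immich server's actual IP and port**
        # Note: The backend connection is HTTP here, as Immich typically runs HTTP
        # internally. Traffic on this hop is unencrypted, so keep it on the same
        # host or on a network you trust.
        proxy_pass http://immich-server-ip:3001;

        # WebSocket upgrades need HTTP/1.1 on the upstream connection; nginx has
        # historically proxied with HTTP/1.0 unless told otherwise.
        proxy_http_version 1.1;

        # Headers for correct proxying and authentication
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx actually saw on the connection.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent, so the left-most entries are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme; # Tells Immich the original protocol was HTTPS
        # nginx forwards the Authorization request header by default; this line
        # only makes that explicit.
        proxy_set_header Authorization $http_authorization;
        proxy_set_header Upgrade $http_upgrade; # Needed for WebSockets
        proxy_set_header Connection "upgrade";  # Needed for WebSockets

        # Optional: adjust proxy timeouts if you have large files or slow connections
        proxy_read_timeout 300s;
        # The nginx documentation notes the connect timeout usually cannot exceed 75s.
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;

        # Optional: If you see issues with large file uploads
        # 0 disables the request-body size check entirely. On an internet-facing
        # host, prefer a specific limit like 50G so a single request cannot
        # stream an unbounded body to the backend.
        client_max_body_size 0;
    }

    # Immich also has a separate microservices container.
    # While the main UI goes through the server, sometimes specific APIs might need direct routing.
    # This is often handled by the main proxy_pass, but if you have issues,
    # you might need a separate location block for /api/ like this:
    #
    # location /api/ {
    #     proxy_pass http://immich-microservices-ip:3002; # REPLACE with actual IP:PORT
    #     proxy_http_version 1.1;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Authorization $http_authorization;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "upgrade";
    # }
}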