server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # API and WebSocket requests must never reach nginx — Traefik routes them to backend.
    # If they do arrive here, return 502 so the misconfiguration is visible.
    location /api/ {
        return 502 "nginx should not serve /api — check Traefik routing priorities";
    }
    location /socket.io/ {
        return 502 "nginx should not serve /socket.io — check Traefik routing priorities";
    }

    # SPA fallback — all other paths serve index.html (never cached)
    location / {
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Cache static assets aggressively
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Never cache index.html
    location = /index.html {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
}