server {
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.html index.htm;

    # Logs
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Servir archivos estáticos PRIMERO (antes de proxy usuarios)
    location ~ ^/(images|lib|css|js|fonts|locale|calendar)/ {
        try_files $uri =404;

        # No cache para desarrollo
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Pragma "no-cache";
        expires -1;
    }

    # Proxy para Radicale según documentación oficial
    location /radicale/ {
        proxy_pass http://radicale:5232/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Script-Name /radicale;
        proxy_set_header X-Forwarded-Prefix /radicale;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_request_headers on;

        # Configuraciones de proxy para evitar truncamiento
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
        client_max_body_size 10M;
        proxy_max_temp_file_size 0;

        # Headers WebDAV específicos
        proxy_set_header Depth $http_depth;
        proxy_set_header Destination $http_destination;
        proxy_set_header Overwrite $http_overwrite;

        # CORS headers para WebDAV
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, REPORT" always;
        add_header Access-Control-Allow-Headers "Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Authorization, Destination, Overwrite" always;
        add_header Access-Control-Expose-Headers "ETag, DAV" always;
        add_header Access-Control-Allow-Credentials "true" always;

        # Preflight requests
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    # Servir archivos estáticos de InfCloud
    location / {
        try_files $uri $uri/ /index.html;

        # No cache para desarrollo
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Pragma "no-cache";
        expires -1;
    }

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
}