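# nginx front end for a Django application: proxies dynamic requests to the app
# on 127.0.0.1:8000, serves collected static files directly, and serves files
# under /code/media only via internal redirects (the /protectedMedia/ locations
# are marked `internal`, so the app decides who may fetch them).
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Upload limit enforced before the request is proxied; larger bodies get 413.
    client_max_body_size 100M;

    upstream django {
        server 127.0.0.1:8000;
    }

    server {
        listen 80;
        server_name localhost;

        # Application traffic. $proxy_add_x_forwarded_for appends $remote_addr to
        # any X-Forwarded-For the client already sent, so earlier entries are
        # client-controlled; the app should only trust the last hop unless it
        # knows its trusted proxies. X-Real-IP carries the immediate peer only.
        location / {
            proxy_pass http://django;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Collected static assets. Keep the trailing slash on BOTH the location
        # prefix and the alias path: a prefix location without its trailing slash
        # paired with an alias that has one is the classic alias path-traversal
        # misconfiguration.
        location /static/ {
            alias /code/staticfiles/;
        }

        # Protected PDFs. `internal` means a direct client request for
        # /protectedMedia/... is answered with 404; only an internal redirect
        # (e.g. an X-Accel-Redirect header set by the Django view after it has
        # authorised the download) reaches this block. Regex locations are tried
        # in order of appearance, so this block must stay ahead of the catch-all
        # below. The CSP is meant to deny scripting for PDFs rendered inline by
        # browser viewers; X-Frame-Options limits embedding to this origin.
        location ~ ^/protectedMedia/(.*)\.pdf$ {
            internal;
            alias /code/media/$1.pdf;
            add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            # NOTE(review): on an X-Accel-Redirect nginx passes the upstream's
            # own Content-Disposition through as well, so if the Django view sets
            # one the response may carry two of them — confirm which is intended.
            add_header Content-Disposition "inline" always;
        }

        # Any other protected media file, gated by `internal` exactly as above.
        # Content-Type comes from mime.types based on the extension, so uploaded
        # HTML/SVG would be served as renderable same-origin content; nosniff
        # (added here for parity with the PDF block) at least stops browsers from
        # reinterpreting other types. Restricting allowed extensions or forcing
        # attachment download for non-image types is a policy decision for the app.
        location ~ ^/protectedMedia/(.*)$ {
            internal;
            alias /code/media/$1;
            add_header X-Content-Type-Options nosniff always;
        }
    }
}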