server {
    listen 80;
    server_name survey.atomic6.net;

    # Let's Encrypt challenge path
    location /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    # Redirect all other traffic to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    http2 on;
    server_name survey.atomic6.net;
    add_header X-Debug-Server "survey-config";

    ssl_certificate /etc/letsencrypt/live/survey.atomic6.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/survey.atomic6.net/privkey.pem;

    # LimeSurvey proxy
    location / {
        proxy_pass http://192.168.1.208:8080;

        # CRITICAL HEADERS for LimeSurvey
        proxy_set_header Host $host;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443;

        # LimeSurvey specific headers
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-Ssl on;

        # Timeouts
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

    # Cache static files
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        proxy_pass http://192.168.1.208:8080;
        proxy_set_header Host $host;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}