user  www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections  1024;
}

stream {
    # Map SNI to upstream
    map $ssl_preread_server_name $upstream {
        gateway.fluxer.app      127.0.0.1:9443;  # caddy-gateway via host port
        default                 127.0.0.1:8443;  # main caddy via host port
    }

    # HTTPS SNI router on 443, IPv4 + IPv6
    server {
        listen 443;
        listen [::]:443;
        proxy_pass $upstream;
        ssl_preread on;
        proxy_protocol on;

        proxy_connect_timeout 60s;
        proxy_timeout 1h;
        proxy_buffer_size 16k;
    }

    # HTTP passthrough to main Caddy on 80
    server {
        listen 80;
        listen [::]:80;
        proxy_pass 127.0.0.1:8080;
        proxy_protocol on;

        proxy_connect_timeout 60s;
        proxy_timeout 1h;
        proxy_buffer_size 16k;
    }
}