events {
    worker_connections 1024;
}

http {
    # Use Docker's built-in DNS (127.0.0.11) for service name resolution
    # This allows nginx to resolve Docker service names like "tinyauth" and "oidc-whoami"
    resolver 127.0.0.11 valid=10s;
    resolver_timeout 5s;

    server {
        listen 80;
        server_name auth.example.com;

        location / {
            # Use variable to enable dynamic resolution at request time
            set $backend "tinyauth:3000";
            proxy_pass http://$backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
        }
    }

    server {
        listen 80;
        server_name client.example.com;

        location / {
            # Use variable to enable dynamic resolution at request time
            set $backend "oidc-whoami:8765";
            proxy_pass http://$backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
        }
    }
}