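# Paste into NginxProxyManager → your proxy host → "Advanced" tab.
#
# Forward Hostname/IP and Forward Port are set normally via the UI (point at
# the LXC's internal IP, port 8080). This snippet only adds header-based auth.

# 1. API key. Replace with a long random value (>= 32 chars).
#    Generate one with: openssl rand -hex 32
#    The key sits in this configuration in plaintext, so treat the proxy
#    host's config (and any export or backup of it) as a secret.
set $weircon_api_key "REPLACE_WITH_A_LONG_RANDOM_API_KEY";

# 1b. Fail closed on an empty or unreplaced key.
#     An empty key would compare equal to an absent X-Weircon-Random-Ip header
#     (the variable is empty when the header is missing), so every
#     unauthenticated request would pass the gate. An unreplaced placeholder
#     is a publicly known value. Both cases are refused outright.
if ($weircon_api_key ~ "^(REPLACE_WITH_.*)?$") {
    return 500;
}

# 2. Auth gate. Pass if either (a) the API key matches, or (b) it's a
#    request for the built-in /ui tester page (second "if" below — comment it
#    out if you want the UI itself to require the key too).
set $weircon_auth_ok 0;

if ($http_x_weircon_random_ip = $weircon_api_key) {
    set $weircon_auth_ok 1;
}

# The exemption is matched against $uri (nginx's decoded, dot-segment-resolved
# path) rather than the raw $request_uri. A raw-URI match would also accept
# paths that merely begin with /ui/ and then climb back out with ".." or an
# encoded equivalent, which the backend might resolve to a non-UI endpoint.
# Everything the backend serves under /ui/ is reachable without the key, and
# the match is case-insensitive.
if ($uri ~* "^/ui(/|$)") {
    set $weircon_auth_ok 1;
}

if ($weircon_auth_ok = 0) {
    return 401;
}

# 3. Strip the auth header before forwarding — backend should never see it.
#
#    NOTE(review): nginx inherits proxy_set_header from this level only if the
#    location that actually proxies defines no proxy_set_header of its own.
#    If the location block NPM generates sets any (presumably it does via its
#    stock proxy include — confirm in the rendered config), none of the
#    proxy_set_header lines in 3 and 3b take effect. Verify by sending a test
#    request and checking which headers the backend receives.
proxy_set_header X-Weircon-Random-Ip "";

# 3b. Defense in depth: never forward origin/chain headers. The fetch service
#     also strips these, but clearing them here means they never even reach it.
#     In nginx, an empty value removes the header entirely.
proxy_set_header X-Forwarded-For    "";
proxy_set_header X-Forwarded-Host   "";
proxy_set_header X-Forwarded-Proto  "";
proxy_set_header X-Forwarded-Scheme "";
proxy_set_header X-Forwarded-Port   "";
proxy_set_header X-Real-IP          "";
proxy_set_header Forwarded          "";
proxy_set_header Via                "";

# 4. Generous timeouts: upstream fetches can be slow.
proxy_connect_timeout 15s;
proxy_send_timeout    60s;
proxy_read_timeout    60s;

# 5. No buffering — let the body stream through.
proxy_buffering         off;
proxy_request_buffering off;
proxy_http_version      1.1;

# 6. Higher body cap in case you ever POST something heavy.
client_max_body_size 32m;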