# Nginx HTTPS 反向代理配置
# 将此配置放到服务器的 /etc/nginx/sites-available/ 目录下

# HTTP 重定向到 HTTPS
server {
    listen 80;
    server_name 104.244.91.212;
    
    # 重定向所有 HTTP 请求到 HTTPS
    return 301 https://$server_name$request_uri;
}

# HTTPS 服务器
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 104.244.91.212;
    
    # SSL 证书配置（需要先生成证书）
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    
    # SSL 配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    
    # 日志
    access_log /var/log/nginx/api_access.log;
    error_log /var/log/nginx/api_error.log;
    
    # CORS 头（可选，因为后端已经处理了 CORS）
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
    
    # 处理预检请求
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    
    # API 代理（端口 8060）
    location /api/ {
        proxy_pass http://127.0.0.1:8060;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # WebSocket 支持（如果需要）
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # 超时配置
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
    
    # 健康检查
    location /health {
        proxy_pass http://127.0.0.1:8060;
        proxy_set_header Host $host;
    }
    
    # 根路径
    location / {
        proxy_pass http://127.0.0.1:8060;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ====================================
# 部署步骤：
# ====================================
# 1. 生成自签名证书（开发/测试环境）：
#    sudo mkdir -p /etc/nginx/ssl
#    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#      -keyout /etc/nginx/ssl/server.key \
#      -out /etc/nginx/ssl/server.crt \
#      -subj "/C=US/ST=State/L=City/O=Organization/CN=104.244.91.212"
#
# 2. 复制此配置文件：
#    sudo cp nginx-https-proxy.conf /etc/nginx/sites-available/api-https
#    sudo ln -s /etc/nginx/sites-available/api-https /etc/nginx/sites-enabled/
#
# 3. 测试配置：
#    sudo nginx -t
#
# 4. 重启 Nginx：
#    sudo systemctl restart nginx
#
# 5. 确保防火墙允许 443 端口：
#    sudo ufw allow 443/tcp
#
# ====================================
# 注意事项：
# ====================================
# - 自签名证书会在浏览器中显示安全警告
# - 生产环境建议使用 Let's Encrypt 免费证书
# - 如果使用域名，将 server_name 改为域名