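#!/bin/bash
#
# Puts nginx in front of the API as an HTTPS reverse proxy using a
# self-signed certificate.
#
# Usage: sudo bash setup-https.sh   (run from the project root, where
#        nginx-https-proxy.conf lives)
#
# Steps: create the certificate directory, generate a self-signed key and
# certificate, install the nginx site config, validate it, restart nginx,
# open the firewall, then probe the health endpoint over loopback.
#
# Security notes:
#   - The certificate is self-signed and identifies the host only through
#     the subject CN, so clients cannot authenticate the server with it.
#     It is meant for testing; the closing message recommends a Let's
#     Encrypt certificate for production.
#   - Every run overwrites the existing key and certificate in SSL_DIR.

set -u

readonly SERVER_ADDR="104.244.91.212"
readonly SSL_DIR="/etc/nginx/ssl"
readonly SSL_KEY="${SSL_DIR}/server.key"
readonly SSL_CRT="${SSL_DIR}/server.crt"
readonly SITE_SRC="nginx-https-proxy.conf"
readonly SITE_AVAILABLE="/etc/nginx/sites-available/api-https"
readonly SITE_ENABLED_DIR="/etc/nginx/sites-enabled/"

# Prints a three-line section header followed by a blank line.
banner() {
  echo "========================================"
  echo "$1"
  echo "========================================"
  echo ""
}

banner " 配置 HTTPS 反向代理"

# Everything below writes under /etc/nginx and restarts a system service.
if [ "$EUID" -ne 0 ]; then
  echo "❌ 请使用 sudo 运行此脚本"
  echo " sudo bash setup-https.sh"
  exit 1
fi

echo "📋 步骤 1/5: 创建 SSL 证书目录"
if ! mkdir -p -- "${SSL_DIR}"; then
  echo "❌ 无法创建目录: ${SSL_DIR}"
  exit 1
fi
echo "✓ 目录已创建: ${SSL_DIR}"
echo ""

echo "📋 步骤 2/5: 生成自签名 SSL 证书"
# -nodes leaves the private key unencrypted on disk so nginx can load it
# unattended; file permissions are therefore its only protection. The key
# is generated under umask 077 so a new file is never group- or
# world-readable, and the explicit chmod also tightens a key file left
# behind by an earlier run. The certificate is public and stays readable.
if (
  umask 077
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "${SSL_KEY}" \
    -out "${SSL_CRT}" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=${SERVER_ADDR}"
) && chmod 600 "${SSL_KEY}" && chmod 644 "${SSL_CRT}"; then
  echo "✓ SSL 证书生成成功"
else
  echo "❌ SSL 证书生成失败"
  exit 1
fi
echo ""

echo "📋 步骤 3/5: 配置 Nginx"
# The site config is resolved relative to the current directory.
if [ ! -f "${SITE_SRC}" ]; then
  echo "❌ 找不到 nginx-https-proxy.conf 文件"
  echo " 请确保在项目根目录运行此脚本"
  exit 1
fi

# Install the config and enable it. A failure here (for example a missing
# sites-available directory) must stop the run rather than report success.
if ! cp -- "${SITE_SRC}" "${SITE_AVAILABLE}" \
  || ! ln -sf -- "${SITE_AVAILABLE}" "${SITE_ENABLED_DIR}"; then
  echo "❌ Nginx 配置安装失败"
  exit 1
fi
echo "✓ Nginx 配置已更新"
echo ""

echo "📋 步骤 4/5: 测试 Nginx 配置"
# Validate before restarting so a broken config never takes nginx down.
if nginx -t; then
  echo "✓ Nginx 配置测试通过"
else
  echo "❌ Nginx 配置测试失败,请检查配置文件"
  exit 1
fi
echo ""

echo "📋 步骤 5/5: 重启 Nginx"
if systemctl restart nginx; then
  echo "✓ Nginx 已重启"
else
  echo "❌ Nginx 重启失败"
  exit 1
fi

echo ""
banner " 配置防火墙"

# NOTE(review): only 443/tcp is opened here, while the health probe and the
# URL printed at the end both use port 8060. The proxy config is not visible
# from this script; confirm which port nginx listens on and open that one.
if command -v ufw > /dev/null 2>&1; then
  echo "配置防火墙允许 443 端口..."
  if ufw allow 443/tcp; then
    echo "✓ 防火墙已配置"
  else
    echo "⚠️ 防火墙配置失败,请手动允许 443 端口"
  fi
else
  echo "⚠️ 未检测到 ufw,请手动配置防火墙允许 443 端口"
fi

echo ""
banner " 验证配置"

echo "测试 HTTPS 连接..."
sleep 2

# -k skips certificate verification: the certificate is self-signed and was
# issued for SERVER_ADDR, not 127.0.0.1. The probe only goes to loopback and
# shows that the listener answers; it says nothing about certificate trust.
# --max-time keeps a hung listener from stalling the script.
if curl -k -s --max-time 10 https://127.0.0.1:8060/health > /dev/null 2>&1; then
  echo "✓ HTTPS 健康检查成功"
else
  echo "⚠️ HTTPS 健康检查失败,请检查后端服务是否运行"
fi

echo ""
banner " 配置完成!"

echo "✅ HTTPS 已成功配置"
echo ""
echo "📝 接下来的步骤:"
echo "1. 确保后端服务运行在 8060 端口"
echo "2. 访问 https://${SERVER_ADDR}:8060/health 测试"
# Step 3 asks users to click through the browser warning, which is expected
# for a self-signed certificate and is why this setup is for testing only.
echo "3. 如果看到安全警告,点击'高级' → '继续访问'"
echo "4. 前端会自动使用 HTTPS API"
echo ""
echo "🔍 查看日志:"
echo " sudo tail -f /var/log/nginx/api_error.log"
echo ""
echo "⚠️ 注意:"
echo " - 自签名证书会在浏览器显示警告"
echo " - 生产环境建议使用 Let's Encrypt 证书"
echo ""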