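# Nginx configuration for the Aijianhua mini-program backend API service
# Domain: wapi.aijianhua.com
#
# This file declares `upstream`, `map` and `server` blocks, so it has to be
# included from the http {} context of the main nginx.conf.

# Backend Node.js service; `keepalive` keeps up to 64 idle connections to it
# open per worker process.
upstream aijianhua_backend {
    server 127.0.0.1:3330;
    keepalive 64;
}

# Value of the Connection header sent to the backend.
# A hard-coded "upgrade" on every request prevents the upstream keepalive
# pool above from being reused, so "upgrade" is only sent when the client
# actually asked for a protocol upgrade (e.g. WebSocket); otherwise the
# header is cleared, which is what upstream keepalive requires.
map $http_upgrade $aijianhua_connection {
    default upgrade;
    ''      '';
}

# Plain HTTP: redirect everything to HTTPS.
server {
    listen 80;
    server_name wapi.aijianhua.com;

    # $server_name (not $host) is used on purpose: the redirect target is the
    # configured name, never a client-supplied Host header.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name wapi.aijianhua.com;

    # TLS certificate - replace with the real certificate paths.
    # The private key file should be readable by root / the nginx master only.
    ssl_certificate     /etc/nginx/ssl/wapi.aijianhua.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wapi.aijianhua.com.key;

    # TLS tuning.
    # The previous list contained two names that are not OpenSSL cipher
    # suites (ECDHE-RSA-AES256-GCM-SHA512, DHE-RSA-AES256-GCM-SHA512) and one
    # CBC suite; it is replaced with AEAD suites only. ECDSA variants are
    # included so the list keeps working if the certificate is switched from
    # RSA to ECDSA. ssl_ciphers only affects TLS 1.2; TLS 1.3 suites are
    # configured separately by the TLS library.
    # The DHE suite is only usable when DH parameters (ssl_dhparam) are
    # configured.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # Security headers.
    # `always` makes nginx attach them to error responses (4xx/5xx) as well,
    # not only to 2xx/3xx.
    # NOTE: add_header is inherited by a location only if that location
    # declares no add_header of its own; any location that adds a header
    # must repeat this set (see /uploads/ below).
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Logging. The "main" log format must be defined in the http {} context.
    access_log /var/log/nginx/aijianhua_access.log main;
    error_log  /var/log/nginx/aijianhua_error.log warn;

    # Deny access to hidden files and directories (except /.well-known/,
    # which ACME certificate validation needs).
    # These two blocks used to sit after the closing brace of this server,
    # where `location` is not a valid directive; they belong inside it.
    # Regex locations are checked ahead of the plain prefix locations below,
    # so the deny rules also cover paths under /uploads/ and /api/.
    location ~ /\.(?!well-known) {
        deny all;
    }

    # Deny access to sensitive file types (env files, dumps, backups, editor
    # swap files).
    location ~* \.(env|git|sql|bak|old|orig|save|swp)$ {
        deny all;
    }

    # Static files (user uploads served straight from disk).
    location /uploads/ {
        alias /data/nodejs/aijianhua/uploads/;
        expires 30d;

        # This location sets its own add_header, so the server-level security
        # headers would otherwise be dropped here; repeat them explicitly.
        # nosniff matters most for this location because it serves uploaded
        # content.
        add_header Cache-Control "public, immutable" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

        # Request-body limit for this location.
        # NOTE(review): this location only serves files from disk; if uploads
        # are POSTed through /api/, they are bound by the limit in effect
        # there (nginx default 1m), not by this one - confirm where the limit
        # is actually needed.
        client_max_body_size 50M;

        # Hotlink protection. `none` and `blocked` let requests without a
        # Referer through, and the header is client-controlled, so this only
        # reduces casual embedding; it is not an access control.
        valid_referers none blocked server_names ~(\.aijianhua\.com$);
        if ($invalid_referer) {
            return 403;
        }
    }

    # API reverse proxy.
    location /api/ {
        proxy_pass http://aijianhua_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $aijianhua_connection;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; the backend should trust X-Real-IP (or only the last
        # X-Forwarded-For entry) for rate limiting and audit logging.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts.
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Response buffering.
        proxy_buffering on;
        proxy_buffer_size 16k;
        proxy_buffers 4 32k;

        # API responses are never cached by nginx.
        proxy_cache off;
    }

    # Swagger documentation.
    # NOTE(review): this publishes the full API description to anyone who can
    # reach the host. For a production deployment consider limiting it with
    # allow/deny or auth_basic, or not proxying it at all.
    location /api-docs/ {
        proxy_pass http://aijianhua_backend/api-docs/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Health check; not written to the access log.
    location /health {
        proxy_pass http://aijianhua_backend/health;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log off;
    }

    # Root path redirects to the API documentation. The trailing slash
    # matches the /api-docs/ location directly and saves the extra 301 that
    # nginx would issue for /api-docs.
    location = / {
        return 302 /api-docs/;
    }
}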