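# ============================================================
# Nginx HTTP Basic authentication example
# ============================================================
#
# What this shows:
#   - HTTP Basic authentication
#   - Username/password protection
#   - bcrypt and argon2id password hashes (on the Lolly side)
#
# Equivalent Lolly configuration (nesting reconstructed, confirm against
# the Lolly schema):
#   server:
#     security:
#       auth:
#         type: "basic"
#         require_tls: true            # force HTTPS
#         algorithm: "bcrypt"          # or "argon2id"
#         users:
#           - username: "admin"
#             password: "$2a$10$..."   # bcrypt hash
#           - username: "user"
#             password: "$argon2id$..." # argon2id hash
#         realm: "Restricted Area"
#         min_password_length: 8
# ============================================================

# Password file format (htpasswd), generated with htpasswd or openssl.
# Example user file (illustrative values, not usable hashes):
#   admin:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZRGdjGj/n3.qOe.e.r.k
#   user:$6$rounds=5000$salt$hashedpassword
#
# nginx checks these entries through the system crypt() function, so
# whether bcrypt ($2a$/$2y$) or SHA-512 ($6$) entries verify depends on the
# platform's libc; test a login before relying on a scheme. argon2id is
# presumably a Lolly-only format and not usable in an nginx user file.
# Keep the password files outside any served directory and readable only
# by the nginx user.

http {
    # HTTP -> HTTPS redirect.
    # This is the only server on port 80 for this name. Basic credentials
    # are merely base64-encoded, so the authenticated site must not be
    # served over plain HTTP. A second port-80 server with the same
    # server_name would be ignored by nginx ("conflicting server name").
    server {
        listen 80;
        server_name auth.example.com;

        # $host reflects the client's Host header; use the literal host
        # name here if this server also answers for other names.
        return 301 https://$host$request_uri;
    }

    # Authenticated site, HTTPS only.
    # Lolly equivalent: security.auth block with require_tls: true
    server {
        listen 443 ssl;
        server_name auth.example.com;

        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Site-wide authentication, inherited by every location below
        # unless overridden.
        auth_basic           "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # JSON body for authentication failures.
        # NOTE(review): confirm the response still carries the
        # WWW-Authenticate challenge so clients prompt for credentials.
        error_page 401 = @auth_required;

        location / {
            # The Authorization header is forwarded to the backend by
            # default; add `proxy_set_header Authorization "";` if the
            # backend does not need the credentials.
            proxy_pass http://backend:8080;
        }

        # Path-specific realm and user file.
        location /admin {
            auth_basic           "Admin Area";
            auth_basic_user_file /etc/nginx/.admin_htpasswd;
            proxy_pass http://admin-backend:8080;
        }

        # Paths that need no authentication.
        # Prefix match: this also exempts any URI that merely starts with
        # "/public" (e.g. /publicfoo). Use "/public/" or an exact-match
        # location if a narrower exemption is intended.
        location /public {
            auth_basic off;   # disable authentication
            proxy_pass http://backend:8080;
        }

        location @auth_required {
            default_type application/json;
            return 401 '{"error": "Authentication required"}';
        }
    }
}

# Generating passwords:
#
# 1. htpasswd:
#      htpasswd -c /etc/nginx/.htpasswd admin        # -c creates the file and OVERWRITES an existing one
#      htpasswd -B /etc/nginx/.htpasswd admin        # bcrypt
#      htpasswd -B -C 10 /etc/nginx/.htpasswd admin  # bcrypt cost=10 (-C only applies together with -B)
#
# 2. openssl (omit the password argument to be prompted; a password on the
#    command line ends up in shell history and the process list):
#      openssl passwd -apr1    # APR1 (MD5-based; weak, prefer bcrypt or SHA-512)
#      openssl passwd -6       # SHA-512
#
# 3. Python (bcrypt):
#      import bcrypt
#      hashed = bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10))
#
# 4. Go (argon2id):
#      Lolly supports argon2id and bcrypt by default
#
# 5. Hash formats:
#      bcrypt:   $2a$10$<22-char salt><31-char hash>   (no "$" between salt and hash)
#      argon2id: $argon2id$v=19$m=65536,t=3,p=2$salt$hash
#      APR1:     $apr1$salt$hash
#      SHA-512:  $6$salt$hash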