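# ============================================================
# Nginx virtual host configuration example
# ============================================================
#
# What this file shows:
# - Several domains served by a single nginx process
# - Independent per-domain settings (SSL, proxying, static files)
# - Multiple services distinguished by server name and port
#
# Equivalent Lolly configuration:
# servers:
#   - listen: ":8080"
#     name: "api.example.com"
#     proxy:
#       - path: "/api"
#         targets:
#           - url: "http://backend:8080"
#     ssl:
#       cert: "/path/to/api.cert.pem"
#       key: "/path/to/api.key.pem"
#   - listen: ":8443"
#     name: "static.example.com"
#     static:
#       - path: "/"
#         root: "/var/www/static"
# ============================================================

# Virtual host for the API service
server {
    listen 80;
    # On nginx 1.25.1 and later the `http2` listen parameter is deprecated
    # in favour of a separate `http2 on;` directive.
    listen 443 ssl http2;
    server_name api.example.com;

    # SSL settings
    # Lolly equivalent: the ssl configuration block
    ssl_certificate     /etc/nginx/ssl/api.example.com.crt;
    # The private key should be readable only by the user that starts nginx.
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # With OpenSSL this list governs the TLSv1.2 suites; TLSv1.3 suites are
    # configured separately. Both entries are ECDHE + AES-GCM.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Resumption goes through the shared cache above, so there are no
    # session-ticket keys to rotate.
    ssl_session_tickets off;

    # HTTP to HTTPS redirect
    # Lolly equivalent: can be handled automatically by the ssl configuration
    # $host comes from the request's Host header. Define a separate catch-all
    # default_server so that requests for unknown names never reach this block
    # and get their Host value reflected in the Location header.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # API proxy
    location / {
        proxy_pass http://api-backend:8080;
        # The api-backend upstream declares `keepalive 16`; idle upstream
        # connections are only reused when the request is HTTP/1.1 and the
        # Connection header is cleared.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend must trust only the last entry (or use
        # X-Real-IP) when it makes decisions based on the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Health check endpoint
    location /health {
        proxy_pass http://api-backend:8080/health;
        # Same upstream keepalive requirements as the main proxy location.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        access_log off;
    }
}

# Virtual host for static file serving
server {
    # NOTE(review): unlike the API host, this host has no HTTP-to-HTTPS
    # redirect, so content is also served in plaintext on port 80. Confirm
    # that this is intended.
    listen 80;
    listen 443 ssl http2;
    server_name static.example.com www.static.example.com;

    ssl_certificate     /etc/nginx/ssl/static.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/static.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/static;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to hidden files
    # Regex locations are tried in the order they appear and the first match
    # wins, so this rule must come before the asset-caching regex below.
    # Otherwise a dot-path that ends in a cached extension (for example a
    # hidden directory containing a .js or .png file) would be served.
    # This rule also covers /.well-known/; add a more specific location if
    # that path has to be reachable.
    location ~ /\. {
        deny all;
    }

    # Static asset caching
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
        expires 7d;
        add_header Cache-Control "public";
    }
}

# Virtual host for the admin console (distinguished by port)
server {
    # NOTE(review): this listener is plain HTTP, so admin sessions are
    # unencrypted on the internal network. Confirm that is acceptable.
    listen 8080;
    server_name admin.example.com;

    # IP access control
    # Lolly equivalent: the security.access configuration
    # allow/deny are evaluated against the connecting address. If nginx sits
    # behind another proxy or load balancer, that is the proxy's address, not
    # the end user's.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;

    location / {
        proxy_pass http://admin-backend:3000;
        proxy_set_header Host $host;
    }
}

# Backend server groups
upstream api-backend {
    server api1:8080;
    server api2:8080;
    # Maximum number of idle keepalive connections kept per worker process.
    keepalive 16;
}

upstream admin-backend {
    server admin:3000;
}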