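# yh_web reverse proxy: forces HTTPS; TLS certificates are stored in a
# separate per-domain directory.
# Certificate path: /etc/ssl/yh_web/yuheng.yuxindazhineng.com/
# Deployment: copy into /etc/nginx/conf.d/ (or include from nginx.conf), then
#   nginx -t && systemctl reload nginx
#
# NOTE: this file must keep one directive per line. If it is collapsed onto a
# single line, the leading '#' turns the whole configuration into a comment
# and nginx loads no server blocks from it.

# HTTP -> HTTPS forced redirect
server {
    listen 80;
    listen [::]:80;
    server_name yuheng.yuxindazhineng.com;

    # $server_name (not $host) keeps the redirect target fixed to the
    # configured name rather than echoing the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}

# HTTPS
server {
    # On nginx >= 1.25.1 the "http2" listen parameter is deprecated in favour
    # of a separate "http2 on;" directive; kept as-is for older versions.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yuheng.yuxindazhineng.com;

    # Certificates are stored in a directory named after the domain.
    # privkey.pem should be readable only by the account that starts nginx.
    ssl_certificate     /etc/ssl/yh_web/yuheng.yuxindazhineng.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/yh_web/yuheng.yuxindazhineng.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # HSTS: the port-80 redirect only helps after a plaintext request has
    # already been sent; this header tells browsers to use HTTPS directly on
    # later visits. "always" also sets it on error responses. Scoped to this
    # host only (no includeSubDomains). Adding any add_header inside a
    # location below would stop this one from being inherited there.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Front-end site
    location / {
        proxy_pass http://127.0.0.1:9528;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For value the client sent, so earlier entries are
        # client-controlled. NOTE(review): if no trusted proxy sits in front
        # of this server, backends should rely on X-Real-IP (or only the last
        # X-Forwarded-For entry) for logging and access decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Admin console. The trailing slash on proxy_pass replaces the /admin/
    # prefix with / before the request is forwarded.
    # NOTE(review): no allow/deny or auth_basic is configured here, so this
    # location is reachable from any client address and access control rests
    # entirely on the backend at :9529 - confirm that is intended, or restrict
    # by source address at the proxy.
    location /admin/ {
        proxy_pass http://127.0.0.1:9529/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # API (host port 9537; used instead of 9527 when 9527 conflicts).
    # The trailing slash on proxy_pass replaces the /api/ prefix with /.
    location /api/ {
        proxy_pass http://127.0.0.1:9537/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}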