# ============================================
# 客户系统 Nginx配置文件
# 服务器: 36.140.67.217
# 部署路径: /var/www/customer-system
# 
# 安装方法:
# 1. 将此文件复制到服务器: /etc/nginx/conf.d/customer-system.conf
# 2. 测试配置: nginx -t
# 3. 重启服务: systemctl restart nginx
# ============================================

server {
    listen 9002;
    server_name 36.140.67.217 localhost;
    
    # 网站根目录
    root /deploy/code/front;
    index index.html index.htm;

    # 日志配置
    access_log /var/log/nginx/customer-system.access.log;
    error_log /var/log/nginx/customer-system.error.log;

    # Gzip压缩配置
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript 
               application/javascript application/xml application/json
               application/x-font-ttf application/x-font-woff
               image/svg+xml;

    # 静态资源缓存 - JS/CSS/字体/图片长期缓存
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
        
        # 允许跨域访问字体文件
        add_header Access-Control-Allow-Origin *;
    }

    # HTML文件不缓存 - 确保用户总是获取最新版本
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
    }

    location /api/ {
        proxy_pass http://127.0.0.1:9031;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SPA单页应用路由支持
    # 所有路由都返回index.html，由前端路由处理
    location / {
        try_files $uri $uri/ /index.html;
    }

    # 安全头配置
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # 禁止访问隐藏文件
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # 错误页面
    error_page 404 /index.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

# ============================================
# HTTPS配置 (可选 - 需要SSL证书)
# ============================================
# server {
#     listen 443 ssl http2;
#     server_name 36.140.67.217;
#     
#     ssl_certificate /etc/nginx/ssl/customer-system.crt;
#     ssl_certificate_key /etc/nginx/ssl/customer-system.key;
#     ssl_session_timeout 1d;
#     ssl_session_cache shared:SSL:50m;
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
#     ssl_prefer_server_ciphers off;
#     
#     # ... 其他配置同上
# }
# 
# # HTTP重定向到HTTPS
# server {
#     listen 80;
#     server_name 36.140.67.217;
#     return 301 https://$server_name$request_uri;
# }