# =============================================================================
# 企微IT智能服务台 — Nginx 配置（NAS + Cloudflare Tunnel 版）
# =============================================================================
# 与标准 nginx.conf 的区别：
#   1. 移除 / 根路径反代到 IT 数据查询平台（NAS 上没有此服务）
#   2. 增加 Cloudflare 真实 IP 还原（CF-Connecting-IP）
#   3. 增加 HSTS 和安全头（通过 Tunnel 时客户端是 HTTPS）
#   4. 增加 /api/wecom/callback 路径用于企微消息回调
# =============================================================================

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # ------------------------------------------------------------------
    # 日志格式（增加 CF 真实 IP）
    # ------------------------------------------------------------------
    log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';

    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    # ------------------------------------------------------------------
    # 基础配置
    # ------------------------------------------------------------------
    sendfile           on;
    tcp_nopush        on;
    tcp_nodelay       on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 50m;   # 支持文件上传（企微媒体文件）

    # ------------------------------------------------------------------
    # Gzip 压缩（前端静态资源）
    # ------------------------------------------------------------------
    gzip            on;
    gzip_vary      on;
    gzip_min_length 1024;
    gzip_types      text/plain text/css text/xml text/javascript
                   application/javascript application/xml+rss
                   application/json application/ld+json;

    # =================================================================
    # 上游服务定义（Docker 内部网络）
    # =================================================================
    upstream backend_api {
        server backend:8000;
    }

    # =================================================================
    # 主服务：监听 80 端口（Cloudflare Tunnel 终止 SSL，容器内走 HTTP）
    # =================================================================
    server {
        listen 80;
        server_name itdesk.amanzac.com;

        # ------------------------------------------------------------------
        # 安全头（通过 Cloudflare Tunnel 时客户端是 HTTPS）
        # ------------------------------------------------------------------
        # 告诉浏览器只通过 HTTPS 访问（通过 Cloudflare 的 HSTS 配置更佳）
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # ------------------------------------------------------------------
        # 健康检查端点（用于 Docker healthcheck）
        # ------------------------------------------------------------------
        location = /itdesk/health {
            access_log off;
            return 200 "healthy\n";
            add_header Content-Type text/plain;
        }

        # ------------------------------------------------------------------
        # H5 员工端 — /itdesk/
        # ------------------------------------------------------------------
        location /itdesk/ {
            alias /usr/share/nginx/html/itdesk/;
            index index.html;
            try_files $uri /itdesk/index.html;
        }

        # ------------------------------------------------------------------
        # 坐席工作台 — /itagent/
        # ------------------------------------------------------------------
        location /itagent/ {
            alias /usr/share/nginx/html/itagent/;
            index index.html;
            try_files $uri /itagent/index.html;
        }

        # ------------------------------------------------------------------
        # 后端 API — /api/
        # ------------------------------------------------------------------
        location /api/ {
            proxy_pass http://backend_api/;
            proxy_set_header Host $host;
            # Cloudflare 真实 IP 还原
            proxy_set_header X-Real-IP $http_cf_connecting_ip;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Cloudflare Tunnel 终止 SSL，告知后端原始协议是 HTTPS
            proxy_set_header X-Forwarded-Proto https;

            # 超时设置（AI 回复可能较慢）
            proxy_connect_timeout 60s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
        }

        # ------------------------------------------------------------------
        # WebSocket — /ws/（坐席端实时通信）
        # ------------------------------------------------------------------
        location /ws/ {
            proxy_pass http://backend_api;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $http_cf_connecting_ip;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_read_timeout 86400s;  # WebSocket 长连接
        }

        # ------------------------------------------------------------------
        # 默认路径 — 重定向到 H5 员工端
        # ------------------------------------------------------------------
        location = / {
            return 302 /itdesk/;
        }
    }
}