server {                                                                                                                                                                                                                                                                                                                
    listen       443 ssl proxy_protocol;
    server_name  seafile.yizhisec.com cloud.hybridscope.com seafile-yizhise-com cloud-hybridscope-com;

    ssl_certificate      /etc/nginx/ssl/client.server.crt;
    ssl_certificate_key  /etc/nginx/ssl/client.server.key;

    ssl_session_timeout 1d; 
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_trusted_certificate /etc/nginx/ssl/client.ca.crt;
    ssl_client_certificate /etc/nginx/ssl/client.ca.crt;
    ssl_verify_client on; 

    client_max_body_size 500M;

#   location = /auth-sharing {
#       internal;
#       proxy_pass http://client-service:9129/api/auth-sharing;
#       proxy_http_version 1.1;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length ""; 
#       proxy_set_header X-Original-URI $request_uri;
#   }   

    location /f/ {
        rewrite ^(.+[^/])$ $1/ last;  # 补上末尾的 /，避免重定向两次
        # auth_request /auth-sharing;
        # proxy_pass http://hs-openresty:13381;
        proxy_pass http://seafile-service.seafile;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }   

	location /api/v1/ {
		proxy_pass http://backup-seafile-service.seafile:9027;
		proxy_http_version 1.1;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_read_timeout 300s;
	} 

    location /api2/ {
        # proxy_pass http://hs-resource-server:19980;
        proxy_pass http://seafile-service.seafile;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }

    location /api/v2.1/ {
        # proxy_pass http://hs-resource-server:19980;
        proxy_pass http://seafile-service.seafile;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_read_timeout 300s;
    }

    location /seafhttp/ {
        # proxy_pass http://hs-resource-server:19980;
        proxy_pass http://seafile-service.seafile;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }
}