server {
    listen 80;
    return 301 https://$host$request_uri;
}

# upstream hs-backup-server {
#     least_conn;
#     server hs-backup-server:9349 max_fails=3 fail_timeout=10s;
# }

upstream hs-api {
    server api-service:9002;
}

server {
    listen 9002;

    location / {
        proxy_pass http://hs-api;
    }
}

server {
    listen 443 ssl default_server;

    location /api/admin/ {
        return 404;
    }

    location /oem {
        proxy_pass http://oem-service;
    }

    location /api/my/sys/client/installer {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/client/download/list;
    }

    location /api/system/version {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/system/version;
    }

    location /api/v2_2/system/elink {
        proxy_pass http://app-helper-service.hsv2;
    }

    location /api/v2_2/_client/win {
        proxy_pass http://app-helper-service.hsv2;
    }

    location /api/v2_2/_client/mac{
        proxy_pass http://client-mac-service;
    }

    location /api/v2_2/_client/linux{
        proxy_pass http://client-linux-service;
    }

    location / {
        proxy_pass http://front-user-service;
    }

    include /etc/nginx/common/common.conf;

    error_page 497 301 =307 https://$http_host$request_uri;
}

server {
    listen 8443 ssl;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN";  # 或 "DENY"
    add_header Content-Security-Policy "img-src * data:; frame-ancestors 'none';" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header X-Permitted-Cross-Domain-Policies "none";
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Content-Type-Options "nosniff" always;

    server_tokens off;

    location / {
        proxy_pass http://front-admin-service;
    }

    location /api/system/version {
        proxy_pass http://app-helper-service/api/v2_2/system/version;
    }

    location /oem {
        proxy_pass http://oem-service;
    }

    location /api/v2_2/system/elink {
        proxy_pass http://app-helper-service.hsv2;
    }

    location /user/avatar/ {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/_obj/;
    }

    location /api/account/profile/avatar {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/user/profile/avatar/update;
    }

    # create layer4 resource
    location = /api/admin/business-center/network-app/tunnel {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/interceptor/mie/resource4/create/icon$request_uri;
    }

    # update layer4 resource
    location ~ ^/api/admin/business-center/network-app/tunnel/\d+/info$ {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/interceptor/mie/resource4/update/icon$request_uri;
    }

    # create layer7 resource
    location = /api/admin/strategy/osi-resource {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/interceptor/mie/resource7/create/icon$request_uri;
    }

    # update layer7 resource
    location ~ ^/api/admin/strategy/osi-resource/\d+/info$ {
        proxy_pass http://app-helper-service.hsv2/api/v2_2/interceptor/mie/resource7/update/icon$request_uri;
    }

    location /api/v2_1/user {
        proxy_pass http://user-service:9013;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }

    location /api/v2_2/_client/win {
        proxy_pass http://app-helper-service.hsv2;
    }

    location /api/v2_2/_client/mac{
        proxy_pass http://client-mac-service;
    }

    location /api/v2_2/_client/linux{
        proxy_pass http://client-linux-service;
    }

    location /api/v2_2/yosguard {
        proxy_pass http://10.118.2.10:7788;
    }

    include /etc/nginx/common/common.conf;

    location /ws {
        proxy_pass http://hs-api/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300s;
    }

    location /api/local/user/import/template {
        auth_request /token_auth;
        alias /static/resource/local_user_import_template.xlsx;
    }

    location @my_401 {
        default_type text/html;
        return 401 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>401</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>401 Unauthorized</h1>';
    }

    location @my_403 {
        default_type text/html;
        return 403 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>403</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>403 Forbidden</h1>';
    }

    location @my_404 {
        default_type text/html;
        return 404 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>404</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>404 Not_Found</h1>';
    }

    location @my_502 {
        default_type text/html;
        return 502 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>502</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>502 Bad_Gateway</h1>';
    }

    error_page 497 301 =307 https://$http_host$request_uri;
    error_page 401 @my_401;
    error_page 403 @my_403;
    error_page 404 @my_404;
    error_page 502 @my_502;
}