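# ============================================================
# Shudao Security AI System - production Nginx (OpenResty) configuration
# ============================================================
# Service ports:
#   - 22000: Nginx TLS entry point
#   - 22001: shudao-go-backend (system backend)
#   - 28000: admin console API
#   - 28002: ReportGenerator (AI chat service)
#   - 28004: auth-server (unified auth gateway; absorbs the former 28003-28006 services)
#   - 24000: ChromaDB (vector search)
#   - 172.16.35.50:8000: TTS / speech services
# ============================================================
# Security notes for maintainers:
#   - The JWT signing secret is NOT stored in this file. It is read from the
#     SHUDAO_JWT_SECRET environment variable (see the JWT section below).
#   - The X-User-* identity headers are nginx-controlled on every route:
#     locations that run jwt-auth.lua set them from the verified token, all
#     other locations blank them, so a client can never inject an identity
#     on a route that skips the JWT check.
#   - Rate limiting pairs the per-IP+URI zone with a plain per-IP ceiling:
#     $request_uri includes the query string, so the per-URI zone alone is
#     bypassed by varying a query parameter.
# ============================================================

# ==================== Rate limiting ====================
# Plain per-IP ceiling (all URIs share one bucket).
limit_req_zone $binary_remote_addr zone=limit_by_ip:10m rate=10r/s;
# Per-IP+URI bucket. $request_uri includes the query string, so this zone on
# its own is trivially bypassable; every location that uses it also applies
# limit_by_ip.
limit_req_zone $binary_remote_addr$request_uri zone=limit_ip_uri:10m rate=10r/s;
# Login throttle. TODO(review): this zone is declared but not applied by any
# location in this file. Bind it to the auth-server login endpoint (the exact
# path is not visible here) with `limit_req zone=limit_login burst=5 nodelay;`
# inside a more specific location under /auth/.
limit_req_zone $binary_remote_addr zone=limit_login:10m rate=5r/m;
limit_conn_zone $binary_remote_addr zone=conn_by_ip:10m;

limit_req_log_level warn;
limit_req_status 429;
limit_conn_log_level warn;
limit_conn_status 429;

server {
    listen 22000 ssl;
    server_name aqai.shudaodsj.com;

    ssl_certificate /usr/local/openresty/nginx/conf.d/shudaodsj.com.pem;
    ssl_certificate_key /usr/local/openresty/nginx/conf.d/shudaodsj.com.key;
    # Pin the protocol set explicitly rather than relying on the build default
    # (older nginx/OpenResty builds still enable TLSv1 and TLSv1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    client_max_body_size 50M;
    charset utf-8;

    access_log /usr/local/openresty/nginx/logs/shudao_access.log;
    error_log /usr/local/openresty/nginx/logs/shudao_error.log info;

    # `always` so the header is also emitted on error responses (add_header
    # without it only applies to 2xx/3xx responses).
    add_header X-Content-Type-Options "nosniff" always;

    # ==================== JWT ====================
    # The HS256 secret is read from the environment at request time instead of
    # being a literal in this file (the previous value was the placeholder
    # "your-secret-key-change-in-production-2024", which lets anyone who knows
    # it mint valid tokens). Requires `env SHUDAO_JWT_SECRET;` in the main
    # (top-level) nginx context, otherwise os.getenv() returns nil in OpenResty.
    # The variable name is unchanged, so jwt-auth.lua keeps reading
    # ngx.var.jwt_secret. It must treat an empty secret as a verification
    # failure — TODO(review): confirm in jwt-auth.lua.
    set_by_lua_block $jwt_secret {
        local secret = os.getenv("SHUDAO_JWT_SECRET")
        if secret == nil or secret == "" then
            ngx.log(ngx.ERR, "SHUDAO_JWT_SECRET is not set")
            return ""
        end
        return secret
    }
    set $jwt_algorithm "HS256";
    # Filled in by jwt-auth.lua from the verified token and forwarded upstream
    # as X-User-* headers on the JWT-protected locations.
    set $user_accountID "";
    set $user_name "";
    set $user_userCode "";
    set $user_contactNumber "";
    set $user_jti "";

    # ==================== Admin console (static SPA) ====================
    # Slash-terminated location paired with a slash-terminated alias. The
    # previous `location /admin` prefix also matched /adminanything and mapped
    # it under the alias root; this form keeps the alias strictly scoped to
    # /admin/. The /admin/api/v1 prefix below is longer and still wins.
    location = /admin {
        return 301 /admin/;
    }
    location /admin/ {
        alias /opt/www/shudao_backstage/dist/;
        try_files $uri $uri/ /admin/index.html;
    }

    # No JWT check at this layer; the admin API on 28000 is assumed to do its
    # own authentication — TODO(review): confirm.
    location /admin/api/v1 {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        proxy_pass http://127.0.0.1:28000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # An empty value drops the header, so client-supplied identity headers
        # never reach the upstream on this unauthenticated route.
        proxy_set_header X-User-AccountID "";
        proxy_set_header X-User-Name "";
        proxy_set_header X-User-UserCode "";
        proxy_set_header X-User-ContactNumber "";
        proxy_set_header X-User-JTI "";
    }

    # ==================== Auth gateway (auth-server:28004) ====================
    # /auth/api/xxx -> http://127.0.0.1:28004/api/xxx
    # Unauthenticated by design: this is where tokens are issued.
    location /auth/ {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        proxy_pass http://127.0.0.1:28004/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Blank client-supplied identity headers (empty value = header dropped).
        proxy_set_header X-User-AccountID "";
        proxy_set_header X-User-Name "";
        proxy_set_header X-User-UserCode "";
        proxy_set_header X-User-ContactNumber "";
        proxy_set_header X-User-JTI "";
    }

    # ==================== AI chat service (ReportGenerator:28002) ====================
    # /chatwithai/api/v1/xxx -> http://127.0.0.1:28002/api/v1/xxx
    location /chatwithai/ {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        # Rejects the request unless jwt-auth.lua accepts the token; on success
        # it populates the $user_* variables forwarded below.
        access_by_lua_file /usr/local/openresty/nginx/conf.d/jwt-auth.lua;
        proxy_pass http://127.0.0.1:28002/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # proxy_set_header replaces any client-supplied header of the same name,
        # so these always carry the verified identity.
        proxy_set_header X-User-AccountID $user_accountID;
        proxy_set_header X-User-Name $user_name;
        proxy_set_header X-User-UserCode $user_userCode;
        proxy_set_header X-User-ContactNumber $user_contactNumber;
        proxy_set_header X-User-JTI $user_jti;
        # SSE streaming: no buffering/caching, long read/send timeouts.
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # ==================== System backend (shudao-go-backend:22001) ====================
    # OSS parse endpoint (no JWT). It reaches the same upstream as /apiv1, so
    # the identity headers are blanked here: otherwise a client could send
    # X-User-* on this path and the backend would receive them as if nginx
    # had set them from a verified token.
    location /apiv1/oss/parse {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        proxy_pass http://127.0.0.1:22001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-User-AccountID "";
        proxy_set_header X-User-Name "";
        proxy_set_header X-User-UserCode "";
        proxy_set_header X-User-ContactNumber "";
        proxy_set_header X-User-JTI "";
    }

    # System backend API (JWT required).
    location /apiv1 {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        access_by_lua_file /usr/local/openresty/nginx/conf.d/jwt-auth.lua;
        proxy_pass http://127.0.0.1:22001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-User-AccountID $user_accountID;
        proxy_set_header X-User-Name $user_name;
        proxy_set_header X-User-UserCode $user_userCode;
        proxy_set_header X-User-ContactNumber $user_contactNumber;
        proxy_set_header X-User-JTI $user_jti;
    }

    # ==================== TTS speech synthesis ====================
    location /tts/ {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        access_by_lua_file /usr/local/openresty/nginx/conf.d/jwt-auth.lua;
        proxy_pass http://172.16.35.50:8000/tts/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-User-AccountID $user_accountID;
        proxy_set_header X-User-Name $user_name;
        proxy_set_header X-User-UserCode $user_userCode;
        proxy_set_header X-User-ContactNumber $user_contactNumber;
        proxy_set_header X-User-JTI $user_jti;
    }

    # ==================== Speech to text ====================
    location /audio_to_text {
        limit_req zone=limit_ip_uri burst=20 nodelay;
        limit_req zone=limit_by_ip burst=50 nodelay;
        limit_conn conn_by_ip 20;
        access_by_lua_file /usr/local/openresty/nginx/conf.d/jwt-auth.lua;
        proxy_pass http://172.16.35.50:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-User-AccountID $user_accountID;
        proxy_set_header X-User-Name $user_name;
        proxy_set_header X-User-UserCode $user_userCode;
        proxy_set_header X-User-ContactNumber $user_contactNumber;
        proxy_set_header X-User-JTI $user_jti;
    }

    # ==================== Default route (frontend static assets) ====================
    # Unauthenticated and unlimited by design (static assets). Same upstream as
    # /apiv1, so the identity headers are blanked here as well.
    location / {
        proxy_pass http://127.0.0.1:22001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-User-AccountID "";
        proxy_set_header X-User-Name "";
        proxy_set_header X-User-UserCode "";
        proxy_set_header X-User-ContactNumber "";
        proxy_set_header X-User-JTI "";
        # SSE streaming
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # ==================== Error pages ====================
    error_page 429 /429.json;
    location = /429.json {
        internal;
        default_type application/json;
        return 429 '{"detail":"请求过于频繁,请稍后重试","code":"RATE_LIMIT_EXCEEDED","retry_after":60}';
        # `always` is required: without it add_header is skipped on a 429
        # response and the Retry-After header was never actually sent.
        add_header Retry-After 60 always;
    }

    error_page 404 /404.json;
    location = /404.json {
        internal;
        default_type application/json;
        return 404 '{"detail":"接口不存在"}';
    }

    error_page 400 /400.json;
    location = /400.json {
        internal;
        default_type application/json;
        return 400 '{"detail":"请求格式不正确"}';
    }

    # All upstream failures are collapsed to a generic 500 so the client cannot
    # distinguish a crashed upstream (502) from an overloaded one (503/504).
    error_page 500 502 503 504 /50x.json;
    location = /50x.json {
        internal;
        default_type application/json;
        return 500 '{"detail":"服务器内部错误"}';
    }
}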