# NAC CNNL HTTP Service - Nginx 反向代理配置
# 域名: cnnl.newassetchain.io
# 后端: http://localhost:8765

server {
    listen 80;
    server_name cnnl.newassetchain.io;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    http2 on;
    server_name cnnl.newassetchain.io;

    # 通配符证书（*.newassetchain.io，有效期至 2027-01-31）
    ssl_certificate     /etc/ssl/certs/_.newassetchain.io.pem;
    ssl_certificate_key /etc/ssl/certs/_.newassetchain.io.key;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # 安全头
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # 请求体大小限制（CNNL 源码最大 1MB）
    client_max_body_size 2m;

    location / {
        proxy_pass         http://127.0.0.1:8765;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
        proxy_connect_timeout 5s;

        # CORS 支持（供立法 IDE、宪法沙箱等工具调用）
        add_header Access-Control-Allow-Origin  * always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'Content-Type, Authorization, X-Requested-With' always;

        # OPTIONS 预检请求直接返回
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    # 健康检查端点（不记录日志）
    location = /api/v1/health {
        proxy_pass         http://127.0.0.1:8765;
        proxy_set_header   Host $host;
        access_log off;
    }

    access_log  /www/wwwlogs/cnnl.newassetchain.io.log;
    error_log   /www/wwwlogs/cnnl.newassetchain.io.error.log;
}