server {
    listen 443 ssl;
    server_name open-isle.com www.open-isle.com;

    ssl_certificate     /etc/letsencrypt/live/open-isle.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/open-isle.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        add_header Cache-Control "no-store" always;
        add_header X-Upstream $upstream_addr always;
    }

    location ^~ /api/ws {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # 升级所需
        proxy_set_header   Upgrade              $http_upgrade;
        proxy_set_header   Connection           $connection_upgrade;

        # 统一透传这些头（你在 /api/ 有，/api/ws 也要有）
        proxy_set_header   Host                 $host;
        proxy_set_header   X-Real-IP            $remote_addr;
        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto    $scheme;
        proxy_set_header   X-Forwarded-Host     $host;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffering    off;
        proxy_cache        off;
    }

    # 2) SockJS（包含 /info、/iframe.html、/.../websocket 等）
    location ^~ /api/sockjs {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;

        proxy_set_header   Upgrade              $http_upgrade;
        proxy_set_header   Connection           $connection_upgrade;

        proxy_set_header   Host                 $host;
        proxy_set_header   X-Real-IP            $remote_addr;
        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto    $scheme;
        proxy_set_header   X-Forwarded-Host     $host;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffering    off;
        proxy_cache        off;

        # 如要同源 iframe 回退，下面两行二选一（或者交给 Spring Security 的 sameOrigin）
        # proxy_hide_header  X-Frame-Options;
        # add_header         X-Frame-Options "SAMEORIGIN" always;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080/api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
    }

    # 通过 https://open-isle.com/rabbitmq/ 访问管理界面
    location ^~ /rabbitmq/ {
        # 关键点：proxy_pass 以 "/" 结尾，保留后缀子路径映射
        proxy_pass         http://127.0.0.1:15672/;
        proxy_http_version 1.1;
    
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    
        # 把上游返回的绝对重定向 /... 改写为 /rabbitmq/...
        proxy_redirect ~^(/.*)$ /rabbitmq$1;
    
        # 为了做 HTML/CSS/JS 内绝对路径替换，需要关闭压缩
        proxy_set_header   Accept-Encoding "";
    
        # 将页面中以 "/" 开头的 src/href 替换为 "/rabbitmq/..."
        sub_filter_types text/html text/css application/javascript;
        sub_filter 'href="/' 'href="/rabbitmq/';
        sub_filter 'src="/'  'src="/rabbitmq/';
        sub_filter_once off;
    
        # 建议对管理台再加一道保护（可选）
        # auth_basic "RabbitMQ Console";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # 通过 https://open-isle.com/docker/ 访问 Portainer（上游是自签名 HTTPS）
    location ^~ /docker/ {
        proxy_pass         https://127.0.0.1:19000/;  # 末尾 / 保留子路径
        proxy_http_version 1.1;

        # 上游是自签证书，关闭校验（仅内网/自签场景）
        proxy_ssl_verify   off;

        # 透传头
        proxy_set_header   Host                 $host;
        proxy_set_header   X-Real-IP            $remote_addr;
        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto    $scheme;
        proxy_set_header   X-Forwarded-Host     $host;

        # WebSocket/事件流（Portainer 某些功能会用到）
        proxy_set_header   Upgrade              $http_upgrade;
        proxy_set_header   Connection           $connection_upgrade;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffering    off;
        proxy_cache        off;

        # 把上游返回的绝对重定向 /... 改写为 /docker/...
        proxy_redirect     ~^(/.*)$ /docker$1;

        # 为了替换 HTML/CSS/JS 中的绝对路径，需要关闭压缩
        proxy_set_header   Accept-Encoding "";

        # 将页面中以 "/" 开头的 src/href 替换为 "/docker/..."
        sub_filter_types   text/html text/css application/javascript;
        sub_filter         'href="/' 'href="/docker/';
        sub_filter         'src="/'  'src="/docker/';
        sub_filter_once    off;

        # 可选：再加一道基本认证
        # auth_basic "Portainer";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }


    # ---------- WEBSOCKET GATEWAY TO :8082 ----------
    location ^~ /websocket/ {
        proxy_pass         http://127.0.0.1:8082/; 
        proxy_http_version 1.1;

        proxy_set_header   Upgrade              $http_upgrade;
        proxy_set_header   Connection           $connection_upgrade;

        proxy_set_header   Host                 $host;
        proxy_set_header   X-Real-IP            $remote_addr;
        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto    $scheme;
        proxy_set_header   X-Forwarded-Host     $host;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_buffering    off;
        proxy_cache        off;
        add_header         Cache-Control "no-store" always;
    }
}
server {
    listen 80;
    server_name open-isle.com www.open-isle.com;
    return 301 https://$host$request_uri;
}
