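# Reverse-proxy configuration for 51easyai.com.
# - www.51easyai.com: answers ACME challenges, redirects everything else to the apex over HTTPS.
# - 51easyai.com: proxies the front end (3010), the API (3001), socket.io (3002) and /mcp (3001).

# Derive the Connection header for upstream requests: "upgrade" when the client
# sent an Upgrade header (WebSocket handshake), "close" when it did not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# www domain redirect
server {
    listen 80;
    listen [::]:80;
    server_name www.51easyai.com;

    # Add an HSTS policy
    # NOTE(review): browsers ignore Strict-Transport-Security received over plain
    # HTTP, so this belongs on the HTTPS (listen 443 ssl) server block, not here.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # TLS version control
    # NOTE(review): this server only has plain `listen 80` sockets, where
    # ssl_protocols has no effect. Confirm the same policy is set on the
    # TLS listener, which is not visible in this file.
    ssl_protocols TLSv1.2 TLSv1.3; # enable only TLS 1.2 and TLS 1.3

    # Configuration used for certbot validation
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        try_files $uri =404;
    }

    # Stricter redirect rule: the target host is hard-coded rather than taken
    # from the request, so a forged Host header cannot steer the redirect.
    location / {
        return 301 https://51easyai.com$request_uri;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name 51easyai.com;

    # NOTE(review): this block serves the application over plain HTTP. The www
    # redirect above points at https://51easyai.com, so TLS is presumably
    # terminated somewhere else (a 443 block or a front-end proxy/CDN) - confirm,
    # and consider redirecting port 80 to HTTPS here as well.

    # TLS version control
    # NOTE(review): no effect on a non-ssl listener; see the TLS server block.
    ssl_protocols TLSv1.2 TLSv1.3; # enable only TLS 1.2 and TLS 1.3

    # General security headers
    # `always` makes nginx send these on error responses (4xx/5xx) too; without
    # it they are only added to a fixed set of success and redirect status codes.
    # These server-level headers are inherited only by locations that declare no
    # add_header of their own - adding one inside a location drops all three there.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers no
    # longer act on; a Content-Security-Policy is the maintained control.
    add_header X-XSS-Protection "1; mode=block" always;

    # Configuration used for certbot validation
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        try_files $uri =404;
    }

    # Dedicated handler for the WeCom (Enterprise WeChat) verification file
    # location = /WW_verify_9eWb5ozYfqE0Bb2i.txt {
    #     default_type text/plain; # set the correct Content-Type
    #     return 200 '9eWb5ozYfqE0Bb2i'; # return the verification content directly
    # }

    # Front-end application
    location / {
        proxy_pass http://127.0.0.1:3010/;
        proxy_redirect off; # change redirect handling

        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the left-most entries are
        # client-controlled. Backends should rely on X-Real-IP (or the last
        # X-Forwarded-For entry) for rate limiting, logging and access decisions.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    # API backend; the trailing slash on proxy_pass strips the /api/ prefix.
    location /api/ {
        proxy_pass http://127.0.0.1:3001/;
        proxy_read_timeout 600s; # already set by you; suitable for long-lived connections
        # Applies to this location only; other locations keep the inherited limit.
        client_max_body_size 100M;
        proxy_redirect off;

        # --- SSE-critical settings: begin ---
        proxy_buffering off;                # required: disable proxy buffering so data goes from the backend to the client immediately
        proxy_cache off;                    # required: disable caching; SSE is dynamic content
        proxy_set_header Connection '';     # clear the Connection header; helps keep the connection open
        proxy_http_version 1.1;             # HTTP/1.1 is recommended
        proxy_set_header Accept-Encoding ''; # optional: stops upstream compression (gzip etc.) from causing buffering that would break streaming output
        # --- SSE-critical settings: end ---

        # Client-supplied X-Forwarded-For entries are passed through; see location /.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    # socket.io (WebSocket) backend
    # NOTE(review): a prefix location also matches any URI that merely starts
    # with "/socket.io"; confirm the backend rejects unexpected paths.
    location /socket.io {
        proxy_pass http://127.0.0.1:3002;
        proxy_read_timeout 300s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off; # disable buffering for WebSocket connections
    }

    # Forward /mcp/messages traffic to port 3001
    # NOTE(review): this prefix matches everything starting with "/mcp", not only
    # /mcp/messages, and is exposed without any access control at the proxy -
    # confirm the backend authenticates these requests.
    location /mcp {
        proxy_pass http://127.0.0.1:3001/mcp;
        proxy_read_timeout 300s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off; # disable buffering for WebSocket connections
    }
}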