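events {
    worker_connections 1024;
}

http {
    include           /etc/nginx/mime.types;
    default_type      application/octet-stream;
    sendfile          on;
    keepalive_timeout 65;

    # WebSocket support for the /aircrawl/ reverse proxy below.
    # Only ask the upstream for a protocol upgrade when the client actually sent
    # an Upgrade header; plain requests get "Connection: close" instead of an
    # unconditional "Connection: upgrade" on every proxied request.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Static web server
    server {
        listen      80;
        server_name localhost;

        # Document root
        root  /usr/share/nginx/html;
        index index.html index.htm;

        # ===== Conflicting X-Frame-Options removed; CSP frame-ancestors used instead =====
        # The following two lines were dropped on purpose:
        #   proxy_hide_header X-Frame-Options;
        #   add_header X-Frame-Options SAMEORIGIN always;
        #
        # CSP frame-ancestors is the more flexible, modern replacement:
        #   - 'self': same-origin pages may embed this site
        #   - https://your-trusted-domain.com: a specific origin may embed it
        #     (replace with the real domain)
        #   - separate multiple origins with spaces
        #
        # NOTE: nginx does not merge add_header across configuration levels. Any
        # location that declares its own add_header discards every header set
        # here, so the CSP line is repeated in each location below that adds a
        # header of its own. Without that repetition HTML responses (served
        # through the "\.html$" location, including the SPA fallback to
        # /index.html) would carry no frame-ancestors policy at all.
        add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;

        # To forbid embedding from anywhere:
        #   add_header Content-Security-Policy "frame-ancestors 'none';" always;
        # To allow embedding from any origin (not recommended, security risk):
        #   add_header Content-Security-Policy "frame-ancestors *;" always;

        # ========== aircrawl reverse proxy ==========
        # Redirect the bare path to the trailing-slash form
        location = /aircrawl {
            return 302 /aircrawl/;
        }

        location /aircrawl/ {
            # NOTE(review): the upstream is reached over plain HTTP; proxied
            # traffic on this hop is unencrypted.
            proxy_pass http://118.25.129.153:1030/;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Hide any X-Frame-Options the upstream may return (avoids a conflict with CSP)
            proxy_hide_header X-Frame-Options;

            # Separate CSP for the proxied application (optional)
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com;" always;

            # WebSocket support ($connection_upgrade comes from the map in the http block)
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        # 1. Explicitly refuse requests for server-side script files
        location ~* \.(php|phtml|asp|aspx|jsp)$ {
            access_log off;
            return 404;
        }

        # 2. Avatar static assets.
        # "^~" makes this prefix location take precedence over the regex
        # locations below. Without it, /api/profile/avatar/x.png is matched by
        # the "\.(js|css|png|...)$" location and looked up under the document
        # root instead of the alias directory (the old "if ... break" inside
        # that regex location did not redirect the request here either).
        location ^~ /api/profile/avatar/ {
            alias /mydata/docker/piaowu/upload/avatar/;
            try_files $uri =404;
            expires 7d;
            access_log off;
            add_header Cache-Control "public";
            # Security headers (server-level CSP repeated: add_header does not inherit)
            add_header X-Content-Type-Options nosniff;
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # Static asset caching
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Server-level CSP repeated: add_header does not inherit
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # Never cache HTML
        location ~* \.html$ {
            expires -1;
            add_header Cache-Control "no-store, no-cache, must-revalidate";
            # Server-level CSP repeated: this is the location that actually
            # serves framed-able documents, so losing it here would defeat
            # the clickjacking protection configured above.
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # SPA routing: unknown paths fall back to index.html
        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}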