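# Front-end server for a Vue single-page application: serves the built bundle
# from /usr/share/nginx/html, hides source and tooling files, and proxies
# /api/ to the Java backend.
#
# nginx picks a location in this order: exact (=), longest prefix marked ^~,
# then regex locations in the order they appear in this file (first match
# wins), then the longest plain prefix. Every deny rule below is therefore
# placed BEFORE the static-asset regex, otherwise it would never be reached.
server {
    # Plain HTTP only. NOTE(review): presumably TLS is terminated in front of
    # this container; confirm before exposing port 80 directly.
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.html;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;

    # ============================================
    # API proxy to the backend
    # ============================================
    # ^~ stops nginx from evaluating the regex locations below for /api/
    # paths. Without it, a request such as /api/files/logo.png or
    # /api/export.map is captured by a regex location and never proxied.
    location ^~ /api/ {
        proxy_pass http://java-backend:8080/api/;
        proxy_http_version 1.1;
        # Connection 'upgrade' is sent on every request, not only WebSocket
        # handshakes. Making it conditional needs a map{} block in the http
        # context, which is outside this server block.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx itself saw. X-Forwarded-For is the
        # client-supplied header with that address appended, so the backend
        # must not trust its leading entries for access decisions or audit logs.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # ============================================
    # Hardening: deny access to source and configuration files
    # ============================================
    # These rules are defence in depth; the primary control is to copy only
    # the build output into the web root.

    # Deny .vue source files
    location ~* \.vue$ {
        return 404;
    }

    # Deny build-tool configuration files (vite.config.ts, postcss.config.json, ...)
    location ~* (config|vite|webpack|babel|tailwind|postcss|eslint|prettier)\.config\.(js|ts|mjs|cjs|json)$ {
        return 404;
    }

    # Deny any script whose name ends in config.js/.ts/.mjs/.cjs. This must
    # precede the static-asset location, which would otherwise match *.js
    # first and serve the file. A deployed asset named like this is hidden too.
    location ~* config\.(js|ts|mjs|cjs)$ {
        return 404;
    }

    # Deny ESLint/Prettier rc files, including the extension-less
    # .eslintrc / .prettierrc and the .cjs variant.
    location ~* \.(eslintrc|prettierrc)(\.(js|cjs|json|yaml|yml))?$ {
        return 404;
    }

    # Deny source maps (they expose the original source tree)
    location ~* \.map$ {
        return 404;
    }

    # Deny environment files with any suffix (.env, .env.local, .env.test,
    # .env.production.local, ...); these commonly hold credentials.
    location ~* \.env(\.[a-z0-9._-]+)?$ {
        return 404;
    }

    # Deny dependency lock files. The real names are package-lock.json,
    # yarn.lock and pnpm-lock.yaml; matching only ".json" left the last two
    # readable.
    location ~* (package-lock|yarn|pnpm-lock)\.(json|lock|yaml)$ {
        return 404;
    }

    # ============================================
    # Static asset caching - safe file types only
    # ============================================
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ {
        expires 1y;
        # add_header directives declared here replace, rather than extend,
        # any add_header set at the server level.
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff;
        access_log off;
    }

    # ============================================
    # Front-end routing (Vue Router history mode)
    # ============================================
    # Unknown paths fall back to index.html so the client-side router can
    # resolve them.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # ============================================
    # Health check endpoint
    # ============================================
    location /health {
        access_log off;
        # default_type sets the Content-Type of the response produced by
        # "return"; add_header Content-Type would emit a second header
        # instead of replacing it.
        default_type text/plain;
        return 200 "healthy\n";
    }
}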
