# Nginx 配置文件示例
# 
# 说明：
# 1. 此配置适用于 OpenResty/Nginx
# 2. 根据实际部署路径调整 root、fastcgi_pass 等配置
# 3. 将此配置添加到 server 块中，或作为独立的 server 配置文件

server {
    listen 80;
    server_name your-domain.com;
    root /var/www/oms;
    index index.html index.php;
    
    # 字符集设置
    charset UTF-8;
    charset_types text/plain text/xml text/css text/javascript application/json application/javascript;
    
    # 请求体大小限制
    client_max_body_size 20M;
    # client_body_buffer_size 128k;
    
    # ========== 生产环境性能优化（开发环境可注释）==========
    # 隐藏 Nginx 版本号（安全优化）
    # server_tokens off;
    
    # 连接优化
    # keepalive_timeout 65;
    # keepalive_requests 100;
    
    # 性能优化：启用 sendfile 和 tcp_nopush
    # sendfile on;
    # tcp_nopush on;
    # tcp_nodelay on;
    
    # 文件描述符缓存（性能优化）
    # open_file_cache max=10000 inactive=30s;
    # open_file_cache_valid 60s;
    # open_file_cache_min_uses 2;
    # open_file_cache_errors on;
    
    # Gzip 压缩配置（性能优化）
    # gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    # gzip_min_length 1000;
    # gzip_disable "msie6";
    
    # 日志配置（开发环境建议启用）
    # access_log /var/log/nginx/oms_access.log;
    # error_log /var/log/nginx/oms_error.log;
    
    # 安全头设置（生产环境推荐，开发环境可注释）
    # add_header X-Frame-Options "SAMEORIGIN" always;
    # add_header X-XSS-Protection "1; mode=block" always;
    # add_header X-Content-Type-Options "nosniff" always;
    # add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 如果已配置 SSL，取消下面的注释
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # ========== 安全规则（按优先级排序，最具体的规则在前）==========
    
    # 禁止访问敏感文件扩展名（优先匹配）
    location ~ \.(sql|log|bak|backup|old|tmp|ini|conf)$ {
        deny all;
        return 403;
    }
    
    # 禁止访问隐藏文件（以 . 开头）
    location ~ /\. {
        deny all;
        return 403;
    }
    
    # 禁止访问敏感目录
    location ~ ^/(\.git|script|data|config|vendor|cgi-bin|tools|docs|docker|tests|upgrade)/ {
        deny all;
        return 403;
    }
    
    # 禁止访问 PHP 配置文件
    location ~ ^/.*/(config|secrets|defined_ext)\.php$ {
        deny all;
        return 403;
    }
    
    # ========== 特殊路由规则 ==========
    
    # 修复重复的 index.php - 将多个连续的 /index.php 重写为单个 /index.php
    location ~ ^/index\.php(/index\.php)+ {
        rewrite ^/index\.php(/index\.php)+(.*)$ /index.php$2 last;
    }
    
    # 将 '/home' 的请求重写到 index.html
    location = /home {
        rewrite ^ /index.html last;
    }
    
    # 将以 'm-' 开头的请求重写到 index.html
    location ~ ^/m- {
        rewrite ^/m- /index.html last;
    }
    
    # ========== 静态文件处理 ==========
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot|webp|avif)$ {
        # 开发环境：禁用缓存，方便调试
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
        add_header Expires "0";
        
        # 生产环境：启用缓存（取消下面的注释）
        # expires 30d;
        # add_header Cache-Control "public, immutable";
        # access_log off;
        # etag off;
    }
    
    # ========== PHP 文件处理 ==========
    location ~ \.php$ {
        # 禁止直接访问敏感配置文件
        if ($request_uri ~* "/(config|secrets|defined_ext)\.php$") {
            return 403;
        }
        
        # fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        # 或使用 TCP 连接：
        fastcgi_pass 127.0.0.1:9000;
        
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        
        # FastCGI 超时设置
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_connect_timeout 60;
        
        # FastCGI 缓冲优化（生产环境推荐，开发环境可注释）
        # fastcgi_buffers 16 16k;
        # fastcgi_buffer_size 32k;
        # fastcgi_busy_buffers_size 64k;
        # fastcgi_temp_file_write_size 64k;
        
        # FastCGI 缓存（可选，根据需求启用）
        # fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=php_cache:100m inactive=60m;
        # fastcgi_cache php_cache;
        # fastcgi_cache_valid 200 60m;
        # fastcgi_cache_bypass $skip_cache;
        # fastcgi_no_cache $skip_cache;
    }
    
    # ========== 主路由处理 ==========
    # fallback 到 index.html 用于 SPA 路由
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    
    # ========== 错误页面配置 ==========
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
        internal;
    }
    location = /404.html {
        root /usr/share/nginx/html;
        internal;
    }
}
# HTTPS 配置示例（如果已配置 SSL 证书）
# server {
#     listen 443 ssl http2;
#     server_name your-domain.com;
#     root /var/www/oms;
#     
#     # SSL 证书配置
#     ssl_certificate /path/to/certificate.crt;
#     ssl_certificate_key /path/to/private.key;
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers HIGH:!aNULL:!MD5;
#     ssl_prefer_server_ciphers on;
#     
#     # 其他配置与 HTTP 配置相同
#     # ...
# }