# Drip Tunnel Server - Nginx configuration
#
# Architecture: external user -> Nginx (443) -> Drip Server (8443) -> client
#
# Prerequisites:
# 1. Obtain a wildcard SSL certificate:
#    certbot certonly --manual --preferred-challenges dns \
#      -d "*.tunnel.example.com" -d "tunnel.example.com"
#
# 2. DNS records:
#    A  tunnel.example.com    -> YOUR_SERVER_IP
#    A  *.tunnel.example.com  -> YOUR_SERVER_IP
#
# 3. Start Drip Server:
#    ./bin/drip-server --port 8443 --domain tunnel.example.com \
#      --tls-cert /etc/letsencrypt/live/tunnel.example.com/fullchain.pem \
#      --tls-key /etc/letsencrypt/live/tunnel.example.com/privkey.pem
#
# Security notes:
# - Nginx and drip-server load the same private key file, so both processes
#   need read access to privkey.pem. Keep its permissions restrictive.
# - NOTE(review): the drip-server command above shows no bind address. If it
#   listens on all interfaces, port 8443 is reachable directly and bypasses
#   Nginx. Confirm it binds to loopback, or firewall 8443.

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name tunnel.example.com *.tunnel.example.com;
    # $host is taken from the request. If this is the only server block on
    # port 80 it is also the default server, so a request with any Host value
    # is redirected to that host. Add a catch-all default_server block if
    # only the tunnel domains should be answered.
    return 301 https://$host$request_uri;
}

# HTTPS reverse proxy to Drip Server
server {
    # On nginx 1.25.1 and later the "http2" listen parameter is deprecated in
    # favour of a separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name tunnel.example.com *.tunnel.example.com;

    # SSL certificate (wildcard certificate from prerequisite 1)
    ssl_certificate /etc/letsencrypt/live/tunnel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tunnel.example.com/privkey.pem;
    # Only TLS 1.2 and 1.3 are accepted; older protocol versions are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Proxy to Drip Server
    location / {
        proxy_pass https://127.0.0.1:8443;
        # The upstream certificate is NOT validated. That is tolerable only
        # while the upstream is on loopback. If Drip Server moves to another
        # host, enable proxy_ssl_verify and set proxy_ssl_trusted_certificate
        # and proxy_ssl_name, otherwise the hop is open to interception.
        proxy_ssl_verify off;
        proxy_http_version 1.1;

        # Forwarded request headers
        proxy_set_header Host $host;
        # $remote_addr is the address of the TCP peer connected to Nginx.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent. The earlier entries are
        # client-controlled, so nothing downstream should use them for
        # access control, rate limiting or audit logging.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts (the send and read timeouts apply between successive
        # operations, so an idle tunnel connection is dropped after 300s)
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;

        # Disable buffering: responses and request bodies are streamed
        # through instead of being collected by Nginx first.
        proxy_buffering off;
        proxy_request_buffering off;

        # Large upload support: request bodies above 100 MB are rejected
        # with 413.
        client_max_body_size 100m;
    }
}