server {
    listen 443 ssl;
    server_name admin.scalelink.cn;
    ssl_certificate  /data/tengine/conf/certificate/admin.scalelink.cn_bundle.crt;
    ssl_certificate_key /data/tengine/conf/certificate/admin.scalelink.cn.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # ========= 反误判 Header =========
    add_header X-Robots-Tag "noindex, nofollow, nosnippet" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "same-origin" always;
    add_header X-Admin-System "Scalelink-Internal-Console" always;
    add_header Server "Scalelink-Gateway" always;

    # ========= 阻断搜索引擎 =========
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # ========= 前端 admin 页面 =========
    location / {
        root  /data/tengine/html/fly_moon_web/dist;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;

        add_header X-Robots-Tag "noindex, nofollow, nosnippet" always;
        add_header X-Admin-System "Scalelink-Internal-Console" always;
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "same-origin" always;

        # admin 页面不缓存（钓鱼站通常强缓存）
        add_header Cache-Control "no-store, private";
    }

    location = /login {
        limit_req zone=login_limit burst=5 nodelay;
        try_files $uri $uri/ /index.html;
    }

    # ========= API（原有逻辑） =========
    location ^~ /prod-api {
        client_max_body_size 100m;
        proxy_pass   http://43.153.21.64:8080;
        proxy_set_header Host 43.153.21.64;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 3s;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }
    location /prod-api/monitor/job {
        proxy_pass         http://task_backend$uri;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_redirect     off;
    }
    
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

server {
    listen 80;
    server_name admin.scalelink.cn;
    return 301 https://$host$request_uri;
}