log_format apex_log '客户端IP: $remote_addr | 用户: $remote_user | 时间: $time_local | '
                            '请求方法和路径: "$request" | 状态码: $status | 响应大小: $body_bytes_sent | '
                            '来源页面: "$http_referer" | 客户端UA: "$http_user_agent" | '
                            '上游服务器: $upstream_addr | 上游响应耗时: $upstream_response_time | '
                            '请求总耗时: $request_time | Host: $host';

server {
    listen 443 ssl;
    server_name apex.deeplink.media;

    ssl_certificate     /data/tengine/conf/certificate/apex.deeplink.media_bundle.crt;
    ssl_certificate_key /data/tengine/conf/certificate/apex.deeplink.media.key;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # 单独日志文件
    access_log /data/tengine/logs/apex_access.log apex_log;
    error_log  /data/tengine/logs/apex_error.log;

    location / {
        proxy_pass         http://43.159.145.241:9007;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # 关键补充：WebSocket 转发必需配置
        proxy_set_header   Upgrade $http_upgrade;  # 传递 Upgrade 头（触发WebSocket）
        proxy_set_header   Connection "upgrade";   # 传递 Connection: upgrade 头
        proxy_http_version 1.1;  # WebSocket 依赖 HTTP/1.1
        proxy_buffering off;
        proxy_cache off;
        proxy_request_buffering off;

        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,X-Requested-With,Accept,Origin' always;
    }
}

server {
    listen 80;
    server_name apex.deeplink.media;
    return 301  https://$host$request_uri;
}