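upstream api_service {
    server api:80;
}

upstream dlweb_service {
    server dlweb:80;
}

upstream wxserver_service {
    server wxserver:3000;
}

# =============================================
# Domain-based routing + SSL (Let's Encrypt auto-issued certificates)
#
# Domain names are injected from the .env file (API_DOMAIN / DLWEB_DOMAIN /
# ROOT_DOMAIN). After editing .env, recreate the container so the new
# environment is picked up: `docker compose up -d nginx` (a plain
# `docker compose restart nginx` keeps the container's old environment).
#
# ================== WeChat domain setup guide ==================
#
# The two domains configured in .env map to:
#   ${API_DOMAIN}   → site 1: game-docker/api + wxserver (forwarded via the /wx/ prefix)
#   ${DLWEB_DOMAIN} → site 2: game-docker/dlweb/api
#
# [WeChat Mini Program console] (mp.weixin.qq.com → 开发管理 / Development → 开发设置 / Settings)
#   - request legal domain: https://${API_DOMAIN}
#   - business domain:      ${API_DOMAIN}
#     (the verification file lives in the api/ root; the MP_verify_xxx.txt
#      for both the mini program and the official account go there)
#   wxserver endpoints are reached through ${API_DOMAIN}/wx/*
#
# [WeChat Official Account console] (mp.weixin.qq.com → 设置与开发 → 公众号设置)
#   - business domain:      ${API_DOMAIN}
#     (verification file in the api/ root)
#   - JS API safe domain:   ${API_DOMAIN}
#   - web OAuth domain:     ${API_DOMAIN}  ← shared by api and wxserver
#   wxserver OAuth callback: https://${API_DOMAIN}/wx/auth/oa/callback
#
# [WeChat Pay console] (pay.weixin.qq.com)
#   - payment authorization directory: https://${DLWEB_DOMAIN}/
#   - payment notify callback: set by notify_url in application code
#
# =============================================

# =============================================
# Shared SSL settings (included by every TLS server block below)
# =============================================
# NOTE: ssl-params.conf is generated by init-ssl.sh into
#       /etc/nginx/snippets/ssl-params.conf
#
# Forwarded-client headers used in every proxy location:
#   X-Real-IP is always the direct peer address ($remote_addr).
#   $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever
#   X-Forwarded-For the client already sent, so upstream code must not
#   trust the leftmost entry; when nginx is the edge, use X-Real-IP (or
#   the rightmost X-Forwarded-For entry) as the client address.

# ===== Parent domain, HTTP only (WeChat business-domain verification file; everything else → API domain) =====
# The parent domain has no certificate; it exists only so MP_verify_*.txt
# can be fetched over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name ${ROOT_DOMAIN} www.${ROOT_DOMAIN};

    # Let's Encrypt ACME challenge (kept in case a certificate is ever
    # requested for the parent domain)
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # WeChat business-domain verification file, served by the api container.
    # The regex is matched against the normalised $uri (percent-decoded,
    # "." / ".." resolved), so it only ever selects /MP_verify_*.txt at the
    # api root.
    location ~* ^/MP_verify_.*\.txt$ {
        proxy_pass http://api_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }

    # Everything else is redirected to the API sub-domain (fixed target,
    # not derived from the request)
    location / {
        return 301 https://${API_DOMAIN}$request_uri;
    }
}

# ===== HTTP → HTTPS redirect for the two TLS sites + ACME challenge =====
# The redirect target uses $host, which comes from the client's Host header.
# server_name is restricted to the two configured domains, so $host can only
# be one of them here and the block cannot be abused as an open redirect to
# an attacker-chosen host; unknown hosts fall through to the catch-all below.
server {
    listen 80;
    listen [::]:80;
    server_name ${API_DOMAIN} ${DLWEB_DOMAIN};

    # Let's Encrypt HTTP-01 challenge (must stay; certbot's webroot is /var/www/certbot)
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Health check for internal use / load balancers (not redirected)
    location /health {
        return 200 'OK';
        add_header Content-Type text/plain;
    }

    # Everything else: permanent redirect to HTTPS on the same (validated) host
    location / {
        return 301 https://$host$request_uri;
    }
}

# ===== Catch-all for unknown Host headers or bare-IP requests on port 80 =====
# Keeps /health reachable for probes that address the server by IP and keeps
# the ACME path (harmless). Anything else is closed without a response (444)
# rather than redirected to whatever host name the client supplied.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location /health {
        return 200 'OK';
        add_header Content-Type text/plain;
    }

    location / {
        return 444;
    }
}

# ===== Site 1: core game API (Official Account backend) + wxserver OAuth callback =====
# This is the first server block on port 443, so it is also what a TLS
# client with an unknown SNI name receives (nginx picks the first block as
# the default when none is marked default_server).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${API_DOMAIN};

    ssl_certificate     /etc/letsencrypt/live/${API_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${API_DOMAIN}/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf;

    # wxserver routing: requests under /wx/ go to the wxserver container with
    # the /wx prefix stripped (the trailing slash on proxy_pass replaces the
    # matched prefix):
    #   /wx/auth/oa/callback → wxserver:/auth/oa/callback
    #   /wx/api/login        → wxserver:/api/login
    location /wx/ {
        proxy_pass http://wxserver_service/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }

    # Files uploaded through wxserver (/wx/api/upload returns /uploads/... URLs)
    location /uploads/ {
        proxy_pass http://wxserver_service/uploads/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }

    # PHP API (every other request)
    location / {
        proxy_pass http://api_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}

# ===== Site 2: agent management backend (WeChat Pay) =====
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${DLWEB_DOMAIN};

    ssl_certificate     /etc/letsencrypt/live/${DLWEB_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DLWEB_DOMAIN}/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_pass http://dlweb_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}

# Note: wxserver no longer has a domain of its own; all of its endpoints are
# reached through api.xxx/wx/*.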