ocdp-go/infra/nginx/default.conf

# default.conf - OCDP production gateway
# - 对外监听 80/443（Docker 默认映射宿主 80/443）
# - 路由策略: /api/* → backend 服务，其余路径 → SPA 静态资源
# - TLS 证书通过 /etc/nginx/certs/tls.(crt|key) 挂载，可替换为正式证书

server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name _;

    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx/html;
    index index.html;

    # 前端 SPA 路由 fallback
    location / {
        try_files $uri /index.html;
    }

    # API 请求代理到 backend 服务
    location /api/ {
        proxy_pass         http://backend:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Nginx 健康检查
    location = /healthz {
        access_log off;
        add_header Content-Type text/plain;
        return 200 'ok';
    }

    # 提供静态资源 (cache control)
    location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
        expires 7d;
        add_header Cache-Control "public, max-age=604800, immutable";
        try_files $uri /index.html;
    }
}