#user  nobody;
worker_processes  auto;
error_log  logs/error.log;
pid        logs/nginx.pid;

events {
    worker_connections  10240;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    tcp_nopush      on;
    keepalive_timeout  65;
    gzip  on;

    server_tag off;
    server_info off;
    server_tokens off;
    charset utf-8;

    server{
        listen      80;
        listen      443;

        server_name  www.***.gov.cn,www.***.net.cn,www.***.gov.cn,10.76.11.4;

        ssl_certificate      key/www.***.gov.cn.pem;
        ssl_certificate_key  key/www.***.gov.cn.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

	    add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';

        #重定向配置
        if ($server_port ~* "80") {
              rewrite ^/(.*)  https://www.***.gov.cn/$1 break;
        }

        #cms网站
        location /index/flow {
            index index.html index.jhtml;
            proxy_pass        http://10.76.11.7:8088/;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header  Host $http_host;
        }
        #静态分离 可以在tomcat挂掉的时候前台html页面能提供访问
        location ~/(u|r|thirdparty|h5center|resource/form)/{
            #配置静态资源目录，如果集群下u  p1 m1独立文件夹则分开配置
            proxy_pass        http://10.76.11.7:8088/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location  ~^/(p|m).*\.html$ {
            add_header Access-Control-Allow-Origin *;
            proxy_pass http://10.76.11.7:8088/;  # 指向静态资源服务器
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        #静态分离配置首页跳转到主站首页静态页，否则tomcat挂了依然是有问题
        rewrite ^/$ /p1/index.html permanent;

	#限制访问后台
        location /jeecms/ {
            #设置一个标记
            set $flag 0;
            #当请求的地址是符合条件的进行记录
            if ($http_host !~* "10.76.11.4") {
    	       set $flag "${flag}1";
            }
            #当请求的uri是符合条件的进行记录
            if ($request_uri ~* "jeecms/index.html") {
    	       set $flag "${flag}2";
            }
            #进行拦截
            if ($flag = "012") {
                return 403;
            }

            #默认策略
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout      240;
            proxy_send_timeout         240;
            proxy_read_timeout         240;
            proxy_pass http://10.76.11.7:8088/jeecms/;
       }

        error_page   403 404 /40x.html;
        location = /40x.html {
            root   html;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

       location /.well-known/pki-validation {
           root html;


      }

    }

}