# ============================================================
# Grafana - 观测仪表盘
# 域名: grafana.kejiankejian.com
# ============================================================

# HTTP -> HTTPS
server {
    listen      80;
    listen      [::]:80;
    server_name grafana.kejiankejian.com;
    return      301 https://$host$request_uri;
}

# HTTPS
server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name grafana.kejiankejian.com;

    ssl_certificate     /etc/nginx/ssl/_.kejiankejian.com_chain.pem;
    ssl_certificate_key /etc/nginx/ssl/_.kejiankejian.com_key.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # IP 白名单 (生产建议开启)
    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    # deny  all;

    # 原配置启用了 auth_basic, 但容器内没挂载 .htpasswd, 会 500
    # 如需开启:
    #   1) 在 nginx-gateway/ 下生成 .htpasswd
    #   2) 在此 compose volumes 加挂: - ./.htpasswd:/etc/nginx/.htpasswd:ro
    #   3) 取消下方注释
    # auth_basic           "Grafana";
    # auth_basic_user_file /etc/nginx/.htpasswd;

    access_log /dev/stdout;
    error_log  /dev/stderr;

    location / {
        proxy_pass http://grafana_ui;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Grafana Live (WebSocket)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}