cd /tmp/nginx_rpm/
rpm -ivh *.rpm --force --nodeps

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl

openssl req -newkey rsa:2048 -nodes -keyout test.key \
    -x509 -days 365 -out test.crt \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Test/OU=IT/CN=localhost"

mkdir -p /var/www/test-web
mkdir -p /var/www/test-app
echo "Web Index" > /var/www/test-web/index.html
echo "App Index" > /var/www/test-app/index.html

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Gzip 壓縮
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript application/xml;
    gzip_vary on;

    sendfile        on;
    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;
}

# Web HTTP → HTTPS
server {
    listen 80;
    server_name localhost;
    return 301 https://$server_name$request_uri;
}

# Web HTTPS
server {
    listen 443 ssl http2;
    server_name localhost;

    client_max_body_size 1024m;

    ssl_certificate     /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        root /var/www/test-web;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    location /test/ {
        proxy_pass http://192.168.2.67:9652;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# App HTTP → HTTPS
server {
    listen 3000;
    server_name localhost;
    return 301 https://$server_name:3001$request_uri;
}

# App HTTPS
server {
    listen 3001 ssl http2;
    server_name localhost;

    client_max_body_size 1024m;

    ssl_certificate     /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        root /var/www/test-app;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    location /test/ {
        proxy_pass http://192.168.2.67:9652;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

systemctl enable nginx
systemctl start nginx
systemctl status nginx

sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=3000/tcp --permanent
sudo firewall-cmd --add-port=3001/tcp --permanent
sudo firewall-cmd --reload