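# TLS virtual host for assets.tlyq.ai. Every request is authorized by an
# Authelia auth_request subrequest before it is proxied to assets-ai:3000.
server {
    listen 443 ssl;
    server_name assets.tlyq.ai;

    ssl_certificate     /etc/letsencrypt/live/www.tlyq.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tlyq.ai/privkey.pem;

    # Authelia authorization endpoint. "internal" makes it unreachable from
    # clients; only internal requests such as auth_request subrequests get here.
    location /authelia-auth {
        internal;
        proxy_pass http://authelia:9091/api/authz/auth-request;

        # Give Authelia the session cookie and the original request context.
        proxy_set_header Cookie             $http_cookie;
        proxy_set_header X-Original-Method  $request_method;
        proxy_set_header X-Original-URL     $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-URI    $request_uri;

        # The authorization decision does not need the request body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        auth_request /authelia-auth;

        # Copy the identity Authelia returned into variables for the backend.
        auth_request_set $user   $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;

        # Setting these here replaces any X-Remote-* value sent by the client,
        # so the backend only sees the identity asserted by Authelia.
        proxy_set_header X-Remote-User   $user;
        proxy_set_header X-Remote-Groups $groups;

        # NOTE(review): this is a shared secret stored in clear text. Treat the
        # file as a credential (restrictive permissions, kept out of shared
        # repositories) and rotate the value if this config has been published.
        proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://assets-ai:3000;
    }

    # Unauthenticated requests are redirected to the SSO portal, with the
    # original URL passed in "rd" so the portal can send the user back.
    error_page 401 =302 https://sso.tlyq.ai/?rd=$scheme://$http_host$request_uri;

    # nginx-generated 502/503 responses are retried through @fallback.
    error_page 502 503 = @fallback;

    # The fallback reaches the same backend as "location /", so it must apply
    # the same controls. auth_request is declared inside "location /" and does
    # not apply to this sibling location, and because proxy_set_header is
    # declared here, nothing is inherited: without the lines below, a
    # client-supplied X-Remote-User / X-Remote-Groups would be forwarded as-is.
    # NOTE(review): this error_page is inherited by /authelia-auth as well;
    # confirm that an unreachable Authelia results in a denied request.
    location @fallback {
        auth_request /authelia-auth;
        auth_request_set $user   $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;

        proxy_set_header X-Remote-User   $user;
        proxy_set_header X-Remote-Groups $groups;
        proxy_set_header X-Auth-Proxy-Key "internal-auth-key-tlyq-2026";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://assets-ai:3000;
    }
}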