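events {}

http {
    include /etc/nginx/conf.d/*.conf;

    # SSO login rate limiting: 5 requests per minute per client address.
    # This directive only declares the zone (key, size, rate). The burst of 3
    # has to be set on the limit_req directive that references zone=sso_login,
    # which is not in this file (presumably under conf.d/ -- confirm).
    #
    # The key is the peer address, not the raw X-Forwarded-For header. That
    # header is supplied by the client, so keying on it lets every request
    # carry a different value and land in a fresh bucket, and nginx does not
    # account requests whose key is empty (header absent) at all.
    #
    # If nginx sits behind a reverse proxy or load balancer, restore the real
    # client address with ngx_http_realip_module, trusting the header only
    # from that proxy; otherwise all clients share one bucket (the proxy's IP).
    # Uncomment and fill in before deploying behind a proxy:
    #   set_real_ip_from  <TRUSTED_PROXY_CIDR>;   # placeholder: your proxy's address range
    #   real_ip_header    X-Forwarded-For;
    #   real_ip_recursive on;
    limit_req_zone $binary_remote_addr zone=sso_login:10m rate=5r/m;

    # Redirect all plain-HTTP traffic to HTTPS.
    server {
        listen 80 default_server;
        server_name _;

        # NOTE(review): on this catch-all server $host is taken from the
        # request, so the redirect target follows whatever Host the client
        # sent. If only known names are served, consider a fixed hostname.
        location / {
            return 301 https://$host$request_uri;
        }

        # Keep ACME HTTP-01 challenges reachable over port 80 so certificate
        # renewal keeps working (must stay). The longer prefix wins over
        # "location /", so these requests are not redirected.
        location /.well-known/acme-challenge/ {
            root /var/www/html;
            try_files $uri =404;
        }
    }
}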