# 特定のOriginの場合のみCORS用ヘッダを返すための設定
# $http_originはOriginリクエストヘッダーの中身が入る。
# https://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_
# OriginリクエストヘッダーはCORSリクエスト、POSTリクエストで送信される。普通にGETするだけだと送信されないので注意
map $http_origin $origin_allowed {
    # default 'NG';
    default 'OK';
}

map $origin_allowed $origin {
    default null;
    'OK' $http_origin;
}

map $http_user_agent $loggable {
    ~ELB-HealthChecker  0;
    default             1;
}

server {
    listen 80;

    # nginxはifでANDが使えないので文字列を組み合わせてAND代わりにする
    set $origin_allowed_method $origin_allowed$request_method;

    # set_real_ip_from 10.0.0.0/8;
    # set_real_ip_from 172.20.0.1/32; # Debian
    # set_real_ip_from 192.168.32.1/32; # mac
    # real_ip_header  X-Forwarded-For;

	access_log  /dev/stdout main if=$loggable;
	error_log   /dev/stderr warn;

	gzip on;
	gzip_types text/css application/javascript application/json application/font-woff application/font-tff;
	gzip_proxied any;

	charset UTF-8;
	client_max_body_size 1256M;
    fastcgi_read_timeout 900;
	root  /var/www/public;
	index index.php index.html index.htm;

    # セキュリティー用ヘッダ
	add_header Strict-Transport-Security 'max-age=31536000' always;
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy same-origin;


    location / {
        if ($origin_allowed_method = 'OKOPTIONS') {
            add_header Access-Control-Allow-Origin $http_origin always;
            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE';
            add_header Access-Control-Allow-Headers *;
            add_header Access-Control-Max-Age 3600;
            add_header Content-Type 'text/plain charset=UTF-8';
            add_header Content-Length 0;
            return 204;
         }
        try_files $uri $uri/ /index.php?$query_string;
    }

	location ~* \.(jpg|jpeg|gif|png|css|js|swf|ico|pdf|svg|eot|ttf|woff)$ {
        if ( $origin_allowed = 'OK') {
		    add_header Access-Control-Allow-Origin $http_origin always;
            #add_header Access-Control-Allow-Headers 'Origin, Authorization, Accept, Content-Type';
		    #add_header Access-Control-Allow-Methods 'POST, GET, OPTIONS';
        }

        expires 30d;
		access_log off;
	}

    location ~ \.php$ {
        root /var/www/public;
        if ( $origin_allowed = 'OK') {
            add_header Access-Control-Allow-Origin $origin always;
            add_header Access-Control-Allow-Credentials true;
            add_header X-Frame-Options DENY;
            add_header Cache-control no-store;
            add_header Pragma no-cache;
        }
        add_header X-Frame-Options DENY;
        add_header Cache-control no-store;
        add_header Pragma no-cache;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  localhost:9000;
        fastcgi_index index.php;

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;

        fastcgi_connect_timeout 600;
        fastcgi_read_timeout    600;
        fastcgi_send_timeout    600;
    }
}