# 特定のOriginの場合のみCORS用ヘッダを返すための設定 # $http_originはOriginリクエストヘッダーの中身が入る。 # https://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_ # OriginリクエストヘッダーはCORSリクエスト、POSTリクエストで送信される。普通にGETするだけだと送信されないので注意 map $http_origin $origin_allowed { #default 'NG'; default 'OK'; # ローカルは全て通し! } map $origin_allowed $origin { default null; # 'OK' $http_origin; 'OK' '*'; } server { listen 80; listen 443 ssl; server_name stg.icanapp.org.au; ssl_certificate /etc/nginx/conf.d/ssl/cert.pem; ssl_certificate_key /etc/nginx/conf.d/ssl/key.pem; # nginxはifでANDが使えないので文字列を組み合わせてAND代わりにする set $origin_allowed_method $origin_allowed$request_method; access_log /dev/stdout main; error_log /dev/stderr warn; gzip on; gzip_types text/css application/javascript application/json application/font-woff application/font-tff; gzip_proxied any; charset UTF-8; client_max_body_size 256M; fastcgi_read_timeout 900; root /var/www/public; index index.php index.html index.htm; # セキュリティー用ヘッダ add_header Strict-Transport-Security 'max-age=31536000' always; add_header Content-Security-Policy upgrade-insecure-requests; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; location / { if ($origin_allowed_method = 'OKOPTIONS') { add_header Access-Control-Allow-Origin $origin always; add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE'; add_header Access-Control-Allow-Headers *; add_header Access-Control-Max-Age 3600; add_header Content-Type 'text/plain charset=UTF-8'; add_header Content-Length 0; return 204; } try_files $uri $uri/ /index.php?$query_string; } location ~* \.(jpg|jpeg|gif|png|css|js|swf|ico|pdf|svg|eot|ttf|woff)$ { if ( $origin_allowed = 'OK') { add_header Access-Control-Allow-Origin $origin always; add_header Access-Control-Allow-Headers 'Origin, Authorization, Accept, Content-Type'; add_header Access-Control-Allow-Methods 'POST, GET, OPTIONS'; } expires 30d; access_log off; } location ~ \.php$ { root /var/www/public; # PHPの方でCORSを許可する #if ( $origin_allowed = 'OK') { # add_header Access-Control-Allow-Origin $origin always; # add_header Access-Control-Allow-Credentials true; #} fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass php-fpm:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_connect_timeout 600; fastcgi_read_timeout 600; fastcgi_send_timeout 600; fastcgi_hide_header X-Powered-By; } }