# 特定のOriginの場合のみCORS用ヘッダを返すための設定
# $http_originはOriginリクエストヘッダーの中身が入る。
# https://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_
# OriginリクエストヘッダーはCORSリクエスト、POSTリクエストで送信される。普通にGETするだけだと送信されないので注意
map $http_origin $origin_allowed {
    #default 'NG';
    default 'OK'; # ローカルは全て通し！
}

map $origin_allowed $origin {
    default null;
    # 'OK' $http_origin;
    'OK' '*';
}

server {
    listen 80;
    listen 443 ssl;

    server_name stg.icanapp.org.au;

    ssl_certificate /etc/nginx/conf.d/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/key.pem;
    
    # nginxはifでANDが使えないので文字列を組み合わせてAND代わりにする
    set $origin_allowed_method $origin_allowed$request_method;

    access_log  /dev/stdout main;
    error_log   /dev/stderr warn;

    gzip on;
    gzip_types text/css application/javascript application/json application/font-woff application/font-tff;
    gzip_proxied any;

    charset UTF-8;
    client_max_body_size 256M;
    fastcgi_read_timeout 900;
    root  /var/www/public;
    index index.php index.html index.htm;

    # セキュリティー用ヘッダ
    add_header Strict-Transport-Security 'max-age=31536000' always;
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy same-origin;


    location / {
        if ($origin_allowed_method = 'OKOPTIONS') {
            add_header Access-Control-Allow-Origin $origin always;
            add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE';
            add_header Access-Control-Allow-Headers *;
            add_header Access-Control-Max-Age 3600;
            add_header Content-Type 'text/plain charset=UTF-8';
            add_header Content-Length 0;
            return 204;
        }
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~* \.(jpg|jpeg|gif|png|css|js|swf|ico|pdf|svg|eot|ttf|woff)$ {
        if ( $origin_allowed = 'OK') {
            add_header Access-Control-Allow-Origin $origin always;
            add_header Access-Control-Allow-Headers 'Origin, Authorization, Accept, Content-Type';
            add_header Access-Control-Allow-Methods 'POST, GET, OPTIONS';
        }

        expires 30d;
        access_log off;
    }

    location ~ \.php$ {
        root /var/www/public;

        # PHPの方でCORSを許可する
        #if ( $origin_allowed = 'OK') {
        #    add_header Access-Control-Allow-Origin $origin always;
        #    add_header Access-Control-Allow-Credentials true;
        #}

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  php-fpm:9000;
        fastcgi_index index.php;

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;

        fastcgi_connect_timeout 600;
        fastcgi_read_timeout    600;
        fastcgi_send_timeout    600;

        fastcgi_hide_header X-Powered-By;
    }
}