api.conf

if ($_origin_allowed = '') {
  return              404   'ERROR: origin `$http_origin` is not allowed';
}
if ($http_x_jsproxy) {
  return              404   'ERROR: circular dependency';
}
proxy_set_header      x-jsproxy   1;
proxy_set_header      Connection  $http_connection;

set                   $_url       '';
set                   $_ver       '';


location = /preflight {
  internal;
  more_set_headers
    'access-control-allow-origin: *'
    'access-control-allow-methods: GET,POST,PUT,DELETE,HEAD,OPTIONS'
    'access-control-allow-headers: --url,--referer,--cookie,--origin,--ext,--aceh,--ver,accept,accept-charset,accept-encoding,accept-language,accept-datetime,authorization,cache-control,content-length,content-type,date,if-match,if-modified-since,if-none-match,if-range,if-unmodified-since,max-forwards,pragma,range,te,upgrade,upgrade-insecure-requests,x-requested-with,chrome-proxy'
    'access-control-max-age: 1728000'
  ;
  return              204;
}


# HTTP(S) Proxy
location = /http {
  if ($request_method = 'OPTIONS') {
    rewrite           ^   /preflight;
  }

  # decode req headers
  access_by_lua_block {
    local hdrs, err = ngx.req.get_headers()
    local extHdrs

    for k, v in pairs(hdrs) do
      if k:sub(1, 2) ~= '--' then
        goto continue
      end

      ngx.req.clear_header(k)
      k = k:sub(3)

      if k == 'url' then
        ngx.var._url = v
      elseif k == 'ver' then
        ngx.var._ver = v
      elseif k == 'aceh' then
        ngx.ctx._aceh = 1
      elseif k == 'ext' then
        extHdrs = require('cjson').decode(v)
      else
        ngx.req.set_header(k, v)
      end

      ::continue::
    end

    if extHdrs then
      for k, v in pairs(extHdrs) do
        ngx.req.set_header(k, v)
      end
    end
  }

  proxy_cache           my_cache;
  proxy_pass            $_url;

  more_set_headers
    'server: $upstream_http_server'
    'content-security-policy'
    'content-security-policy-report-only'
    'x-frame-options'
  ;

  # encode res headers
  header_filter_by_lua_block {
    local expose = '*'
    local detail = (ngx.ctx._aceh == 1)
    local vary = '--url'

    local h, err = ngx.resp.get_headers()
    for k, v in pairs(h) do
      if
        -- headers to escape --
        k == 'access-control-allow-origin' or
        k == 'access-control-expose-headers' or
        k == 'location' or
        k == 'set-cookie'
      then
        if type(v) == 'table' then
          for i = 1, #v do
            local x = i .. '-' .. k
            ngx.header[x] = v[i]

            if detail then
              expose = expose .. ',' .. x
            end
          end
        else
          local x = '--' .. k
          ngx.header[x] = v

          if detail then
            expose = expose .. ',' .. x
          end
        end
        ngx.header[k] = nil

      elseif k == 'vary' then
        if type(v) == 'table' then
          vary = vary .. ', ' .. table.concat(v, ', ')
        else
          vary = vary .. ', ' .. v
        end

      elseif detail and
        -- not simple header --
        k ~= 'cache-control' and
        k ~= 'cache-language' and
        k ~= 'content-type' and
        k ~= 'expires' and
        k ~= 'last-modified' and
        k ~= 'pragma'
      then
        expose = expose .. ',' .. k
      end
    end

    if detail then
      expose = expose .. ',--s'
      ngx.header['--t'] = '1'
    end

    ngx.header['access-control-expose-headers'] = expose
    ngx.header['access-control-allow-origin'] = '*'
    ngx.header['vary'] = vary
    ngx.header['--s'] = ngx.status
    ngx.status = 200
  }
}


# WebSocket Proxy
location = /ws {
  access_by_lua_block {
    local query, err = ngx.req.get_uri_args()

    for k, v in pairs(query) do
      if k == 'url__' then
        ngx.var._url = v
      elseif k == 'ver__' then
        ngx.var._ver = v
      else
        ngx.req.set_header(k, v)
      end
    end
  }
  proxy_pass            $_url;
}