env AWS_ACCESS_KEY_ID;
env AWS_SECRET_ACCESS_KEY;
env S3_BUCKET_NAME;

worker_processes 1;

events {
  worker_connections 1024;
}

http {
  lua_load_resty_core off;
  lua_package_path "/tmp/lua-resty-core/lib/?.lua;/tmp/lua/?.lua;;";
  client_max_body_size 100m;
  client_body_buffer_size 128k;
  proxy_buffer_size 32k;
  proxy_buffers 4 32k;
  lua_need_request_body on;
  lua_socket_buffer_size 128k;

  server {
    listen 80;
    client_max_body_size 0;

    location /healthcheck {
      add_header Content-Type text/plain;
      return 200 'Ok';
      access_log off;
    }

    location ~* ^/upload {
      if ($request_method = 'OPTIONS') {
        # Tell client that this pre-flight info is valid for 20 days
        add_header 'Access-Control-Allow-Origin' "*" ;
        add_header 'Access-Control-Allow-Credentials' 'true' ;
        add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
      }
      if ($request_method != PUT) {
        return 404;
      }

      set_secure_random_alphanum $prefix 64;
      set_sha1 $prefixsha $prefix;
      set_by_lua $time "os.time()";
      set_by_lua $date "return os.date('%a, %d %b %Y %H:%M:%S GMT', tonumber(ngx.var.time))";
      set_by_lua $day "return os.date('%Y%m%d', tonumber(ngx.var.time))";
      set_sha1 $datesha $date;
      set $key $prefixsha$datesha;
      set_by_lua $bucket "return os.getenv('S3_BUCKET_NAME')";
      set $url https://$bucket.s3-eu-west-1.amazonaws.com/$day/$key;
      set $returnurl https://uploads.paidit.se/$day/$key;
      set $acl public-read;
      set $contentSha256 "";

      access_by_lua_block {
        local sha256 = require("sha256")
        ngx.req.read_body()
        local body = ngx.req.get_body_data()
        local contentSha256 = sha256.sha256(body)
        ngx.var.contentSha256 = contentSha256
      }

      set_by_lua_block $authorization {
        local sign = require("sign")
        local headers = {["x-amz-acl"] = ngx.var.acl, ["x-amz-date"] = ngx.var.date, ["host"] = "upload.unbound.se.s3-eu-west-1.amazonaws.com"}
        local region = "eu-west-1"
        return sign.sign(os.getenv("AWS_ACCESS_KEY_ID"), os.getenv("AWS_SECRET_ACCESS_KEY"), os.time(), "upload.unbound.se", ngx.var.request_uri, headers, ngx.var.contentSha256, region)
      }

      proxy_set_header date $date;
      proxy_set_header x-amz-acl $acl;
      proxy_set_header x-amz-date $date;
      proxy_set_header x-amz-content-sha256 $contentSha256;
      proxy_set_header Authorization $authorization;
      proxy_hide_header x-amz-id-2;
      proxy_hide_header x-amz-request-id;
      add_header X-File-URL $returnurl;

      resolver 8.8.8.8 valid=300s;
      resolver_timeout 10s;
      add_header 'Access-Control-Expose-Headers' 'X-File-Url';

      add_header X-debug-message $authorization always;

      proxy_pass $url;
    }
  }
}