green-spider-webapp/config/nginx/nginx_prod.conf

user nginx;
worker_processes  1;

error_log stderr warn;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    proxy_cache_path /var/cache/nginx/cache-api keys_zone=api:1m;
    proxy_cache_path /var/cache/nginx/cache-screenshots keys_zone=screenshots:1m;

    upstream gs {
      server     storage.googleapis.com:443;
      keepalive  128;
    }
    
    # This server redirects all requests to the HTTPS server
    server {
      listen *:80;
      rewrite ^/$ https://green-spider.netzbegruenung.de/ redirect;
    }

    server {
      listen *:443;

      ssl on;
      ssl_certificate /etc/letsencrypt/live/green-spider.netzbegruenung.de/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/green-spider.netzbegruenung.de/privkey.pem;

      root /usr/share/nginx/html;

      # css, js never change
      location /static/ {
        expires 100d;
      }

      # The last-updated resource will be cached for 5 minutes max.
      location /api/v1/spider-results/last-updated/ {
        proxy_pass http://api:5000/api/v1/spider-results/last-updated/;
        proxy_cache api;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 3s;
        proxy_cache_use_stale updating;
        proxy_cache_valid 200 5m;
        proxy_cache_valid any 30m;
        proxy_set_header X-Real-IP $remote_addr;
      }

      # All other API calls are cached for 6 hours
      location /api/ {
        proxy_pass http://api:5000;
        proxy_cache api;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 15s;
        proxy_cache_use_stale updating;
        proxy_cache_valid 200 6h;
        proxy_cache_valid any 60m;
        proxy_set_header X-Real-IP $remote_addr;
      }

      location /screenshots/ {
        resolver 8.8.8.8 ipv6=off;

        rewrite /screenshots/(.*) /$1 break;
        proxy_pass https://gs/green-spider-screenshots.sendung.de/$1;
        proxy_http_version 1.1;
        proxy_set_header Host storage.googleapis.com;
        proxy_set_header Connection "";
        proxy_intercept_errors on;
        
        proxy_cache screenshots;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        proxy_cache_use_stale updating;
        proxy_cache_valid 200 24h;
        proxy_cache_valid any 3h;

        proxy_hide_header       alt-svc;
        proxy_hide_header       X-GUploader-UploadID;
        proxy_hide_header       alternate-protocol;
        proxy_hide_header       x-goog-hash;
        proxy_hide_header       x-goog-generation;
        proxy_hide_header       x-goog-metageneration;
        proxy_hide_header       x-goog-stored-content-encoding;
        proxy_hide_header       x-goog-stored-content-length;
        proxy_hide_header       x-goog-storage-class;
        proxy_hide_header       x-xss-protection;
        proxy_hide_header       accept-ranges;
        proxy_hide_header       Set-Cookie;
        proxy_ignore_headers    Set-Cookie;
      }

      location / {
        try_files $uri $uri/ /index.html;
      }

    }

    include /mime.types;

    default_type application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time';

    access_log /dev/stdout main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    gzip on;
    gzip_types application/json application/javascript application/x-javascript text/css;

    include /etc/nginx/conf.d/*.conf;
}