fbclid fix; major fixes for caching config

services/etc/nginx/nginx.conf

@@ -164,7 +164,11 @@ http {
     proxy_max_temp_file_size 0;
 
     # Defines a timeout for establishing a connection with a proxied server.
-    # It should be noted that this timeout cannot usually exceed 75 seconds. 
+    # It should be noted that this timeout cannot usually exceed 75 seconds.
+    # 
+    # This should be short; we want the back-end to time-out before the client
+    # connection does. This way the visitor receives a cached version instead
+    # of a generic timeout
     proxy_connect_timeout   2;
 
     # Sets a timeout for transmitting a request to the proxied server.
@@ -182,6 +186,15 @@ http {
     proxy_read_timeout      5;
 
     
+    # redirect map in http block - remove fbclid argument from the end
+    # context:
+    # https://gist.github.com/lynt-smitka/b5ff2cab70443c17a214006a4d5bc48c
+    # https://community.cloudflare.com/t/facebook-now-adds-fbclid-query-string-to-urls-busting-cloudflares-cache/40355
+    map $request_uri $redirect_fbclid {
+        "~^(.*?)([?&]fbclid=[a-zA-Z0-9_-]+)$"  $1;
+    }
+
+    
     ##
     # Virtual Host Configs
     ##

services/etc/nginx/sites/admin.example.com.conf

@@ -13,18 +13,10 @@ server {
     ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
     
     # TLS settings
-    # can't set headers in an if that is *not* in a location,
-    # so we need to work around this
     add_header Strict-Transport-Security "max-age=31536000";
 
-    # proxy params, mainly for properly tracking visitors
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    # needed for keepalive to work
-    proxy_set_header Connection "";
-    proxy_http_version 1.1;
+    # basic proxy params
+    import snippets/proxy_headers_general.conf;
 
     # tls letsencrypt stateless acme config
     # no need for webroot and stuff
@@ -37,7 +29,8 @@ server {
         return 200 "$1.<ACME_THUMBPRINT>";
     }
 
-    # set proxy zone
+    # set proxy zone to off
+    # we want no caching of the admin interface
     proxy_cache off;
 
     # reverse proxy to upstream

services/etc/nginx/sites/example.com.conf

@@ -28,14 +28,8 @@ server {
         return 200 "$1.<ACME_THUMBPRINT>";
     }
     
-    # proxy params, mainly for properly tracking visitors
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    # needed for keepalive to work
-    proxy_set_header Connection "";
-    proxy_http_version 1.1;
+    # basic proxy params
+    import snippets/proxy_headers_general.conf;
 
     # proxy zone
     proxy_cache fasada;
@@ -43,14 +37,17 @@ server {
     proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
     proxy_cache_background_update on;
     proxy_cache_revalidate on;
-    proxy_cache_valid 200 1h;
     proxy_cache_lock on;
+    
+    # reasonable default
+    proxy_cache_valid 200 10s;
 
 
-    # admin area *have to* be uncached; blocking here
+    # admin area *has to* be uncached; blocking here,
     # should be made available on admin.domain.tld
     location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
         add_header X-Proxy-Cache $upstream_cache_status;
+        proxy_cache off;
         return 403;
     }
 
@@ -58,21 +55,20 @@ server {
     location ~* ^/wp-content/themes/.* {
 
         # forced cache
-        proxy_cache_bypass 0;
-        proxy_hide_header Set-Cookie;
-        proxy_hide_header Expires;
-        proxy_hide_header Cache-Control;
-        proxy_hide_header Pragma;
-        proxy_ignore_headers Set-Cookie Expires Cache-Control;
-        add_header Cache-Control "public";
-        expires 30m;
-        add_header X-Proxy-Cache-WP themes;
+        include snippets/proxy_headers_caching.conf;
+        # generic settings we need to re-include due to the above using `proxy_set_header`
+        # and thus invalidating the parent block-level use of it
+        include snippets/proxy_headers_general.conf;
         
-        # debugging
-        add_header X-Proxy-Cache $upstream_cache_status;
+        # settings for this location block
+        add_header Cache-Control "public";
+        proxy_cache_valid 200 301 302 303 307 308 30m;
+        proxy_cache_valid 404                     30s;
+        expires 30m;
         
         # no need for access log for these
         access_log off;
+        add_header X-OCCRP-Fasada-Content wp-themes;
         proxy_pass http://127.0.0.1:10080;
         
     }
@@ -81,14 +77,17 @@ server {
     location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {
 
         # forced cache
-        proxy_cache_bypass 0;
+        include snippets/proxy_headers_caching.conf;
+        # generic settings we need to re-include due to the above using `proxy_set_header`
+        # and thus invalidating the parent block-level use of it
+        include snippets/proxy_headers_general.conf;
+        
+        # settings for this location block
         add_header Cache-Control "public";
         proxy_cache_valid 200 301 302 303 307 308 5h;
+        proxy_cache_valid 404                     30s;
         expires 5h;
         
-        # debugging
-        add_header X-Proxy-Cache $upstream_cache_status;
-        
         # no need for access log for these
         access_log off;
         proxy_pass http://127.0.0.1:10080;
@@ -98,12 +97,16 @@ server {
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
         
         # forced cache
-        proxy_cache_bypass 0;
-        add_header Cache-Control "public";
-        proxy_cache_valid 200 301 302 303 307 308 1h;
-        expires 1h;
+        include snippets/proxy_headers_caching.conf;
+        # generic settings we need to re-include due to the above using `proxy_set_header`
+        # and thus invalidating the parent block-level use of it
+        include snippets/proxy_headers_general.conf;
         
-        add_header X-Proxy-Cache $upstream_cache_status;
+        # settings for this location block
+        add_header Cache-Control "public";
+        proxy_cache_valid 200 301 302 303 307 308 15m;
+        proxy_cache_valid 404                     30s;
+        expires 15m;
         
         proxy_pass http://127.0.0.1:10080;
     }
@@ -111,18 +114,27 @@ server {
     # reverse proxy to upstream, for *everything else*
     # caching for 1 minute
     location / {
+    
+        # if redirect_fbclid map is active, do 301 to the new url
+        if ( $redirect_fbclid ) {
+            return 301 $redirect_fbclid;
+        }
+        
         # forced cache
-        proxy_cache_bypass 0;
-        proxy_hide_header Set-Cookie;
-        proxy_hide_header Expires;
-        proxy_hide_header Cache-Control;
-        proxy_hide_header Pragma;
-        proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
+        include snippets/proxy_headers_caching.conf;
+        # generic settings we need to re-include due to the above using `proxy_set_header`
+        # and thus invalidating the parent block-level use of it
+        include snippets/proxy_headers_general.conf;
+        
+        # settings for this location block
         add_header Cache-Control "no-store";
         proxy_cache_valid 200 301 302 303 307 308 20s;
-        add_header X-Proxy-Cache $upstream_cache_status;
+        proxy_cache_valid 404                     20s;
+        
+        # some basic security headers
         add_header Content-Security-Policy "frame-ancestors 'self'";
         add_header X-Frame-Options SAMEORIGIN;
+        
         proxy_pass http://127.0.0.1:10080;
     }
 

services/etc/nginx/snippets/proxy_headers_caching.conf

@@ -0,0 +1,31 @@
+# caching-related proxy headers
+# 
+# this has to be included in every cached location separately
+# along with proxy_headers_general
+# because proxy_set_header used in a location invalidates
+# *all* proxy_set_headers used in the parent blocks, fo *all* headers.
+
+# this hides any cookies from the back-end
+# 
+# it does *not* modify the response from the backend to the client
+# (use proxy_hide_header for that)
+proxy_set_header Cookie "";
+
+# force the cache *not* to be by-passed
+proxy_cache_bypass 0;
+
+# hide certain headers from the client
+# 
+# that is, modify backend's response, removing certain headers from it
+# so that the client cannot get them
+proxy_hide_header Set-Cookie;
+proxy_hide_header Expires;
+proxy_hide_header Cache-Control;
+proxy_hide_header Pragma;
+
+# ignore certain headers that usually invalidate the cache
+# since we want to force everything to be cached
+proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires;
+
+# debugging
+add_header X-Proxy-Cache-Status $upstream_cache_status;

services/etc/nginx/snippets/proxy_headers_general.conf

@@ -0,0 +1,14 @@
+# general proxy headers
+# 
+# this is needed because we might need to include this
+# in every location block we're using `proxy_set_header` explicitly in
+# like for caching, for example
+
+# proxy params, mainly for properly tracking visitors
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+# needed for keepalive to work
+proxy_set_header Connection "";
+proxy_http_version 1.1;