fasada/services/etc/nginx/sites/example.com.conf

# www.example.com website
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;
    
    # general vhost settings
    access_log /srv/logs/nginx/example.com.access.log combined;
    error_log /srv/logs/nginx/example.com.error.log error;
    
    # ssl keycert
    ssl_certificate     /srv/data/secrets/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /srv/data/secrets/letsencrypt/live/example.com/privkey.pem;
    
    # TLS settings
    # can't set headers in an if that is *not* in a location,
    # so we need to work around this
    add_header Strict-Transport-Security "max-age=31536000";

    # TLS letsencrypt stateless acme config
    # no need for webroot and stuff
    # 
    # this is described for acme.sh,
    # but should work with any LE client
    # https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
        default_type text/plain;
        return 200 "$1.<ACME_THUMBPRINT>";
    }
    
    # basic proxy params
    import snippets/proxy_headers_general.conf;

    # proxy zone
    proxy_cache fasada;
    # use stale cached resources in case upstream is not available for some reason
    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    proxy_cache_background_update on;
    proxy_cache_revalidate on;
    proxy_cache_lock on;
    
    # reasonable default
    proxy_cache_valid 200 10s;


    # admin area *has to* be uncached; blocking here,
    # should be made available on admin.domain.tld
    location ~* ^/(wp-admin|admin|login|wp-login|signin).* {
        add_header X-Proxy-Cache $upstream_cache_status;
        proxy_cache off;
        return 403;
    }

    # WordPress themes
    location ~* ^/wp-content/themes/.* {

        # forced cache
        include snippets/proxy_headers_caching.conf;
        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;
        
        # settings for this location block
        add_header Cache-Control "public";
        proxy_cache_valid 200 301 302 303 307 308 30m;
        proxy_cache_valid 404                     30s;
        expires 30m;
        
        # no need for access log for these
        access_log off;
        proxy_pass http://127.0.0.1:10080;
        
    }

    # robots.txt, favicons, apple icons, etc
    location ~* .*/(robots\.txt|favicon\.ico|apple-touch-icon\.png|apple-touch-icon-precomposed\.png)$ {

        # forced cache
        include snippets/proxy_headers_caching.conf;
        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;
        
        # settings for this location block
        add_header Cache-Control "public";
        proxy_cache_valid 200 301 302 303 307 308 5h;
        proxy_cache_valid 404                     30s;
        expires 5h;
        
        # no need for access log for these
        access_log off;
        proxy_pass http://127.0.0.1:10080;
    }

    # images and other static resources
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|json|woff|woff2|ttf|otf|bmp|cur|gz|svgz|mp4|ogg|ogv|webm|htc|mp4|mpeg|mp3|txt|pdf)$ {
        
        # forced cache
        include snippets/proxy_headers_caching.conf;
        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;
        
        # settings for this location block
        add_header Cache-Control "public";
        proxy_cache_valid 200 301 302 303 307 308 15m;
        proxy_cache_valid 404                     30s;
        expires 15m;
        
        proxy_pass http://127.0.0.1:10080;
    }

    # reverse proxy to upstream, for *everything else*
    # caching for 1 minute
    location / {
    
        # if redirect_fbclid map is active, do 301 to the new url
        if ( $redirect_fbclid ) {
            return 301 $redirect_fbclid;
        }
        
        # forced cache
        include snippets/proxy_headers_caching.conf;
        # generic settings we need to re-include due to the above using `proxy_set_header`
        # and thus invalidating the parent block-level use of it
        include snippets/proxy_headers_general.conf;
        
        # settings for this location block
        add_header Cache-Control "no-store";
        proxy_cache_valid 200 301 302 303 307 308 20s;
        proxy_cache_valid 404                     20s;
        
        # some basic security headers
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options SAMEORIGIN;
        
        proxy_pass http://127.0.0.1:10080;
    }

}