docker/images/files/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 2048;
    # multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 30;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server_tokens off;

    reset_timedout_connection on;
    client_body_timeout 30s;
    client_header_timeout 30s;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    error_log /dev/stderr;
    access_log /dev/stdout;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_static on;
    gzip_comp_level 4;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;

    gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json;

    resolver $PENPOT_INTERNAL_RESOLVER;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    proxy_cache_path /tmp/cache/ levels=2:2 keys_zone=penpot:20m;
    proxy_cache_methods GET HEAD;
    proxy_cache_valid any 48h;
    proxy_cache_key "$host$request_uri";

    include /etc/nginx/overrides.d/*.conf;

    server {
        listen 80 default_server;
        server_name _;

        client_max_body_size 100M;
        charset utf-8;

        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        etag off;

        root /var/www/app/;

        location @handle_redirect {
            set $redirect_uri "$upstream_http_location";
            set $redirect_host "$upstream_http_x_host";
            set $redirect_cache_control "$upstream_http_cache_control";
            set $real_mtype "$upstream_http_x_mtype";

            proxy_buffering off;

            proxy_set_header Host "$redirect_host";
            proxy_hide_header etag;
            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            proxy_hide_header x-amz-meta-server-side-encryption;
            proxy_hide_header x-amz-server-side-encryption;
            proxy_pass $redirect_uri;

            add_header x-internal-redirect "$redirect_uri";
            add_header x-cache-control "$redirect_cache_control";
            add_header cache-control "$redirect_cache_control";
            add_header content-type "$real_mtype";
        }

        location /assets {
            proxy_pass $PENPOT_BACKEND_URI/assets;
            recursive_error_pages on;
            proxy_intercept_errors on;
            error_page 301 302 307 = @handle_redirect;
        }

        location /internal/assets {
            internal;
            alias /opt/data/assets;
            add_header x-internal-redirect "$upstream_http_x_accel_redirect";
        }

        location /api/export {
            proxy_pass $PENPOT_EXPORTER_URI;
        }

        location /api {
            proxy_pass $PENPOT_BACKEND_URI/api;
        }

        location /readyz {
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass $PENPOT_BACKEND_URI$request_uri;
        }

        location /ws/notifications {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_pass $PENPOT_BACKEND_URI/ws/notifications;
        }

        location / {
            location ~ ^/github/penpot-files/(?<template_file>[a-zA-Z0-9\-\_\.]+) {
                proxy_pass https://raw.githubusercontent.com/penpot/penpot-files/main/$template_file;
                proxy_hide_header Access-Control-Allow-Origin;
                proxy_set_header User-Agent "curl/7.74.0";
                proxy_set_header Host "raw.githubusercontent.com";
                proxy_set_header Accept "*/*";
                add_header Access-Control-Allow-Origin $http_origin;
                proxy_buffering off;
            }

            location ~ ^/internal/gfonts/font/(?<font_file>.+) {
                proxy_pass https://fonts.gstatic.com/s/$font_file;

                proxy_hide_header Access-Control-Allow-Origin;
                proxy_hide_header Cross-Origin-Resource-Policy;
                proxy_hide_header Link;
                proxy_hide_header Alt-Svc;
                proxy_hide_header Cache-Control;
                proxy_hide_header Expires;
                proxy_hide_header Cross-Origin-Opener-Policy;
                proxy_hide_header Report-To;

                proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

                proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
                proxy_set_header Host "fonts.gstatic.com";
                proxy_set_header Accept "*/*";

                proxy_cache penpot;

                add_header Access-Control-Allow-Origin $http_origin;
                add_header Cache-Control max-age=86400;
                add_header X-Cache-Status $upstream_cache_status;
            }

            location ~ ^/internal/gfonts/css {
                proxy_pass https://fonts.googleapis.com/css?$args;
                proxy_hide_header Access-Control-Allow-Origin;
                proxy_hide_header Cross-Origin-Resource-Policy;
                proxy_hide_header Link;
                proxy_hide_header Alt-Svc;
                proxy_hide_header Cache-Control;
                proxy_hide_header Expires;

                proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

                proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
                proxy_set_header Host "fonts.googleapis.com";
                proxy_set_header Accept "*/*";

                proxy_cache penpot;

                add_header Access-Control-Allow-Origin $http_origin;
                add_header Cache-Control max-age=86400;
                add_header X-Cache-Status $upstream_cache_status;
            }

            location ~ ^/js/config.js$ {
                add_header Cache-Control "no-store, no-cache, max-age=0" always;
            }

            location ~* \.(js|css|jpg|svg|png|mjs|map)$ {
                add_header Cache-Control "max-age=604800" always; # 7 days
            }

            location ~ ^/(/|css|fonts|images|js|wasm|mjs|map) {
            }

            location ~ ^/[^/]+/(.*)$ {
                return 301 " /404";
            }

            add_header Last-Modified $date_gmt;
            add_header Cache-Control "no-store, no-cache, max-age=0" always;
            if_modified_since off;
            try_files $uri /index.html$is_args$args /index.html =404;
        }
    }
}