static.example.com.conf

##
# Remote static file proxy settings, and support to forward the target to the squid proxy
#
# Proxies:
# - https://static.example.com/*/http://others.com/asset.js -> http://others.com/asset.js
##

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name static.example.com;

    include /etc/nginx/vhost.d/static.example.com/*.conf;

    # https://static.example.com/*/http://others.com/asset.js -> http://others.com/asset.js
    ## https://www.mediasuite.co.nz/blog/proxying-s3-downloads-nginx/
    location ~* ^/\*/(http[s]?):?/(.*?)/(.*)$ {
        # Note: Remove the directive 'internal;' to accept the external requests,
        #       otherwise it will return 404 for the external requests.
        #       See http://nginx.org/en/docs/http/ngx_http_core_module.html#internal
        set $backend_protocol   $1;
        set $backend_host       $2;
        set $backend_path       $3;
        set $backend_uri        $backend_host/$backend_path$is_args$args;
        set $backend_url        $backend_protocol://$backend_uri;

        # Headers for the remote server, unset Authorization and Cookie for security reasons.
        proxy_set_header Host $backend_host;
        proxy_set_header Authorization '';
        proxy_set_header Cookie '';

        # Stops the local disk from being written to (just forwards data through)
        proxy_max_temp_file_size 0;

        # Forward the target to the squid proxy
        ## https://serverfault.com/questions/583743/how-to-make-an-existing-caching-nginx-proxy-use-another-proxy-to-bypass-a-firewa#683955
        ## Hide the reponse header to protect the backend proxy
        ### http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
        proxy_hide_header Via;
        proxy_hide_header X-Cache;
        proxy_hide_header X-Cache-Hits;
        proxy_hide_header X-Cache-Lookup;
        proxy_hide_header X-Fastly-Request-ID;
        proxy_hide_header X-Served-By;
        proxy_hide_header X-Timer;
        rewrite ^(.*)$      "://$backend_uri"           break;
        rewrite ^(.*)$      "$backend_protocol$1"       break;
        proxy_pass http://<squid ip>:3128;

        # Proxy to the target directly
        #proxy_pass $backend_url;

        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_backend_redirect;
    }

    # Nginx Embedded Variables: http://nginx.org/en/docs/varindex.html
    location @handle_backend_redirect {
        return 302 $scheme://$host/*/$upstream_http_location;
    }
}