server {
    listen 9999;
    server_name YOUR_DOMAIN_HERE;

    client_max_body_size 100M;
    charset utf-8;

    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # needed for resolving google fonts domains
    # better use your own dns server
    # resolver 8.8.8.8;

    etag off;

    root /usr/share/webapps/penpot/;

    location @handle_redirect {
        set $redirect_uri "$upstream_http_location";
        set $redirect_host "$upstream_http_x_host";
        set $redirect_cache_control "$upstream_http_cache_control";
        set $real_mtype "$upstream_http_x_mtype";

        proxy_buffering off;

        proxy_set_header Host "$redirect_host";
        proxy_hide_header etag;
        proxy_hide_header x-amz-id-2;
        proxy_hide_header x-amz-request-id;
        proxy_hide_header x-amz-meta-server-side-encryption;
        proxy_hide_header x-amz-server-side-encryption;
        proxy_pass $redirect_uri;

        add_header x-internal-redirect "$redirect_uri";
        add_header x-cache-control "$redirect_cache_control";
        add_header cache-control "$redirect_cache_control";
        add_header content-type "$real_mtype";
    }

    location /assets {
        proxy_pass http://localhost:6060/assets;
        recursive_error_pages on;
        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirect;
    }

    location /internal/assets {
        internal;
        alias /var/lib/penpot;
        add_header x-internal-redirect "$upstream_http_x_accel_redirect";
    }

    location /api/export {
	proxy_pass http://localhost:6061;
    }

    location /api {
	proxy_pass http://localhost:6060/api;
    }

    location /readyz {
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:6060$request_uri;
    }

    location /ws/notifications {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_pass http://localhost:6060/ws/notifications;
    }

    location / {
        location ~ ^/github/penpot-files/(?<template_file>[a-zA-Z0-9\-\_\.]+) {
            proxy_pass https://raw.githubusercontent.com/penpot/penpot-files/main/$template_file;
            proxy_hide_header Access-Control-Allow-Origin;
            proxy_set_header User-Agent "curl/7.74.0";
            proxy_set_header Host "raw.githubusercontent.com";
            proxy_set_header Accept "*/*";
            add_header Access-Control-Allow-Origin $http_origin;
            proxy_buffering off;
        }

        location ~ ^/internal/gfonts/font/(?<font_file>.+) {
            proxy_pass https://fonts.gstatic.com/s/$font_file;

            proxy_hide_header Access-Control-Allow-Origin;
            proxy_hide_header Cross-Origin-Resource-Policy;
            proxy_hide_header Link;
            proxy_hide_header Alt-Svc;
            proxy_hide_header Cache-Control;
            proxy_hide_header Expires;
            proxy_hide_header Cross-Origin-Opener-Policy;
            proxy_hide_header Report-To;

            proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

            proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
            proxy_set_header Host "fonts.gstatic.com";
            proxy_set_header Accept "*/*";

            # proxy_cache penpot;

            add_header Access-Control-Allow-Origin $http_origin;
            add_header Cache-Control max-age=86400;
            add_header X-Cache-Status $upstream_cache_status;
        }

        location ~ ^/internal/gfonts/css {
            proxy_pass https://fonts.googleapis.com/css?$args;
            proxy_hide_header Access-Control-Allow-Origin;
            proxy_hide_header Cross-Origin-Resource-Policy;
            proxy_hide_header Link;
            proxy_hide_header Alt-Svc;
            proxy_hide_header Cache-Control;
            proxy_hide_header Expires;

            proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

            proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
            proxy_set_header Host "fonts.googleapis.com";
            proxy_set_header Accept "*/*";

            # proxy_cache penpot;

            add_header Access-Control-Allow-Origin $http_origin;
            add_header Cache-Control max-age=86400;
            add_header X-Cache-Status $upstream_cache_status;
        }

        location ~ ^/js/config.js$ {
            add_header Cache-Control "no-store, no-cache, max-age=0" always;
        }

        location ~* \.(js|css|jpg|svg|png)$ {
            add_header Cache-Control "max-age=604800" always; # 7 days
        }

        location ~ ^/(/|css|fonts|images|js|wasm) {
        }

        location ~ ^/[^/]+/(.*)$ {
            return 301 " /404";
        }

        add_header Last-Modified $date_gmt;
        add_header Cache-Control "no-store, no-cache, max-age=0" always;
        if_modified_since off;
        try_files $uri /index.html$is_args$args /index.html =404;
    }
}