nginx.conf

daemon off;

error_log stderr;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  access_log /dev/stdout cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;

  gzip on;
  gzip_disable "msie6";
  gzip_comp_level 6;
  gzip_min_length 1100;
  gzip_buffers 16 8k;
  gzip_proxied any;
  gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;

  tcp_nopush on;
  keepalive_timeout 30;
  port_in_redirect off; # Ensure that redirects don't include the internal container port
  server_tokens off;

  map $http_origin $allow_origin {
    ~^(http(s)?:\/\/)?(.*)?\.app\.cloud\.gov$ $http_origin;
  }
  map $http_origin $allow_methods {
    ~^(http(s)?:\/\/)?(.*)?\.app\.cloud\.gov$ "OPTIONS, HEAD, GET";
  }

  server {
    listen {{port}};
    server_name localhost;

    # Proxy requests to the DAP API and use an API key which is provided upon
    # server deployment.
    location ~* ^/api/(.*) {
      set $path                  '$1';
      set $querystring           '$is_args$args';
      gunzip                     on;
      # The {{nameservers}} is interpolated by the NGINX cloud foundry buildpack
      # When the domain resolves to an IPv6 address, NGINX has an internal error
      # and returns a 500 response. Disable IPv6, TODO: determine the cause for
      # failures in IPv6.
      resolver                   {{nameservers}} ipv6=off valid=300s;
      proxy_http_version         1.1;
      proxy_buffering            on;
      proxy_intercept_errors     off;
      proxy_ssl_server_name      on;

      # Set headers on the proxied request to the API
      proxy_set_header           Authorization '';
      proxy_set_header           api-data-gov-secret {{env "API_DATA_GOV_SECRET" }};
      proxy_hide_header          Access-Control-Allow-Origin;

      # Set headers on the response returned to the API client
      add_header                 Access-Control-Allow-Origin $allow_origin;
      add_header                 Access-Control-Allow-Methods $allow_methods;
      add_header                 Cache-Control no-store;
      add_header                 Pragma "no-cache";

      # Hard code API version 1.1 because that's the only version which is
      # currently needed.
      proxy_pass                 https://{{env "API_FQDN"}}:{{env "API_PORT"}}/v1.1/$path$querystring;
    }

    # Proxy requests for the data route to the application's S3 bucket which
    # contains reports populated by analytics-reporter.
    # Note: .+ instead of .*
    # this is to allow /data/ to pass through untouched
    location ~* ^/data/(.+) {
      set $url_full         '$1';
      gunzip on;
      proxy_http_version     1.1;
      proxy_set_header       Authorization '';
      proxy_hide_header      x-amz-id-2;
      proxy_hide_header      x-amz-request-id;
      proxy_hide_header      Set-Cookie;
      proxy_ignore_headers   "Set-Cookie";
      proxy_buffering        off;
      proxy_intercept_errors on;

      resolver               8.8.8.8 valid=300s;

      add_header             Cache-Control "no-cache";
      add_header             Content-Security-Policy "default-src 'self'; script-src 'self' https://dap.digitalgov.gov https://www.google-analytics.com https://www.googletagmanager.com https://touchpoints.app.cloud.gov; connect-src 'self' https://www.google-analytics.com https://touchpoints.app.cloud.gov; img-src 'self' https://touchpoints.app.cloud.gov https://cg-1b082c1b-3db7-477f-9ca5-bd51a786b41e.s3-us-gov-west-1.amazonaws.com; form-action https://www.google.com; frame-ancestors 'none';" always;
      add_header             Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=(), payment=()" always;
      add_header             Pragma "no-cache";
      add_header             Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header             X-Content-Type-Options "nosniff" always;

      proxy_hide_header      Access-Control-Allow-Origin;
      add_header             Access-Control-Allow-Origin $allow_origin;
      add_header             Access-Control-Allow-Methods $allow_methods;
      proxy_pass             {{env "S3_BUCKET_URL"}}/data/$url_full;
    }

    location / {
      root /home/vcap/app/_site;
      index index.html index.htm Default.htm;

      autoindex on;

      #auth_basic "Restricted";                        #For Basic Auth
      #auth_basic_user_file /home/vcap/app/.htpasswd;  #For Basic Auth

      if ($http_x_forwarded_proto != "https") {
        return 301 https://$host$request_uri;
      }

      add_header Cache-Control "max-age=60";
      # Touchpoints and S3 domains are added to the CSP support touchpoints JS
      # code which dynamically adds HTML with images and references JS on the
      # touchpoints server.
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://dap.digitalgov.gov https://www.google-analytics.com https://www.googletagmanager.com https://touchpoints.app.cloud.gov; connect-src 'self' https://www.google-analytics.com https://touchpoints.app.cloud.gov; img-src 'self' https://touchpoints.app.cloud.gov https://cg-1b082c1b-3db7-477f-9ca5-bd51a786b41e.s3-us-gov-west-1.amazonaws.com; form-action https://www.google.com; frame-ancestors 'none';" always;
      add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=(), payment=()" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Content-Type-Options "nosniff" always;
      try_files $uri $uri/index.html $uri/ =404;
    }

    location =/developers {
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://dap.digitalgov.gov https://www.google-analytics.com https://www.googletagmanager.com https://touchpoints.app.cloud.gov; connect-src 'self' https://www.google-analytics.com https://touchpoints.app.cloud.gov; img-src 'self' https://touchpoints.app.cloud.gov https://cg-1b082c1b-3db7-477f-9ca5-bd51a786b41e.s3-us-gov-west-1.amazonaws.com; form-action 'none'; frame-ancestors 'none';" always;
      add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=(), payment=()" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Content-Type-Options "nosniff" always;
      return 302 https://open.gsa.gov/api/dap/;
    }

    location =/developer {
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://dap.digitalgov.gov https://www.google-analytics.com https://www.googletagmanager.com https://touchpoints.app.cloud.gov; connect-src 'self' https://www.google-analytics.com https://touchpoints.app.cloud.gov; img-src 'self' https://touchpoints.app.cloud.gov https://cg-1b082c1b-3db7-477f-9ca5-bd51a786b41e.s3-us-gov-west-1.amazonaws.com; form-action 'none'; frame-ancestors 'none';" always;
      add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=(), payment=()" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Content-Type-Options "nosniff" always;
      return 302 https://open.gsa.gov/api/dap/;
    }
  }
}