## Nginx rules to cache the desktop static resources.

# Desktop home page URL without any webapp name.
# Note: this serves the bare root URL, https://fqdn:port
location = / {
    # Exact match on the bare root URL only; the request is handed to the backend unchanged.
    # Listing GET in limit_except also admits HEAD; every method other than GET/HEAD/OPTIONS is denied.
    limit_except GET OPTIONS { deny all; }
    # The upstream connection uses the same scheme the client used ($scheme).
    proxy_pass $scheme://$backend;
    # Never store this response and never answer it from the cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}

# Bypass cache for j_security_check, j_identity_check and the container pages.
# The limit_except below admits POST, GET (and therefore HEAD) and OPTIONS, not POST alone.
location ~ ^/desktop/(j_security_check|j_identity_check|container/landing.jsp|container/index.jsp|container)(/)?$ {
    # Login submission endpoints and the container pages: always proxied, never cached.
    # NOTE(review): the dots in "landing.jsp" and "index.jsp" are unescaped, so they match any
    # character; "\." would make the match literal.
    # Methods admitted: POST, GET (which implies HEAD) and OPTIONS; everything else is denied.
    limit_except POST GET OPTIONS { deny all; }
    # Throttle with the "jspzone" limiter: up to 5 requests over the zone's rate are served
    # immediately (nodelay), anything beyond that is rejected. The zone's rate and key
    # (e.g. client address) are set where jspzone is declared, which is not visible here.
    limit_req zone=jspzone burst=5 nodelay;
    proxy_pass $scheme://$backend;
    # Authentication traffic must never be stored in or answered from the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}

location ~ ^/desktop(/container|/logout.jsp|/invalidate)?(/)?$ {
    # Matches /desktop itself plus the logout and invalidate URLs, each with an optional trailing slash.
    # NOTE(review): regex locations are tried in file order, so if an earlier regex location
    # also matches /desktop/container, the "/container" alternative here is never reached.
    # NOTE(review): the dot in "logout.jsp" is unescaped and matches any character.
    # Only GET (and therefore HEAD) and OPTIONS are admitted.
    limit_except GET OPTIONS { deny all; }
    # Same "jspzone" limiter as the login endpoints: burst of 5, excess rejected without queuing.
    limit_req zone=jspzone burst=5 nodelay;
    proxy_pass $scheme://$backend;
    # Session-affecting responses are neither stored nor served from cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}

# desktop home page URLs
location ~ ^/desktop(/resources/ping.txt|/security)?(/)?$ {
    # Matches /desktop, /desktop/resources/ping.txt and /desktop/security (optional trailing slash).
    # NOTE(review): if an earlier regex location in this file also matches the bare /desktop and
    # /desktop/ URIs, those requests are served there and only the two suffixed paths land here.
    # NOTE(review): the dot in "ping.txt" is unescaped and matches any character.
    # No limit_req is applied in this block.
    limit_except GET OPTIONS { deny all; }
    proxy_pass $scheme://$backend;
    # Always fetched live from the backend; never stored.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}

# To cache /desktop/container/GadgetsI18n.jsp output in the reverse proxy; it revalidates with upstream every 2 minutes.
location ^~ /desktop/container/GadgetsI18n.jsp {
    # "^~" is a prefix match that also stops regex locations from being considered, so any URI
    # beginning with this path is handled here.
    proxy_pass $scheme://$backend;
    # Bypass cache if referrer contains bypassServerCache or nocache
    # (the variable is computed outside this block). A bypass only skips the cache lookup; with
    # no proxy_no_cache here the fresh response can still be stored.
    proxy_cache_bypass $cb_bypassServerCache_or_nocache_in_referer_header;
    # proxy_ignore_headers only stops these upstream headers from influencing nginx's caching
    # decision; they are still forwarded to the client and stored with the cached response.
    # NOTE(review): if the backend ever sets a cookie on this JSP, the cached copy would hand the
    # same Set-Cookie to every client until expiry. Confirm a "proxy_hide_header Set-Cookie;"
    # applies at this or an enclosing level.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    # Cache key will retain query params as query params contains
    # info for language and country
    # NOTE(review): both the query string and Accept-Language are client-controlled, so distinct
    # values create distinct cache entries and no limit_req is set here; check that the cache
    # zone's max_size / inactive settings bound the growth.
    proxy_cache_key "$request_uri $http_accept_language";
    proxy_cache $desktop_cache;
    # Exposes HIT/MISS/BYPASS/... to the client for troubleshooting.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 2 minutes.
    proxy_cache_valid 200 302 2m;
    add_header Cache-Control "must-revalidate";
    etag on;
}

# To cache /desktop/api/i18n and app-config output in the reverse proxy; it revalidates with upstream every 2 minutes.
location ~ ^/desktop/api/app-config(/)?$ {
    # Logic to block invalid URLs from the desktop webapp.
    # If the URI path requested is not present in the desktop webapp then 404 is returned.
    # The check itself lives in the Lua script, which is not shown here; ${NGX_LUA_DIR} looks
    # like an install-time template placeholder.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorised_desktop_resources.lua;
    proxy_pass $scheme://$backend;
    # Skip the cache lookup when the bypass variable is set (by its name, driven by the Referer
    # header; the mapping is defined elsewhere). The fresh response can still be stored.
    proxy_cache_bypass $cb_bypassServerCache_or_nocache_in_referer_header;
    # Cache key will not have query params as that can lead to cache misses depending on trivial
    # query params like nocache/_=<timestamp>.
    proxy_cache_key "$uri";
    proxy_cache $desktop_cache;
    # Exposes the cache status (HIT/MISS/BYPASS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 2 minutes.
    proxy_cache_valid 200 302 2m;
    add_header Cache-Control "must-revalidate";
    # proxy_ignore_headers tells nginx to disregard the listed upstream response headers when it
    # decides whether and for how long to cache. The headers are not removed: they are still
    # passed to the client and kept in the cached response.
    # NOTE(review): a Set-Cookie sent by the backend would therefore be replayed from cache to
    # other clients; confirm "proxy_hide_header Set-Cookie;" applies at this or an enclosing level.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    etag on;
}

location ~ "^/desktop/api/i18n/[a-z]{2}(_[A-Z]{2})?(/)?$" {
    # The regex is quoted because it contains braces. It accepts a two-letter lowercase language
    # code with an optional _XX uppercase country suffix and an optional trailing slash.
    # Logic to block invalid URLs from the desktop webapp.
    # If the URI path requested is not present in the desktop webapp then 404 is returned.
    # The check itself lives in the Lua script, which is not shown here.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorised_desktop_resources.lua;
    proxy_pass $scheme://$backend;
    # Skip the cache lookup when the bypass variable is set (by its name, driven by the Referer
    # header; the mapping is defined elsewhere). The fresh response can still be stored.
    proxy_cache_bypass $cb_bypassServerCache_or_nocache_in_referer_header;
    # Cache key will not have query params as that can lead to cache misses depending on trivial
    # query params like nocache/_=<timestamp>.
    proxy_cache_key "$uri";
    proxy_cache $desktop_cache;
    # Exposes the cache status (HIT/MISS/BYPASS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 2 minutes.
    proxy_cache_valid 200 302 2m;
    add_header Cache-Control "must-revalidate";
    # proxy_ignore_headers tells nginx to disregard the listed upstream response headers when it
    # decides whether and for how long to cache. The headers are not removed: they are still
    # passed to the client and kept in the cached response.
    # NOTE(review): a Set-Cookie sent by the backend would therefore be replayed from cache to
    # other clients; confirm "proxy_hide_header Set-Cookie;" applies at this or an enclosing level.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    etag on;
}

# To cache static fonts, icons, images, css, js and html in the reverse proxy; it revalidates with upstream once the proxy_cache_valid interval set below (5 minutes) has passed.
location  ~ ^(/desktop/).*\.(woff|woff2|svg|jpg|jpeg|gif|png|css|ico|js|html|js\.jsp)$ {
    # Any path under /desktop/ ending in one of the listed extensions. ".*" places no limit on
    # the intermediate path, so the Lua check below is what narrows this to real resources.
    # Logic to block invalid URLs from the desktop webapp.
    # If the URI path requested is not present in the desktop webapp then 404 is returned.
    # The script is not shown here, so how the allow-list is built cannot be confirmed from this file.
	rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorised_desktop_resources.lua;
    # rate limiting defined for fetching static pages during login/refresh/failover
    # (the burst value looks like an install-time template placeholder; the zone's rate and key
    # are set where finesseratelimit is declared)
    limit_req zone=finesseratelimit burst=${NGX_FIN_DESKTOP_REQUEST_BURST_LIMIT} nodelay;
    proxy_pass $scheme://$backend;
    # Skip the cache lookup when the bypass variable is set (by its name, driven by the Referer
    # header; the mapping is defined elsewhere). The fresh response can still be stored.
    proxy_cache_bypass $cb_bypassServerCache_or_nocache_in_referer_header;
    # Cache key will not have query params as that can lead to cache misses depending on trivial
    # query params like nocache/_=<timestamp>. Static files nocache parameter changes on every tomcat
    # restart.
    proxy_cache_key "$uri";
    proxy_cache $desktop_cache;
    #expires 30d;
    # Exposes the cache status (HIT/MISS/BYPASS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Removing the Last-Modified response header, as Chrome doesn't support the If-Modified-Since header
    add_header Last-Modified "";
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 5 minutes.
    proxy_cache_valid 200 302 5m;
    # While one request is refreshing an expired entry, other clients are served the stale copy.
    proxy_cache_use_stale updating;
    add_header Cache-Control "must-revalidate";
    # proxy_ignore_headers tells nginx to disregard the listed upstream response headers when it
    # decides whether and for how long to cache. The headers are not removed: they are still
    # passed to the client and kept in the cached response.
    # NOTE(review): a Set-Cookie sent by the backend (plausible for the js.jsp resources) would
    # therefore be replayed from cache to other clients; confirm "proxy_hide_header Set-Cookie;"
    # applies at this or an enclosing level.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    etag on;
}

location ~ ^/desktop/api/(Languages|DesktopConfig|themes)(/)?$ {
    # Cached proxy for three desktop API endpoints (optional trailing slash).
    # No limit_except, limit_req or Lua resource check is applied in this block.
    # NOTE(review): a cache hit is answered without contacting the backend, so any authentication
    # the backend enforces on these APIs is not applied to hits. Confirm these responses are
    # identical for every caller and safe to serve unauthenticated.
	proxy_pass $scheme://$backend;
    # Bypass the cache lookup when the variable is set; by its name it is driven by a
    # bypassServerCache query parameter (not the Referer header); the mapping is defined elsewhere.
    proxy_cache_bypass $cb_bypassServerCache_in_query_param;
    # Only affects nginx's caching decision; the listed headers still reach the client and are
    # stored with the cached response.
    # NOTE(review): confirm "proxy_hide_header Set-Cookie;" applies at this or an enclosing
    # level so that a cached cookie cannot be replayed to other clients.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    # The key is "$uri", which excludes the query string, so all query-string variants of a path
    # share one cache entry.
    # NOTE(review): if the response varies by language/country query parameters, they would
    # need to be part of the key.
    proxy_cache_key "$uri";
    proxy_cache $desktop_cache;
    # Exposes the cache status (HIT/MISS/BYPASS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 2 minutes.
    proxy_cache_valid 200 302 2m;
    add_header Cache-Control "must-revalidate";
    etag on;
}

location ~ ^/desktop/locallog(.html)?(/)? {
    # Cached proxy for the local-log page.
    # NOTE(review): the regex has no "$" anchor and both groups are optional, so every URI that
    # starts with /desktop/locallog matches (e.g. /desktop/locallogXYZ). The dot in ".html" is
    # unescaped as well. "^/desktop/locallog(\.html)?/?$" would restrict it to the intended paths.
    # NOTE(review): regex locations are tried in file order, so an earlier regex location that
    # matches /desktop/*.html would take /desktop/locallog.html before this block is reached.
    # No limit_except, limit_req or Lua resource check is applied in this block.
    # NOTE(review): a cache hit is answered without contacting the backend, so any authentication
    # the backend enforces here is not applied to hits. Confirm that is acceptable for this page.
	proxy_pass $scheme://$backend;
    # Bypass the cache lookup when the variable is set; by its name it is driven by a
    # bypassServerCache query parameter (not the Referer header); the mapping is defined elsewhere.
    proxy_cache_bypass $cb_bypassServerCache_in_query_param;
    # Only affects nginx's caching decision; the listed headers still reach the client and are
    # stored with the cached response.
    # NOTE(review): confirm "proxy_hide_header Set-Cookie;" applies at this or an enclosing
    # level so that a cached cookie cannot be replayed to other clients.
    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
    # The key is "$uri", which excludes the query string, so all query-string variants of a path
    # share one cache entry.
    proxy_cache_key "$uri";
    proxy_cache $desktop_cache;
    # Exposes the cache status (HIT/MISS/BYPASS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # 200 and 302 responses stay fresh for 2 minutes.
    proxy_cache_valid 200 302 2m;
    add_header Cache-Control "must-revalidate";
    etag on;
}


# This location block is to get list of agents configured in backend server
location ~ ^/(desktop/api/ResourceURLs) {
      # NOTE(review): no "$" anchor, so any URI beginning with /desktop/api/ResourceURLs matches.
      # Allow access to users api from localhost only
      # Usually called from lua scripts
      # NOTE(review): this denies only when the variable is exactly "false". Any other value,
      # including an empty or unset one, falls through to the backend. Confirm the definition of
      # $is_accessed_locally (not visible here) can only yield "true"/"false", or compare
      # against "true" so the check fails closed.
      if ($is_accessed_locally = "false") { return 403; }

      proxy_pass $scheme://$backend;

      # Only affects nginx's caching decision; the listed headers are still forwarded and stored.
      proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
      # Cache GET responses (nginx always includes HEAD as well).
      proxy_cache_methods GET;
      # Unlike the other desktop locations, the key keeps the query string.
      proxy_cache_key "$uri$is_args$args";
      
      proxy_cache $desktop_cache;

      # Expired entries are refreshed with conditional requests; 200/302 stay fresh for 3 minutes.
      proxy_cache_revalidate on;
      proxy_cache_valid 200 302 3m;
      add_header Cache-Control "must-revalidate";

      # Exposes the cache status (HIT/MISS/...) to the caller.
      add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
}

# This location block will capture all the 3rd party gadget
location ^~ /3rdpartygadget {
      # "^~" is a prefix match that suppresses regex locations. With no trailing slash it also
      # matches URIs such as /3rdpartygadgetXYZ.
      # No limit_except is set here, so every HTTP method is forwarded to the backend.

      # Logic to block invalid URLs from the 3rdpartygadget webapp.
      # If the URI path requested for 3rdpartygadget is not present, then 401 is returned.
      # The check lives in the Lua script, which is not shown here.
      rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorised_thirdparty_resources.lua;

      # Don't cache backend server responses in proxy
      proxy_pass $scheme://$backend;
      proxy_no_cache 1;
      proxy_cache_bypass 1;
}

location ~ ^/desktop/sso/publickey {
    # Cached proxy for the SSO public-key endpoint.
    # NOTE(review): no "$" anchor, so any URI beginning with /desktop/sso/publickey matches.

    # Only GET (and therefore HEAD) and OPTIONS are admitted.
    limit_except GET OPTIONS { deny all; }
    proxy_pass $scheme://$backend;
    # Query string is not part of the key.
    proxy_cache_key "$uri";
    # Expired entries are refreshed with conditional requests to the backend.
    proxy_cache_revalidate on;
    # Only 200 responses are cached, for 5 minutes. There is no proxy_ignore_headers in this
    # block, so upstream Cache-Control / Expires / Set-Cookie can still shorten or prevent caching.
    # NOTE(review): a rotated key may keep being served from cache for up to this interval.
    proxy_cache_valid 200 5m;
    proxy_cache $desktop_cache;
    # Exposes the cache status (HIT/MISS/...) to the client.
    add_header X-ReverseProxy-Cache-Status $upstream_cache_status;
    add_header Cache-Control "must-revalidate";
    etag on;

}
