From 5e45d8f3bc10c8194405ad0ec1273aed2466120f Mon Sep 17 00:00:00 2001
From: wiz
Date: Sat, 18 Nov 2023 12:19:48 +0900
Subject: [PATCH 1/4] ops: Set nginx no-cache headers for /api/v1/services/account
---
 production/nginx/location-api-v1-services.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index 4759fe1ec..813807bb0 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
@@ -1,3 +1,15 @@
+location /api/v1/services/account {
+ proxy_pass $mempoolSpaceServices;
+ expires -1;
+ add_header 'Pragma' 'no-cache';
+ add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header onion-location;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header content-security-policy;
+ proxy_hide_header x-frame-options;
+}
 location /api/v1/services {
 proxy_pass $mempoolSpaceServices;
 proxy_cache services;
From 82a43e25e0dd0020a96e42cc109885befd6ae29d Mon Sep 17 00:00:00 2001
From: wiz
Date: Sat, 18 Nov 2023 12:40:39 +0900
Subject: [PATCH 2/4] ops: Set nginx no-cache headers for /api/v1/services/auth
---
 production/nginx/location-api-v1-services.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index 813807bb0..f35205041 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
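Review bot: The two `add_header` lines in the new `/api/v1/services/account` block stop nginx inheriting any `add_header` set at the server level, because `add_header` is inherited only when the current level defines none of its own. If the server block sets Strict-Transport-Security, Content-Security-Policy or X-Frame-Options that way (the `proxy_hide_header` lines for those names suggest they are added somewhere above this file, though that is not visible here), the account endpoint would be served without them, which is the opposite of what you want on a session-bearing path. Either repeat the server-level security headers inside this location or move the cache headers into a shared include that also carries them, and add a comment such as `# add_header here replaces, not extends, the server-level add_header set` so the next editor does not trip over it. The same applies to the `/api/v1/services/auth` block in PATCH 2/4 and to every `@mempool-api-v1-services-cache-*` named location in PATCH 4/4.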
@@ -10,6 +10,18 @@ location /api/v1/services/account {
 proxy_hide_header content-security-policy;
 proxy_hide_header x-frame-options;
 }
+location /api/v1/services/auth {
+ proxy_pass $mempoolSpaceServices;
+ expires -1;
+ add_header 'Pragma' 'no-cache';
+ add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header onion-location;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header content-security-policy;
+ proxy_hide_header x-frame-options;
+}
 location /api/v1/services {
 proxy_pass $mempoolSpaceServices;
 proxy_cache services;
From 407049258470c10d48abe54261b3cebc74e63060 Mon Sep 17 00:00:00 2001
From: wiz
Date: Sat, 18 Nov 2023 13:22:17 +0900
Subject: [PATCH 3/4] ops: Set nginx to ignore Pragma header for no-cache endpoints
---
 production/nginx/location-api-v1-services.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index f35205041..d3f233da8 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
@@ -5,6 +5,7 @@ location /api/v1/services/account {
 add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 proxy_hide_header Cache-Control;
 proxy_hide_header Expires;
+ proxy_hide_header Pragma;
 proxy_hide_header onion-location;
 proxy_hide_header strict-transport-security;
 proxy_hide_header content-security-policy;
@@ -17,6 +18,7 @@ location /api/v1/services/auth {
 add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 proxy_hide_header Cache-Control;
 proxy_hide_header Expires;
+ proxy_hide_header Pragma;
 proxy_hide_header onion-location;
 proxy_hide_header strict-transport-security;
 proxy_hide_header content-security-policy;
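Review bot: `expires -1;` in the new `/api/v1/services/auth` block already makes nginx emit `Cache-Control: no-cache` together with a past `Expires`, and as far as I can tell the `add_header 'Cache-Control' ...` two lines below adds a second `Cache-Control` line rather than replacing it, so these endpoints most likely answer with two `Cache-Control` headers. Browsers merge them, but not every intermediary does, so keep a single source of truth: either drop `expires -1;` and keep the explicit `add_header`, or drop the `add_header` and rely on `expires`, and say which in a one-line comment. The `proxy_hide_header Pragma;` added in PATCH 3/4 is the right directive here, since `proxy_ignore_headers` has no notion of `Pragma`; the subject line's "ignore" is really "hide", which a comment like `# strip the backend's Pragma before add_header sets ours` would make clear. The account block in PATCH 1/4 and the `@mempool-api-v1-services-cache-*` locations in PATCH 4/4 (where `expires Ns` adds a `max-age` next to `add_header 'Cache-Control' 'public'`) have the same pairing.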
From 2c820f1cc0e67b571470c48c9782bf125b27f50e Mon Sep 17 00:00:00 2001
From: wiz
Date: Sat, 18 Nov 2023 15:09:02 +0900
Subject: [PATCH 4/4] ops: Rewrite nginx config for new services API endpoints
---
 .../nginx/location-api-v1-services.conf | 252 ++++++++++--------
 production/nginx/location-api.conf | 4 +-
 2 files changed, 146 insertions(+), 110 deletions(-)
diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index d3f233da8..3efff38e4 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
@@ -1,122 +1,158 @@
-location /api/v1/services/account {
- proxy_pass $mempoolSpaceServices;
- expires -1;
- add_header 'Pragma' 'no-cache';
- add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- proxy_hide_header Cache-Control;
- proxy_hide_header Expires;
- proxy_hide_header Pragma;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
-}
-location /api/v1/services/auth {
- proxy_pass $mempoolSpaceServices;
- expires -1;
- add_header 'Pragma' 'no-cache';
- add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- proxy_hide_header Cache-Control;
- proxy_hide_header Expires;
- proxy_hide_header Pragma;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
-}
-location /api/v1/services {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1d;
- expires 1d;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
-}
-location /api/v1/contributors/images {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1w;
- expires 1w;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+###########
+# routing #
+###########
+
+location /api/v1/assets {
+ try_files /dev/null @mempool-api-v1-services-cache-short;
 }
 location /api/v1/contributors {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1d;
- expires 1d;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+ try_files /dev/null @mempool-api-v1-services-cache-medium;
 }
-location /api/v1/donations/images {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1w;
- expires 1w;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+location /api/v1/contributors/images {
+ try_files /dev/null @mempool-api-v1-services-cache-long;
 }
 location /api/v1/donations {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1d;
- expires 1d;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+ try_files /dev/null @mempool-api-v1-services-cache-medium;
 }
-location /api/v1/translators/images {
- proxy_pass $mempoolSpaceServices;
- proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1w;
- expires 1w;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+location /api/v1/donations/images {
+ try_files /dev/null @mempool-api-v1-services-cache-long;
 }
 location /api/v1/translators {
+ try_files /dev/null @mempool-api-v1-services-cache-medium;
+}
+location /api/v1/translators/images {
+ try_files /dev/null @mempool-api-v1-services-cache-long;
+}
+location /api/v1/services/internal/ {
+ return 403;
+}
+location /api/v1/services/ {
+ try_files /dev/null @mempool-api-v1-services-cache-disabled;
+}
+
+###########
+# caching #
+###########
+
+location @mempool-api-v1-services-cache-disabled {
+ proxy_pass $mempoolSpaceServices;
+
+ # remove these just in case double proxied
+ proxy_hide_header Onion-Location;
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+
+ # remove cache headers from services backend
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header Pragma;
+
+ # pass these headers to services backend
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # add our own cache headers
+ add_header 'Pragma' 'no-cache';
+ add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+ proxy_redirect off;
+ proxy_buffering off;
+
+ expires -1;
+}
+
+location @mempool-api-v1-services-cache-short {
 proxy_pass $mempoolSpaceServices;
 proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 1d;
- expires 1d;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+ proxy_redirect off;
+
+ # remove these just in case double proxied
+ proxy_hide_header Onion-Location;
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+
+ # pass these headers to services backend
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # remove cache headers from services backend
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header Pragma;
+
+ # add our own cache headers
+ add_header 'Pragma' 'public';
+ add_header 'Cache-Control' 'public';
+ expires 2s;
+
+ # server-side cache validity
+ proxy_cache_valid 200 2s;
 }
-location /api/v1/assets {
+
+location @mempool-api-v1-services-cache-medium {
 proxy_pass $mempoolSpaceServices;
 proxy_cache services;
- proxy_cache_background_update on;
- proxy_cache_use_stale updating;
- proxy_cache_valid 200 10m;
- expires 10m;
- proxy_hide_header onion-location;
- proxy_hide_header strict-transport-security;
- proxy_hide_header content-security-policy;
- proxy_hide_header x-frame-options;
+ proxy_redirect off;
+
+ # remove these just in case double proxied
+ proxy_hide_header Onion-Location;
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+
+ # pass these headers to services backend
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # remove cache headers from services backend
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header Pragma;
+
+ # add our own cache headers
+ add_header 'Pragma' 'public';
+ add_header 'Cache-Control' 'public';
+ expires 7d;
+
+ # server-side cache validity
+ proxy_cache_valid 200 7d;
+}
+
+location @mempool-api-v1-services-cache-long {
+ proxy_pass $mempoolSpaceServices;
+ proxy_cache services;
+ proxy_redirect off;
+
+ # remove these just in case double proxied
+ proxy_hide_header Onion-Location;
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+
+ # pass these headers to services backend
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # remove cache headers from services backend
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header Pragma;
+
+ # add our own cache headers
+ add_header 'Pragma' 'public';
+ add_header 'Cache-Control' 'public';
+ expires 30d;
+
+ # server-side cache validity
+ proxy_cache_valid 200 30d;
 }
diff --git a/production/nginx/location-api.conf b/production/nginx/location-api.conf
index 71afa295a..b8c79cd50 100644
--- a/production/nginx/location-api.conf
+++ b/production/nginx/location-api.conf
@@ -4,10 +4,10 @@
 # Block the internal APIs of esplora
 location /api/internal/ {
- return 404;
+ return 403;
 }
 location /api/v1/internal/ {
- return 404;
+ return 403;
 }
 # websocket has special HTTP headers
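Review bot: `location /api/v1/services/internal/ { return 403; }` only matches URIs that carry the trailing slash, so the bare `/api/v1/services/internal` is not caught by it and falls through to the `/api/v1/services/` catch-all, which proxies it to the backend via `@mempool-api-v1-services-cache-disabled`; whether the backend router answers that bare path is not visible here. If it does, the prefix without the slash, `location /api/v1/services/internal { return 403; }`, covers both forms, and in any case the services backend should refuse to expose its internal routes on the externally reachable listener rather than depend on this edge rule alone. Separately, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in all four named locations appends to whatever the client already sent, so a backend that uses that header for logging or rate limiting must take the last entry (or `X-Real-IP`), never the first; a comment such as `# X-Forwarded-For is client-supplied plus our $remote_addr; trust only the last hop` next to those lines would make the contract explicit.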