nginx.conf

worker_processes 1;
daemon off;

events { worker_connections 1024; }

http {
  charset utf-8;

  log_format cloudfoundry '$http_user_agent - $host "$request" $status $body_bytes_sent';
  access_log /dev/stdout cloudfoundry;

  include mime.types;
  default_type application/octet-stream;

  sendfile on;

  gzip on;
  gzip_vary on;
  gzip_disable "msie6";
  gzip_comp_level 6;
  gzip_min_length 1100;
  gzip_buffers 16 8k;
  gzip_proxied any;
  gunzip on;
  gzip_static always;
  gzip_types text/plain text/css text/js text/xml
    text/javascript application/javascript application/x-javascript
    application/json application/xml application/xml+rss
    font/ttf font/otf font/x-woff image/svg+xml
    application/vnd.ms-fontobject
    application/ttf application/x-ttf application/otf
    application/x-otf application/truetype application/eot
    application/opentype application/x-opentype application/woff
    application/font application/font-woff woff application/font-sfnt;

  tcp_nopush on;
  keepalive_timeout 30;
  port_in_redirect off; # Ensure that redirects don't include the internal container PORT - {{port}}
  server_tokens off;
  more_clear_headers Server;
  recursive_error_pages on;

  # Cloudfront forwards these but doesn't consider them part of the cache key
  # so drop them before passing to the origin, since responses aren't actually cacheable
  proxy_set_header If-Match "";
  proxy_set_header If-None-Match "";
  proxy_set_header If-Modified-Since "";
  proxy_set_header If-Unmodified-Since "";
  proxy_set_header Range "";
  proxy_set_header If-Range "";
  proxy_set_header x-amz-expected-bucket-owner "";
  proxy_set_header x-amz-security-token "";

  map_hash_max_size 64;
  map_hash_bucket_size 256;
  map $name $sts {
    default "max-age=31536000; preload";
    ~^({{env "INCLUDE_SUBDOMAINS"}})$ "max-age=31536000; preload; includeSubDomains";
  }

  map $name $bucket_url {
    default {{env "DEDICATED_S3_BUCKET_URL"}};
  }

  map $http_user_agent $prefix_path {
    default $full_path;
    "Amazon Cloudfront" $rest;
  }

  map $http_user_agent $robot_header {
    default "none";
    "Amazon Cloudfront" "all";
  }

  server {
    listen {{port}};
    server_name ~^(?<name>.+)\.{{env "DOMAIN"}}$;
    resolver {{env "DNS_RESOLVER"}} valid=60s;
    add_header Strict-Transport-Security $sts always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Server "Cloud.gov Pages" always;
    add_header X-Robots-Tag $robot_header always;
    add_header Access-Control-Allow-Methods "GET, HEAD" always;

    if ($request_method !~ ^(GET|HEAD)$) {
      return 405;
    }

    if ($request_uri ~ "^/((site|preview|demo))/(([^/]+))/(([^/]+))(?<remaining>(.*))$" ) {
        set  $remaining_path  $remaining;
    }

    include redirects.conf;

    location =/health {
      access_log off;
      return 200 "Ok";
    }

    location ~ ^/(?<context>(site|preview|demo))/(?<owner>([^/]+))/(?<repo>([^/]+))(?<rest>(.*))$ {
      # Match paths ending in '/'
      location ~ /$ {
        rewrite ^(.*)$ $1index.html last;
      }

      # Match paths with extensions and possibly query parameters
      location ~ ^/[^/]+/[^/]+/[^/]+/[^?]*\.[^./]+(\?.*)?$ {
        proxy_pass $bucket_url;
        proxy_intercept_errors on;
        error_page 404 403 =404 @notfound;
      }

      # Match paths with backslashes at site root or after
      location ~ ^/[^/]+/[^/]+/[^/]+/.*[\\\]+ {
        rewrite ^(.*)$ @notfound;
      }

      # Match paths with encoded backslashes at site root or after
      location ~ ^/[^/]+/[^/]+/[^/]+/.*%5C.* {
        rewrite ^(.*)$ @notfound;
      }

      location ~ ^/[^/]+/[^/]+/[^/]+/.*%255C.* {
        rewrite ^(.*)$ @notfound;
      }


      # What is left are paths without extensions
      location ~ ^/ {
        absolute_redirect off;
        rewrite ^(?<full_path>(.*))$ $prefix_path/ permanent;
      }
    }

    location @notfound {
      # custom 404 pages are *bucket* specific NOT *branch* specific
      proxy_pass $bucket_url/site/$owner/$repo/404.html;
    }
  }
}