nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    proxy_cache_path /var/cache/fdroid levels=1:2 keys_zone=fdroid_cache:10m max_size=12g
                 inactive=24h use_temp_path=off;


    map $request_uri $max_age {
    default             600;    # 10 min default (for html and the index files)
    ~^/assets/          43200;  # 12 hours for website assets
    ~^/js/              43200;
    ~^/css/             43200;
    ~^/FDroid.apk           86400;  # 1 day for the F-Droid apk
    ~^/repo/icons.*\.\d+\.png   604800; # 1 week for repo files with version number in name
    ~^/repo/.*\.apk$        604800;
    ~^/repo/.*\.apk.asc$        604800;
    ~^/repo/.*\.tar.gz$     604800;
    ~^/repo/.*/icon.png$        86400;  # 1 day for icons and screenshots without version number
    ~^/repo/.*/phoneScreenshots/    86400;
    }

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  fdroidmirror.net;
        root         /usr/share/nginx/html;
        location /   {return 301 https://$server_name$uri;}
        location /.well-known/ {default_type "text/plain";}
    }

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  fdroidmirror.net;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/acme/fdroidmirror.net/ec.crt";
        ssl_certificate_key "/etc/acme/fdroidmirror.net/ec.key";
        ssl_certificate "/etc/acme/fdroidmirror.net/rsa.crt";
        ssl_certificate_key "/etc/acme/fdroidmirror.net/rsa.key";

    # https://www.nginx.com/blog/nginx-caching-guide/
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;

        ssl_ciphers "HIGH+kECDHE:-SSLv3:-SHA256:-SHA384:DES-CBC3-SHA:@STRENGTH";
        ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_early_data on;

        proxy_cache fdroid_cache;
    # Cache key is just the uri, without any arguments
    proxy_cache_key $uri;

    # Revalidation of expired cache items using conditional requests.
    proxy_cache_revalidate on;

    # May use stale response
    #proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_use_stale error timeout updating http_500 http_503;

    # Allows starting a background subrequest to update an expired cache item,
    # while a stale cached response is returned to the client.
    proxy_cache_background_update on;

    # Only one request at a time to origin server per element
    # Other request wait.
    proxy_cache_lock on;
    proxy_cache_lock_age 10s;
    proxy_cache_lock_timeout 20s;

    proxy_cache_valid 200 302 10m;
    proxy_cache_valid 301      1h;
    proxy_cache_valid 404      5m;
    proxy_cache_valid any      1m;

    autoindex off;

    # Strip arguments from request to reduce possible attack vectors.
    # We serve static content only, we do not want arguments.