Using an nginx proxy with cache in front of Wasabi to minimize egress costs

example.conf

proxy_cache_path /tmp/cache levels=1:2 keys_zone=s3_cache:10m max_size=15g inactive=24h use_temp_path=off;

server {
  listen 443 ssl;
  server_name files.example.com;
  keepalive_timeout 30;

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  location = / {
    index index.html;
  }

  location / {
    try_files $uri @wasabi;
  }

  set $backend "http://s3.wasabisys.com:80";

  location @wasabi {
    resolver 8.8.8.8; # This is Google's DNS server... You could use any, it's needed to get an IP for s3.wasabisys.com inside nginx
    proxy_set_header Host 's3.wasabisys.com';
    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    proxy_pass $backend/files.example.com$uri; # files.example.com is the bucket name
    proxy_intercept_errors on;

    proxy_cache s3_cache;
    proxy_cache_valid 200 7d;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_lock on; # This is the important bit: simultaneous requests for the same file in Wasabi do not hit Wasabi
    proxy_cache_bypass $http_secret_header; # Manual cache busting for debugging

    expires 1y;
    
    add_header Cache-Control public;
    add_header ETag '';
    add_header 'Access-Control-Allow-Origin'  '*';
    add_header 'Access-Control-Allow-Methods' 'GET';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    add_header X-Cache-Status $upstream_cache_status;
  }

  ssl_certificate /etc/letsencrypt/live/files.example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/files.example.com/privkey.pem; # managed by Certbot
}