compose/nginx/template/gravatar.conf

server {
    listen      8002;

    # security headers
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # logging
    access_log off;
    error_log  off;

    # reverse proxy
    location /avatar/ {
        if ($arg_r) {
            add_header Content-Type text/plain;
            return 403 "Parameter 'r' is not allowed.";
        }
        if ($arg_rating) {
            add_header Content-Type text/plain;
            return 403 "Parameter 'rating' is not allowed.";
        }
        proxy_pass                         https://gravatar.com;
        proxy_set_header Host              gravatar.com;
        proxy_http_version                 1.1;

        # Proxy headers
        proxy_set_header Referer           https://example.com;
        proxy_set_header User-Agent        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0";
        proxy_set_header X-Real-IP         "";
        proxy_set_header Forwarded         "";
        proxy_set_header X-Forwarded-For   "";
        proxy_set_header X-Forwarded-Proto "";
        proxy_set_header X-Forwarded-Host  "";
        proxy_set_header X-Forwarded-Port  "";

        # Proxy timeouts
        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;
    }

    location / {
        return 404;
    }

    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        add_header Content-Type text/plain;
        return 200 "Allow: /\n";
    }

    # gzip
    gzip            on;
    gzip_vary       on;
    gzip_proxied    any;
    gzip_comp_level 6;
    gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}