# change backend redirects (http -> https) 
proxy_redirect     http://example.com https://example.com;

# proxy host, real IP address, etc. for backend
# Accept-Encoding is set to "" because in my case content is gzipped, but I need to apply subs_filter directives
proxy_set_header   Host             $host;
proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
proxy_set_header   Accept-Encoding  "";

proxy_buffering    on;
proxy_buffer_size  128k;
proxy_buffers 100  128k;

# replace content received from backend
# I'm replacing all http: to https:
subs_filter_types application/json; # to replace json also
subs_filter "http:" "https:" gi;
# inject some Javascript, for example
subs_filter "</body>" "<script type=\"text/javascript\" src=\"//example.com/hack.js\"></script></body>";
# output cache status element, I'm hidding it afterwards, but my injected Javascript uses this data
subs_filter "</body>" "<div id='cache-status'>$upstream_cache_status</div></body>";

# setup cache zone
proxy_cache cache;
# cache all pages from backend, ignore headers. This headers prevents caching. Be carefull with it.
proxy_ignore_headers Cache-Control Expires;
# Bypass page cache if header "SECRET_HEADER 1" was sent to Nginx
proxy_cache_bypass $http_secret_header;
# Service information, adds header with page cache status (MISS, HIT, BYPASS, etc.)
add_header X-Cache-Status $upstream_cache_status;