safe.conf

# optional, we will cache images for a certain time
proxy_cache_path      /tmp/cache levels=1:2 keys_zone=embed:30m max_size=1g inactive=24h use_temp_path=off;

# optional - ssl
# disable, if not in use
proxy_ssl_server_name on;
proxy_ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

server {
	listen              80;
	listen              443 default ssl;
	resolver            8.8.8.8;
	merge_slashes       off;
	error_log           /var/log/nginx/safe.error.log warn;
	access_log          /var/log/nginx/safe.access.log;

	ssl                 on;
	ssl_certificate     /etc/letsencrypt/live/safe.mydomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/safe.mydomain.com/privkey.pem;

	server_name safe.mydomain.com;

	location / {
		rewrite ^/(.*) $1 break;
		return 400; #if the rewrite won't match

		proxy_cache embed;
		proxy_cache_valid 1d;
		proxy_cache_use_stale  error timeout invalid_header updating
                                   http_500 http_502 http_503 http_504;

		expires 1M;

		proxy_set_header  Referer  $arg_img;
		proxy_set_header  "User-Agent" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36";

		more_set_headers "Cache-Control" "public";
		more_clear_headers "Pragma";
		more_clear_headers "Content-disposition";
		
		# we don't want any redirect to anywhere - they could be unsafe
		more_clear_headers  Location;
		proxy_redirect off;

		proxy_pass $uri;
	}
}

Note that this uses more_set_headers and this is how we compile nginx with the said module (the module needs to be compiled in if it is used):

#!/bin/sh

apt-get install -y libpcre3-dev libssl-dev

NGINX_VERSION=1.11.8
MORE_VERSION=0.32

mkdir /tmp/nginx
cd /tmp/nginx
rm -f nginx-${NGINX_VERSION}.tar.gz
rm -f v${MORE_VERSION}.tar.gz
wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
wget https://github.com/openresty/headers-more-nginx-module/archive/v${MORE_VERSION}.tar.gz
rm -rf nginx-${NGINX_VERSION}
rm -rf headers-more-nginx-module-${MORE_VERSION}
tar -xzvf nginx-${NGINX_VERSION}.tar.gz
tar -xzvf v${MORE_VERSION}.tar.gz
cd nginx-${NGINX_VERSION}
useradd -r nginx

./configure \
--user=nginx                          \
--group=nginx                         \
--prefix=/etc/nginx                   \
--sbin-path=/usr/sbin/nginx           \
--conf-path=/etc/nginx/nginx.conf     \
--pid-path=/var/run/nginx.pid         \
--lock-path=/var/run/nginx.lock       \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module        \
--with-http_stub_status_module        \
--with-http_ssl_module                \
--with-pcre                           \
--with-file-aio                       \
--with-http_realip_module             \
--without-http_scgi_module            \
--without-http_uwsgi_module           \
--without-http_fastcgi_module         \
--add-module=/tmp/nginx/headers-more-nginx-module-${MORE_VERSION}

make
make install