Thank you for your suggestion. I understand about the DoS issue. proxy_cache_bypass indeed is the solution. Documentation was not clear about it, but the result is written to cache. The cache is only bypassed in the lookup fase, not in the write back fase.
I worked out this bit of configuration. The added header is very useful while testing, I'd remove it in production.
location / {
if ($http_cache_control = "no-cache") {
set $ctrl_Ffive_ed "yes";
}
proxy_cache_bypass $ctrl_Ffive_ed;
add_header X-cache-bypass $ctrl_Ffive_ed;
...other config...
}