diff --git a/angie.conf b/angie.conf
index e236f60..ba12ae1 100755
--- a/angie.conf
+++ b/angie.conf
@@ -54,6 +54,8 @@ http {
 resolver 127.0.0.1 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=10s status_zone=default_resolver;
 resolver_timeout 2s;
+ proxy_cache_path /var/lib/angie/cache/public levels=1:2 keys_zone=public-cache:100m max_size=2g inactive=12h use_temp_path=off;
+
 # Brotli compression
 brotli on;
 brotli_static on;
@@ -75,6 +77,10 @@ http {
 gzip_min_length 1000;
 gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javasc
+ # Proxy timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 300s;
+ proxy_read_timeout 300s;
 # Load configs
 include /etc/angie/config/upstreams.conf;
diff --git a/sites-available/gitea.linuxiarz.pl.conf b/sites-available/gitea.linuxiarz.pl.conf
index 851598f..c6fa5e5 100644
--- a/sites-available/gitea.linuxiarz.pl.conf
+++ b/sites-available/gitea.linuxiarz.pl.conf
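Review bot: The `public-cache` zone is declared at `http` level without a `proxy_cache_key`, so every `server` that opts into it shares one store keyed on the default `$scheme$proxy_host$request_uri`, and nothing at this level keeps an authenticated or cookie-dependent response out of it — that contract is left to each vhost. Document it where it is defined, e.g. `# shared store: only for responses identical for every client (no Authorization, no per-user cookie)`. `/var/lib/angie/cache/public` will hold copies of proxied response bodies; Angie creates and chowns the path itself as far as I recall, but verify after reload that it is owned by the worker user and not group/world readable.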
@@ -4,34 +4,94 @@ upstream gitea {
 keepalive 16;
 }
-server {
+# limit req
+limit_req_zone $binary_remote_addr zone=gitea_limit:10m rate=10r/s;
+server {
 listen 443 quic;
 listen 443 ssl;
 http2 on;
 http3 on;
- ssl_protocols TLSv1.3;
+ ssl_protocols TLSv1.3;
 ssl_early_data on;
 add_header Alt-Svc 'h3=":$server_port"; ma=10000';
- server_name gitea.linuxiarz.pl;
- include config/wildcard.conf;
-
- # logging
+ server_name gitea.linuxiarz.pl;
+ include config/wildcard.conf;
+
+ # Logging
 access_log /var/log/angie/gitea.linuxiarz.pl.access.log;
- error_log /var/log/angie/gitea.linuxiarz.pl.error.log warn;
+ error_log /var/log/angie/gitea.linuxiarz.pl.error.log warn;
 status_zone gitea.linuxiarz.pl;
+ limit_req zone=gitea_limit burst=20 nodelay;
+
+ location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|svg|woff|woff2|ttf|eot)$ {
+ proxy_pass http://gitea;
+ include config/proxy.conf;
+
+ proxy_cache public-cache;
+ proxy_cache_valid 200 304 30d;
+ proxy_cache_valid 301 302 1h;
+ proxy_cache_valid any 1m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_background_update on;
+ proxy_cache_lock on;
+ proxy_cache_revalidate on;
+
+ add_header Cache-Control "public, max-age=2592000, immutable";
+ add_header X-Cache-Status $upstream_cache_status;
+ expires 30d;
+ }
+
+ location ~ ^/(api|.*\.git) {
+ limit_req zone=gitea_limit burst=5 nodelay;
+
+ proxy_pass http://gitea;
+ include config/proxy.conf;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 600s;
+ }
+
+ location ~ ^/(avatars|attachments|repo-avatars) {
+ proxy_pass http://gitea;
+ include config/proxy.conf;
+
+ proxy_cache public-cache;
+ proxy_cache_valid 200 7d;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+
+ add_header Cache-Control "public, max-age=604800";
+ add_header X-Cache-Status $upstream_cache_status;
+ }
+
 location / {
 proxy_pass http://gitea;
 include config/proxy.conf;
- }
+
+ proxy_cache public-cache;
+ proxy_cache_valid 200 5m;
+ proxy_cache_bypass $cookie_i_like_gitea $arg_nocache;
+ proxy_no_cache $cookie_i_like_gitea;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ add_header X-Cache-Status $upstream_cache_status;
+ }
 }
 # HTTP redirect
 server {
- listen 80;
+ listen 80;
 server_name gitea.linuxiarz.pl;
 location / {
diff --git a/sites-available/linuxiarz.pl_new.conf b/sites-available/linuxiarz.pl_new.conf
index db9b0ff..54ed58d 100644
--- a/sites-available/linuxiarz.pl_new.conf
+++ b/sites-available/linuxiarz.pl_new.conf
@@ -10,13 +10,8 @@ upstream redirector_app {
 keepalive 16;
 }
-# Cache (jak w oryginale)
-proxy_cache_path /var/cache/angie/redirector
- levels=1:2
- keys_zone=redirect_cache:10m
- max_size=100m
- inactive=24h
- use_temp_path=off;
+# limit req
+limit_req_zone $binary_remote_addr zone=linuxiarz_limit:10m rate=10r/s;
 # HTTP -> HTTPS + normalizacja do www
 server {
@@ -63,6 +58,9 @@ server {
 error_log /var/log/angie/linuxiarz.pl.error.log warn;
 status_zone www.linuxiarz.pl_frontend;
+
+ limit_req zone=linuxiarz_limit burst=20 nodelay;
+
 # Dozwolone metody
 if ($request_method !~ ^(GET|HEAD|POST)$) {
 return 405;
diff --git a/sites-available/listapp.linuxiarz.pl.conf b/sites-available/listapp.linuxiarz.pl.conf
index dea4a63..076841e 100644
--- a/sites-available/listapp.linuxiarz.pl.conf
+++ b/sites-available/listapp.linuxiarz.pl.conf
@@ -1,3 +1,12 @@
+upstream lists_app {
+ zone lists_app 1m;
+ server 127.0.0.1:8283;
+ keepalive 16;
+}
+
+# limit req
+limit_req_zone $binary_remote_addr zone=lists_app_limit:10m rate=30r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
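Review bot: The shared `public-cache` is keyed by URI only (no `proxy_cache_key` is set here and the only per-user signal consulted is `$cookie_i_like_gitea` in `location /`), so a response Gitea authorised for one user can be handed to the next anonymous client asking for the same path: the first regex location matches on file extension alone, so `/org/private-repo/raw/branch/main/app.js` or an `/api/v1/...` path ending in `.css` (the extension location is listed first, so it wins over `location ~ ^/(api|.*\.git)`) is stored for 30 days and stamped `Cache-Control: public, max-age=2592000, immutable` — wrong even for public repos, since raw branch content changes on push — the `/attachments` location caches for 7 days, and a request carrying an `Authorization` header but no cookie passes the `proxy_no_cache` test in `location /`. Limit the extension cache to Gitea's own asset tree with `location ~* ^/assets/.+\.(css|js|jpg|jpeg|gif|png|ico|svg|woff|woff2|ttf|eot)$ {`, and in `location /` and the attachments location use `proxy_no_cache $http_cookie $http_authorization;` together with `proxy_cache_bypass $http_cookie $http_authorization $arg_nocache;` so only fully anonymous responses enter the store. Whether `config/proxy.conf` (not shown) sets a cookie-aware `proxy_cache_key` or `proxy_ignore_headers Set-Cookie`, and whether Gitea attaches a session cookie to these responses (which would already exclude them), is not visible here, so confirm against the upstream before relying on either reading.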
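Review bot: Dropping the `redirect_cache` zone will make the configuration fail to load if any `proxy_cache redirect_cache;` is still present further down this file or in an include — the removed comment says the cache mirrored the original setup, so a consumer very likely existed, and that part of the file is outside the hunk. Grep for `redirect_cache` and run `angie -t` before reloading; if the redirector is meant to stop caching altogether, a one-line comment above the new `limit_req_zone` saying so would prevent the next reader from re-adding it.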
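Review bot: `limit_req` rejects with 503 by default, which neither clients nor monitoring can distinguish from the upstream being down, so next to the new `limit_req zone=linuxiarz_limit burst=20 nodelay;` add `limit_req_status 429;` (and optionally `limit_req_log_level warn;`) so throttled clients get a retryable status and the log shows what happened. The same applies to every other vhost in this commit that gains a `limit_req`. Since the key is `$binary_remote_addr`, clients behind one NAT pool share a single 10r/s bucket; acceptable for a site this size, but worth noting in a comment.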
@@ -24,8 +33,10 @@ server {
 return 301 https://listapp.linuxiarz.pl$request_uri;
 }
+ limit_req zone=lists_app_limit burst=40 nodelay;
+
 location / {
- proxy_pass http://127.0.0.1:6081/;
+ proxy_pass http://varnish;
 proxy_http_version 1.1;
 proxy_cache_bypass $http_upgrade;
@@ -51,7 +62,7 @@ server {
 server_name listapp.linuxiarz.pl;
 location / {
- proxy_pass http://127.0.0.1:8283;
+ proxy_pass http://lists_app;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/sites-available/pa.linuxiarz.pl.conf b/sites-available/pa.linuxiarz.pl.conf
index d62b317..51cad91 100644
--- a/sites-available/pa.linuxiarz.pl.conf
+++ b/sites-available/pa.linuxiarz.pl.conf
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=pa_limit:10m rate=10r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
@@ -18,6 +20,7 @@ server {
 include config/security.conf;
 status_zone pa.linuxiarz.pl;
+ limit_req zone=pa_limit burst=20 nodelay;
 # restrict methods
 if ($request_method !~ ^(GET|POST)$) {
diff --git a/sites-available/paste.linuxiarz.pl_varnish.conf b/sites-available/paste.linuxiarz.pl_varnish.conf
index aa9f53a..e98fe14 100644
--- a/sites-available/paste.linuxiarz.pl_varnish.conf
+++ b/sites-available/paste.linuxiarz.pl_varnish.conf
@@ -1,4 +1,7 @@
+limit_req_zone $binary_remote_addr zone=paste_limit:10m rate=10r/s;
+
 server {
+ listen 8080;
 server_name paste.linuxiarz.pl;
 set $base /var/www/paste.linuxiarz.pl;
@@ -52,6 +55,7 @@ server {
 error_log /var/log/angie/paste.linuxiarz.pl.error.log warn;
 status_zone paste.linuxiarz.pl_frontend;
+ limit_req zone=paste_limit burst=20 nodelay;
 location / {
 proxy_pass http://varnish/;
diff --git a/sites-available/rspamd.linuxiarz.pl.conf b/sites-available/rspamd.linuxiarz.pl.conf
index 6ac7ce4..65ecf34 100644
--- a/sites-available/rspamd.linuxiarz.pl.conf
+++ b/sites-available/rspamd.linuxiarz.pl.conf
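Review bot: The new `proxy_pass http://lists_app;` targets an upstream declared with `keepalive 16`, but this location only sets `Host`, `X-Real-IP` and `X-Forwarded-For`; without `proxy_http_version 1.1;` and `proxy_set_header Connection "";` the keepalive pool is never used and every request opens a fresh connection to 127.0.0.1:8283, unless those two directives come from a line outside the hunk. Add `proxy_http_version 1.1;` and `proxy_set_header Connection "";` beside the existing `proxy_set_header Host $host;`. The enclosing `location /` continues past the end of the hunk.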
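Review bot: `listen 8080;` binds to every interface, so this backend `server` — the one Varnish is meant to talk to, sitting behind the TLS front end that carries the new `limit_req` — becomes reachable directly as plain HTTP from anything that can route to the host, bypassing whatever is enforced only on the front end, unless a host firewall closes the port. Bind it to loopback, `listen 127.0.0.1:8080;`, consistent with the `127.0.0.1` upstream addresses used elsewhere in this commit. Whether an inbound firewall exists on this host is not visible here.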
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=rspamd_limit:10m rate=10r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
@@ -15,7 +17,8 @@ server {
 include config/security.conf;
 status_zone rspamd.linuxiarz.pl;
-
+ limit_req zone=rspamd_limit burst=20 nodelay;
+
 # restrict methods
 if ($request_method !~ ^(GET|POST)$) {
 return '405';
diff --git a/sites-available/sk.linuxiarz.pl.conf b/sites-available/sk.linuxiarz.pl.conf
index 048ad06..c75b3f4 100644
--- a/sites-available/sk.linuxiarz.pl.conf
+++ b/sites-available/sk.linuxiarz.pl.conf
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=sk_limit:10m rate=10r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
@@ -17,6 +19,7 @@ server {
 include config/security.conf;
 status_zone sk.linuxiarz.pl;
+ limit_req zone=sk_limit burst=20 nodelay;
 # restrict methods
 if ($request_method !~ ^(GET|POST)$) {
diff --git a/sites-available/ts3stats.linuxiarz.pl.conf b/sites-available/ts3stats.linuxiarz.pl.conf
index 8ea82d6..b95111c 100644
--- a/sites-available/ts3stats.linuxiarz.pl.conf
+++ b/sites-available/ts3stats.linuxiarz.pl.conf
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=ts3stats_limit:10m rate=10r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
@@ -17,6 +19,7 @@ server {
 include config/security.conf;
 status_zone ts3stats.linuxiarz.pl;
+ limit_req zone=ts3stats_limit burst=20 nodelay;
 # restrict methods
 if ($request_method !~ ^(GET)$) {
diff --git a/sites-available/webmail.linuxiarz.pl.conf b/sites-available/webmail.linuxiarz.pl.conf
index 9d7f9c7..81cf509 100644
--- a/sites-available/webmail.linuxiarz.pl.conf
+++ b/sites-available/webmail.linuxiarz.pl.conf
@@ -1,3 +1,7 @@
+
+# limit req
+limit_req_zone $binary_remote_addr zone=webmail_limit:10m rate=10r/s;
+
 server {
 listen 443 quic;
 listen 443 ssl;
@@ -24,6 +28,7 @@ server {
 error_log /var/log/angie/webmail.linuxiarz.pl.error.log warn;
 status_zone webmail.linuxiarz.pl;
+ limit_req zone=webmail_limit burst=20 nodelay;
 # index.php
 index index.php;
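Review bot: A 10r/s limit with `burst=20 nodelay` at `server` level applies to the webmail client's static assets as well as to `index.php`, and a first page load of a browser mail client commonly fires more than 20 requests for scripts, stylesheets and icons in parallel over HTTP/2 or HTTP/3, so legitimate users are likely to get 503s on assets right after login; check the access log for the request count per page load before relying on this. Either raise the rate or attach the `limit_req` only to the `location` that passes to PHP (the login form is what needs protecting), and add `limit_req_status 429;` so a throttled request is distinguishable from an outage. The `server` block continues outside the hunk, so where the PHP and static locations sit is not visible here.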