upstream rspamd {
    zone rspamd 1m;
    server 127.0.0.1:11334;
    keepalive 16;
}

limit_req_zone $binary_remote_addr zone=rspamd_limit:10m rate=10r/s;

server {
    listen 443 quic;
    listen 443 ssl;
    http2 on;
    http3 on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';

    server_name rspamd.linuxiarz.pl;

    include config/wildcard.conf;

    status_zone rspamd.linuxiarz.pl;
    limit_req zone=rspamd_limit burst=20 nodelay;
    
    # Restrict methods
    if ($request_method !~ ^(GET|POST)$) {
        return 405;
    }

    # Logging
    access_log /var/log/angie/rspamd.linuxiarz.pl.access.log;
    error_log /var/log/angie/rspamd.linuxiarz.pl.error.log warn;

    location / {
        proxy_pass http://rspamd/;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}

# HTTP redirect
server {
    listen 80;
    server_name rspamd.linuxiarz.pl;

    if ($request_method !~ ^(GET)$) {
        return 405;
    }

    location / {
        return 301 https://rspamd.linuxiarz.pl$request_uri;
    }
}