upstream doh {
 zone doh 1m;
 server 127.0.0.1:8844;
 keepalive 16;
}

server {
    listen 443 quic;
    listen 443 ssl;
    http2 on;
    http3 on;
    ssl_protocols       TLSv1.3 TLSv1.2;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';


    server_name             doh.linuxiarz.pl;

    set                     $base /var/www/dnsdist;
    root                    $base;

    status_zone doh.linuxiarz.pl;

    include                 config/wildcard.conf;
    include                 config/security.conf;

    # restrict methods
    if ($request_method !~ ^(GET|POST|HEAD|PUT)$) {
        return '405';
    }

    error_page 400 @echo_400;

    location @echo400 {
        add_header Content-Type text/plain;
        return 200 "Bad request :)";
    }

    error_page 404 403 500 504 502 =200 /;

    # logging
    access_log /var/log/angie/doh.linuxiarz.pl.access.log;
    error_log  /var/log/angie/doh.linuxiarz.pl.error.log warn;

    # additional config
    include config/general.conf;

    location / {
        proxy_pass https://doh;
        include config/proxy.conf;
    }

}

# HTTP redirect
server {
    listen                  80;
    server_name             doh.linuxiarz.pl;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    include config/letsencrypt.conf;

    # restrict methods
    if ($request_method !~ ^(GET)$) {
        return '405';
    }

    location / {
        return 301 https://doh.linuxiarz.pl$request_uri;
    }
}