# example for a production vhost for szurubooru.
# ideally, use ssl termination + cdn with a provider such as cloudflare.
# modify as needed!

# rate limiting zone
# poor man's ddos protection, essentially
limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;

# www -> non-www
server {
  listen 80;
  listen [::]:80;
  server_tokens off;
  server_name www.example.com
  return 301 http://example.com$request_uri;
}

server {
  server_name example.com;
  client_max_body_size 100M;
  client_body_timeout 30s;
  server_tokens off;
  location / {
    limit_req zone=throttle burst=5 delay=3;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Script-Name /szuru;
    error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
    error_page 503 @throttle;
  }

  location @err {
    return 500 "server error. please try again later.";
    default_type text/plain;
  }
  location @throttle {
    return 503 "we've detected abuse on your ip. please wait and try again later.";
    default_type text/plain;
  }
  listen 80;
  listen [::]:80;
}