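# Reverse-proxy front end for the fiddy web app: redirects HTTP to HTTPS,
# terminates TLS, sets response security headers, and rate-limits the
# authentication and write endpoints per client address.

# Key for the write limiter. It is the client address for mutating methods and
# empty for everything else; limit_req does not account requests whose key is
# empty, so reads on the same locations are never throttled. This replaces an
# `if ($request_method ...) { limit_req ...; }` block: limit_req is valid only
# in http, server and location context, so nginx rejects it inside `if`.
# String matching in map ignores case.
map $request_method $fiddy_write_key {
    default "";
    POST    $binary_remote_addr;
    PATCH   $binary_remote_addr;
    PUT     $binary_remote_addr;
    DELETE  $binary_remote_addr;
}

# NOTE(review): $binary_remote_addr is the address of the directly connected
# peer. If a load balancer or CDN sits in front of this host, every client
# shares one bucket unless the real-ip module is configured for that proxy.
limit_req_zone $binary_remote_addr zone=fiddy_auth:10m rate=10r/m;
limit_req_zone $fiddy_write_key zone=fiddy_write:10m rate=60r/m;

upstream fiddy_web {
    server 127.0.0.1:3000;
    keepalive 32;
}

# Plain HTTP: redirect only, nothing is proxied.
server {
    listen 80;
    listen [::]:80;
    server_name fiddy.example.com;

    # NOTE(review): $host reflects the request's Host header. If this block is
    # also the default server for port 80, consider redirecting to the fixed
    # name in server_name instead.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name fiddy.example.com;

    ssl_certificate /etc/letsencrypt/live/fiddy.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fiddy.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Bound request size and slow-client timeouts.
    client_max_body_size 10m;
    client_body_timeout 15s;
    client_header_timeout 15s;
    keepalive_timeout 30s;
    send_timeout 30s;

    # `always` also attaches these headers to error responses.
    # NOTE(review): add_header directives are inherited by a location only if
    # that location defines none of its own. If fiddy-proxy.conf (not shown
    # here) contains any add_header, every header below is dropped for proxied
    # responses; confirm against that file.
    # includeSubDomains plus preload applies HSTS to every subdomain of the
    # site, so all of them must be served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-Request-Id $request_id always;

    # Credential endpoints. With burst=15 nodelay one address can send 16
    # requests back to back before rejections start; after that the 10r/m rate
    # frees one slot every 6 seconds. Both locations draw from the same
    # fiddy_auth zone, so login and register share that budget.
    # NOTE(review): rejected requests get the default 503; set
    # `limit_req_status 429;` if clients should be able to tell throttling
    # from an outage.
    location /api/auth/login {
        limit_req zone=fiddy_auth burst=15 nodelay;
        include /etc/nginx/includes/fiddy-proxy.conf;
    }

    location /api/auth/register {
        limit_req zone=fiddy_auth burst=15 nodelay;
        include /etc/nginx/includes/fiddy-proxy.conf;
    }

    # Data endpoints. Only POST/PATCH/PUT/DELETE count against fiddy_write,
    # because $fiddy_write_key is empty for every other method.
    location ~ ^/api/(entries|buckets|groups|tags|recurring-entries) {
        limit_req zone=fiddy_write burst=40 nodelay;
        include /etc/nginx/includes/fiddy-proxy.conf;
    }

    # Everything else is proxied without a request-rate limit.
    location / {
        include /etc/nginx/includes/fiddy-proxy.conf;
    }
}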