server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name matrix.arcticfoxes.net;

    include /etc/nginx/ssl.conf;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/headers.conf;

    client_max_body_size 0;

    # CORS
    proxy_hide_header Access-Control-Allow-Origin;
    add_header        Access-Control-Allow-Origin "*" always;
    proxy_hide_header Access-Control-Allow-Methods;
    add_header        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
    proxy_hide_header Access-Control-Allow-Headers;
    add_header        Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" always;
    if ($request_method = OPTIONS) {
        return 204;
    }
    access_log off;

    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
    location ~ ^/_matrix/(?:client|media|static)/ {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;

        limit_req zone=accesstoken burst=50;
        limit_req zone=accesstoken_write burst=5 nodelay;
        limit_req zone=ip burst=250;
        limit_req zone=ip_write burst=25 nodelay;
        limit_req_status 429;
        error_page 429 /ratelimited.json;
        limit_req_log_level info;
    }

    location ^~ /_synapse/admin {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;
    }

    location = /health {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;
    }

    location / {
        return 404;
        access_log /var/log/nginx/access_client_invalid.log main;
    }

    location = /ratelimited.json {
        internal;
        root /usr/share/nginx/html;
        access_log /var/log/nginx/access_client_ratelimited.log main;
    }
}

map $request_method $limit_key_accesstoken_write {
    GET "";
    default $http_authorization;
}
limit_req_zone $http_authorization zone=accesstoken:100m rate=25r/s;
limit_req_zone $limit_key_accesstoken_write zone=accesstoken_write:100m rate=3r/s;

map $request_method $limit_key_ip_write {
    GET "";
    default $binary_remote_addr;
}
limit_req_zone $binary_remote_addr zone=ip:10m rate=125r/s;
limit_req_zone $limit_key_ip_write zone=ip_write:10m rate=15r/s;