worker_processes auto;
worker_rlimit_nofile 10000;

events {
    worker_connections 2048;
    multi_accept on;
}

http {
    access_log log/access.log combined buffer=128k flush=5m;
    error_log log/error.log error;

    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;
    reset_timedout_connection on;

    gzip on;
    gzip_comp_level 4;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types *;

    server_tokens off;
    charset utf-8;

    map $server_protocol $h1_addr {
        default "";
        "HTTP/1.0" $binary_remote_addr;
        "HTTP/1.1" $binary_remote_addr;
    }

    limit_conn_status 444;
    limit_conn_zone $binary_remote_addr zone=addr_conn:10m;
    limit_conn_zone $h1_addr zone=h1_conn:10m;
    limit_req_status 444;
    limit_req_zone $binary_remote_addr zone=addr_req:10m rate=100r/m;
    limit_req_zone $h1_addr zone=h1_req:10m rate=10r/m;

    limit_conn addr_conn 10;
    limit_req zone=addr_req burst=20 nodelay;
    limit_conn h1_conn 10;
    limit_req zone=h1_req burst=10 nodelay;

    error_page 400 403 404 500 502 503 504 =444 /444.html;

    types {
        text/html html;
        text/css css;
        application/javascript js;
        application/json json;
        application/pdf pdf;
        image/webp webp;
    }

    upstream ismism {
        server 127.0.0.1:728 fail_timeout=1h;
        server 127.0.0.1:729 backup;
        keepalive 2;
    }

    proxy_cache_path cache levels=1:2 keys_zone=cache:10m max_size=10g inactive=1d use_temp_path=off;

    server {
        server_name _;
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        ssl_protocols TLSv1.3;
        ssl_certificate ssl/ismist.cn.crt;
        ssl_certificate_key ssl/ismist.cn.key;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        location = /444.html {
            return 444;
        }

        return 444;
    }

    server {
        server_name ismist.cn;
        listen 80;
        listen [::]:80;

        location = /444.html {
            return 444;
        }

        location / {
            return 444;
        }

        location = / {
            limit_except GET {
                deny all;
            }
            return 301 https://$host;
        }
    }
    server {
        server_name ismist.cn localhost;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_protocols TLSv1.3;
        ssl_certificate ssl/ismist.cn.crt;
        ssl_certificate_key ssl/ismist.cn.key;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        root ui;

        location = /444.html {
            return 444;
        }

        location / {
            return 444;
        }

        location = / {
            limit_except GET {
                deny all;
            }
            try_files /index.html =444;
        }
        location /wsl {
            limit_except GET {
                deny all;
            }
        }

        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_cache cache;
        proxy_cache_methods GET;
        proxy_cache_valid any 1s;
        proxy_cache_revalidate on;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        location /q/ {
            limit_except GET {
                deny all;
            }
            proxy_pass http://ismism;
        }

        location /p/ {
            limit_except POST {
                deny all;
            }
            proxy_pass http://ismism;
        }
    }
}