nginx.conf/conf.d/ari-lt.conf

server {
    server_name ari.lt;

    http2 on;
    listen 80;
    listen [::]:80;

    limit_req zone=all burst=5 delay=5;
    limit_req zone=allm burst=5 delay=5;

    include /etc/nginx/snippets.d/paranoia-headers.conf;
    add_header Onion-Location "http://arija664fy4c6zhfbsytbqcbz5gcc3qjuwaz4ue6cium5c5fo2fgakyd.onion$request_uri" always;

    return 301 https://$server_name$request_uri;
}

server {
    server_name ari.lt;

    http2 on;
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/ari.lt/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ari.lt/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ari.lt/chain.pem;
    include /etc/nginx/snippets.d/ssl.conf;

    limit_req zone=all burst=40 delay=5;
    limit_req zone=allm burst=40 delay=5;

    add_header Onion-Location "http://arija664fy4c6zhfbsytbqcbz5gcc3qjuwaz4ue6cium5c5fo2fgakyd.onion$request_uri" always;

    location = /.well-known/openpgpkey/policy {
        include /etc/nginx/snippets.d/global-resource.conf;
        return 200 "";
    }

    location = /.well-known/openpgpkey/hu/qfckua8a7bfyw78pn18y63jp9xkjnqoa {
        include /etc/nginx/snippets.d/global-resource.conf;
        alias /var/www/ari-web/ari.lt/.well-known/openpgpkey/hu/qfckua8a7bfyw78pn18y63jp9xkjnqoa;
    }

    location = /.well-known/host-meta {
        include /etc/nginx/snippets.d/global-resource.conf;
        alias /var/www/ari-web/xmpp/host-meta;
    }

    location ~ ^/.well-known/(host-meta|xmpp-provider-v2).json$ {
        include /etc/nginx/snippets.d/global-resource.conf;
        add_header Content-Type "application/json" always;
        alias /var/www/ari-web/xmpp/$1.json;
    }

    location /http-bind {
        include /etc/nginx/snippets.d/proxy-rt.conf;
        proxy_pass http://127.0.0.1:5280/http-bind;
    }

    location /xmpp-websocket {
        include /etc/nginx/snippets.d/proxy-rt.conf;
        proxy_pass http://127.0.0.1:5280/xmpp-websocket;
    }

    location /.well-known/atproto-did {
        include /etc/nginx/snippets.d/global-resource.conf;
        default_type text/plain;
        return 200 "did:plc:wpr63uqnrodpq4lolakjlrdv";
    }

    location = /yandex_ec8b6057b83317cd.html {
        default_type text/html;
        alias /var/www/ari-web/yandex_ec8b6057b83317cd.html;
    }

    location / {
        include /etc/nginx/snippets.d/gzip.conf;
        include /etc/nginx/snippets.d/proxy.conf;
        proxy_set_header X-From-Tor "0";
        proxy_pass http://127.0.0.1:17312;
    }
}

server {
    server_name arija664fy4c6zhfbsytbqcbz5gcc3qjuwaz4ue6cium5c5fo2fgakyd.onion;

    http2 on;
    listen 80;

    limit_req zone=all burst=40 delay=5;
    limit_req zone=allm burst=40 delay=5;

    location = /.well-known/openpgpkey/policy {
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET" always;
        return 200 "";
    }

    location = /.well-known/openpgpkey/hu/qfckua8a7bfyw78pn18y63jp9xkjnqoa {
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET" always;
        alias /var/www/ari-web/ari.lt/.well-known/openpgpkey/hu/qfckua8a7bfyw78pn18y63jp9xkjnqoa;
    }

    location / {
        include /etc/nginx/snippets.d/gzip.conf;
        include /etc/nginx/snippets.d/proxy.conf;
        proxy_set_header X-From-Tor "1";
        proxy_pass http://127.0.0.1:17312;
    }
}