# Catch-all virtual hosts: a request that reaches either socket by bare IP or
# with a Host header matching none of the server_name values below is answered
# with 400 instead of the site content.
#
# Both sockets expect a PROXY protocol header from the connecting peer
# (`proxy_protocol` on listen). `set_real_ip_from unix:` trusts every peer on a
# unix socket, and `real_ip_header proxy_protocol` takes the client address
# from that header.
# NOTE(review): /dev/shm is normally world-writable and nginx creates its unix
# sockets connectable by any local user, so the logged client address is only
# as trustworthy as the set of processes able to reach these paths. Confirm
# that only the front proxy can connect (for example a dedicated directory
# with restricted permissions) before relying on $remote_addr in logs or
# access rules.

# Catch-all for the cleartext HTTP/2 (h2c) socket.
server {
    listen unix:/dev/shm/h2c.sock proxy_protocol default_server;
    # listen 5000;
    http2 on;  # standalone http2 directive, nginx 1.25.1+
    server_name _;  # placeholder name that matches no real Host

    set_real_ip_from unix:;
    real_ip_header proxy_protocol;

    return 400 "not allowed";
}

# Catch-all for the HTTP/1.x socket.
server {
    listen unix:/dev/shm/h1.sock proxy_protocol default_server;
    # listen 5001;
    server_name _;

    set_real_ip_from unix:;
    real_ip_header proxy_protocol;

    return 400 "not allowed";
}

# HTTP1 UDS listener: serves the static site for the configured host name.
server {
    listen unix:/dev/shm/h1.sock proxy_protocol;
    # listen 5001;
    server_name xx.l4.ca.bg.107421.xyz;

    set_real_ip_from unix:;
    real_ip_header proxy_protocol;

    location / {
        root /var/www/html/;
        index index.html index.htm;

        # HSTS; `always` attaches the header to error responses as well.
        # `includeSubDomains; preload` commits every subdomain to HTTPS and is
        # slow to undo once the domain is on a browser preload list.
        # NOTE(review): presumably TLS is terminated by the proxy in front of
        # this socket; browsers ignore HSTS received over plain HTTP.
        # add_header is inherited only when a level defines none of its own,
        # so a nested location with its own add_header must repeat this line.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
}

# HTTP2 UDS listener: same site over cleartext HTTP/2.
server {
    listen unix:/dev/shm/h2c.sock proxy_protocol;
    http2 on;
    server_name xx.l4.ca.bg.107421.xyz;

    set_real_ip_from unix:;
    real_ip_header proxy_protocol;

    # grpc settings (disabled)
    # grpc_read_timeout 1h;
    # grpc_send_timeout 1h;
    # grpc_set_header X-Real-IP $remote_addr;

    # Decoy website
    location / {
        root /var/www/html;
        index index.html index.htm;

        # HSTS, same policy as the HTTP/1.x listener.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
}