update stalwart.conf
authorShane Jaroch <chown_tee@proton.me>
Fri, 16 Jan 2026 00:24:01 +0000 (19:24 -0500)
committerShane Jaroch <chown_tee@proton.me>
Fri, 16 Jan 2026 00:24:01 +0000 (19:24 -0500)
etc/nginx/conf.d/stalwart.conf

index 8bb42c12872ba83168d04d2dd548a635197f152e..dde602885901bd009d782915a4e5cbef61d6fdaf 100644 (file)
@@ -1,8 +1,44 @@
+# HTTP -> HTTPS Redirect
 server {
-    server_name mail.nutra.tk;
+    listen 80;
+    listen [::]:80;
+    server_name mail.yourdomain.com;
+    return 301 https://$host$request_uri;
+}
+
+# Main Server (HTTPS + HTTP/3)
+server {
+    server_name mail.yourdomain.com;
+
+    # HTTP/3 (QUIC) - UDP
+    # Note: No 'reuseport' here because dev.nutra.tk already has it
+    listen 443 quic;
+    listen [::]:443 quic;
+
+    # HTTP/2 & 1.1 (Fallback) - TCP
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    # Enable protocols
+    http2 on;
+    http3 on;
+
+    # Advertise HTTP/3 availability
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
 
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    # Large attachments for Email
     client_max_body_size 50M;
 
+    # SSL Configuration
+    # (Ensure you point these to the actual certs generated for your mail domain)
+    ssl_certificate /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
     location / {
         proxy_pass http://127.0.0.1:8080;
 
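Review bot: The new port-80 block's `return 301 https://$host$request_uri;` builds the Location header from the client-supplied Host header, and the old block's `if ($host = mail.nutra.tk)` guard with its `return 404` fallback is gone. If this block is ever selected as the default server for port 80 (not determinable from this file alone), any Host value is reflected into the redirect; `return 301 https://$server_name$request_uri;` pins the target to the configured name. Separately, `server_name` and both `ssl_certificate*` paths now use the placeholder `mail.yourdomain.com` while the QUIC comment still refers to `dev.nutra.tk`. As committed, the block will not match the real mail hostname, and the certificate paths presumably do not exist on the host, in which case `nginx -t` would fail.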
@@ -12,29 +48,13 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
 
-        # WebSocket Support (REQUIRED for JMAP/Stalwart admin UI)
+        # WebSocket Support (REQUIRED for Stalwart JMAP/Admin)
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # Long timeouts to keep the live-view logs/WebSockets active
+        # Timeouts for long-lived connections
         proxy_read_timeout 3600s;
         proxy_send_timeout 3600s;
     }
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/mail.nutra.tk/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/mail.nutra.tk/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
-    if ($host = mail.nutra.tk) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
-
-    server_name mail.nutra.tk;
-    listen 80;
-    return 404; # managed by Certbot
 }
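Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in this location appends the peer address to whatever X-Forwarded-For value the client sent, so every entry except the last is client-controlled. If the backend on 127.0.0.1:8080 uses this header for logging, rate limiting or blocking after failed logins (not visible here), it should trust only the last entry. When nginx is the only proxy in front, it can instead overwrite the header with `proxy_set_header X-Forwarded-For $remote_addr;`. The `location /` block opens in the previous hunk and the lines between the two hunks are not shown, so a header set there may already cover this.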