# Omit the nginx version from the Server response header and built-in error pages.
server_tokens off;

# One JSON object per request. escape=json escapes characters in variable values
# that are not valid inside a JSON string, so client-controlled values such as
# $request cannot break out of their field. status, body_bytes_sent and
# request_time are written unquoted, i.e. as JSON numbers.
# NOTE(review): $request holds the full request line including the query string,
# so any credential or token passed in a URL is written to this log; restrict
# read access to the log files accordingly.
# NOTE(review): $remote_addr is the address of the connecting peer. If this
# server sits behind a load balancer or another proxy, that is the proxy's
# address unless the real client address is restored elsewhere - confirm.
log_format main_json escape=json
  '{'
    '"time":"$time_iso8601",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":$status,'
    '"body_bytes_sent":$body_bytes_sent,'
    '"request_time":$request_time'
  '}';

access_log /var/log/nginx/access.log main_json;
# Only messages at level warn and above are written to the error log.
error_log /var/log/nginx/error.log warn;

# Shared-memory zone "perip" (10 MB) tracking request rate per client address,
# capped at 10 requests per second. The key is the peer address, so the proxy
# caveat above applies: clients arriving through one proxy share one bucket.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

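server {
    # TLS listener with HTTP/2, limited to TLS 1.2 and 1.3.
    # NOTE(review): no ssl_certificate / ssl_certificate_key is set in this block;
    # confirm they are inherited from the enclosing http context, otherwise nginx
    # cannot serve TLS on this listener.
    # NOTE(review): the "http2" listen parameter is deprecated from nginx 1.25.1 in
    # favour of the separate "http2 on;" directive - check the deployed version.
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;

    # "always" sends these headers on error responses too. Headers set at server
    # level are inherited by a location only while that location declares no
    # add_header of its own; adding one there silently drops both of these.
    # NOTE(review): no Strict-Transport-Security header is set; consider adding
    # one once every host under this name is confirmed to be HTTPS-only.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    location / {
        # Up to 20 requests above the 10r/s rate are served immediately (nodelay);
        # anything beyond that is rejected, with status 503 unless
        # limit_req_status is set elsewhere.
        limit_req zone=perip burst=20 nodelay;
        proxy_pass http://app_backend;
    }

    location /admin/ {
        # limit_req is not set at server level, so without this line the
        # password-protected path was the one location with no rate limit at all,
        # leaving Basic-auth guessing unthrottled. It reuses the per-address limit
        # applied to "/"; a dedicated, stricter zone may suit a login path better.
        limit_req zone=perip burst=20 nodelay;
        auth_basic "restricted";
        auth_basic_user_file /etc/nginx/htpasswd.admin;
        # NOTE(review): there is no proxy_pass here, so authenticated requests are
        # served from this server's document root rather than app_backend -
        # confirm that is intended.
        # NOTE(review): keep the htpasswd file readable only by the nginx user and
        # make sure it uses a strong hash format.
    }
}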
