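matrix.DOMAIN.tld {

	# Caddy obtains and renews the certificate automatically.
	# Uncomment to set the contact address used for the ACME account:
	# tls your@email.com

	# Identity API requests; routed to localhost:8090 below.
	@identity {
		path /_matrix/identity/*
	}

	# User-directory search; routed to localhost:8090 below.
	# The exact path is listed as well: ".../search/*" on its own does not
	# match a request for ".../search", so that request would fall through
	# to the default upstream.
	# NOTE(review): only the r0 prefix is matched; requests using another
	# client-API version prefix go to the default upstream. Confirm intent.
	@search {
		path /_matrix/client/r0/user_directory/search /_matrix/client/r0/user_directory/search/*
	}

	# Static files that get a long-lived Cache-Control header below.
	@static {
		path /matrix/static-files/*
	}

	# The negated matchers (@noidentity, @nosearch, @nostatic) were never
	# referenced and are dropped: `handle` blocks are mutually exclusive, so
	# the catch-all `handle` already receives everything not matched above.

	header {
		# HSTS: browsers that have seen this header use HTTPS only for one year.
		# includeSubDomains extends the policy to every host below this name.
		# NOTE(review): preload-list submission is done for the registrable
		# domain, so `preload` sent from a subdomain likely has no effect by
		# itself. Confirm before relying on it.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Legacy XSS-auditor switch. Current browsers no longer implement the
		# auditor, so this gives little protection.
		# NOTE(review): a Content-Security-Policy is the effective control.
		X-XSS-Protection "1; mode=block"
		# Prevent browsers from MIME-sniffing a response away from the declared Content-Type
		X-Content-Type-Options "nosniff"
		# Disallow rendering the site within a frame (clickjacking protection)
		X-Frame-Options "DENY"
		# Ask crawlers not to index, archive or follow links on this host
		X-Robots-Tag "noindex, noarchive, nofollow"
		# A stray editor status line ("167,9 79%") was removed here; inside a
		# `header` block it would have been read as a header field to set.
	}

	# Long-lived caching for static files. `defer` applies the header when the
	# response is written, so it takes effect after the upstream has set its own.
	header @static {
		Cache-Control "public, max-age=31536000"
		defer
	}

	# Forwarded headers (applies to all three reverse_proxy blocks below):
	# the upstreams should listen on loopback only and trust X-Forwarded-*
	# solely from this proxy; a client that can reach an upstream directly
	# could otherwise supply these headers itself.
	# NOTE(review): {tls_protocol} and {proto} look like Caddy v1 placeholder
	# names; the Caddy v2 equivalents are {http.request.tls.version} and
	# {http.request.proto}. Confirm what the upstream receives in
	# X-Forwarded-TlsProto and X-Forwarded-HttpsProto.

	# identity
	handle @identity {
		reverse_proxy localhost:8090 {
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-TlsProto {tls_protocol}
			header_up X-Forwarded-TlsCipher {tls_cipher}
			header_up X-Forwarded-HttpsProto {proto}
		}
	}

	# search
	handle @search {
		reverse_proxy localhost:8090 {
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-TlsProto {tls_protocol}
			header_up X-Forwarded-TlsCipher {tls_cipher}
			header_up X-Forwarded-HttpsProto {proto}
		}
	}

	# everything else goes to the upstream on localhost:8008
	handle {
		encode zstd gzip

		reverse_proxy localhost:8008 {
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-TlsProto {tls_protocol}
			header_up X-Forwarded-TlsCipher {tls_cipher}
			header_up X-Forwarded-HttpsProto {proto}
		}
	}
}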

matrix.DOMAIN.tld:8448 {
	# Listener on port 8448 (the default Matrix federation port).
	# Every request is compressed where the client allows it and passed to
	# the upstream on 127.0.0.1:8048.
	# NOTE(review): 8048 differs from the 8008 used by the main site block.
	# Confirm it matches a listener configured on the upstream.
	# NOTE(review): this site sets none of the response headers (HSTS etc.)
	# that the other site blocks set. Confirm that is intended.
	handle {
		encode zstd gzip

		# The upstream should listen on loopback only and trust
		# X-Forwarded-* solely from this proxy.
		# NOTE(review): {tls_protocol} and {proto} look like Caddy v1
		# placeholder names. Confirm what the upstream receives for them.
		reverse_proxy 127.0.0.1:8048 {
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-TlsProto {tls_protocol}
			header_up X-Forwarded-TlsCipher {tls_cipher}
			header_up X-Forwarded-HttpsProto {proto}
		}
	}
}

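element.DOMAIN.tld {

	# Caddy obtains and renews the certificate automatically.
	# Uncomment to set the contact address used for the ACME account:
	# tls your@email.com

	header {
		# HSTS: browsers that have seen this header use HTTPS only for one year.
		# includeSubDomains extends the policy to every host below this name.
		# NOTE(review): preload-list submission is done for the registrable
		# domain, so `preload` sent from a subdomain likely has no effect by
		# itself. Confirm before relying on it.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Legacy XSS-auditor switch. Current browsers no longer implement the
		# auditor, so this gives little protection.
		# NOTE(review): a Content-Security-Policy is the effective control
		# for a web client like this one.
		X-XSS-Protection "1; mode=block"
		# Prevent browsers from MIME-sniffing a response away from the declared Content-Type
		X-Content-Type-Options "nosniff"
		# Disallow rendering the site within a frame (clickjacking protection)
		X-Frame-Options "DENY"
		# Ask crawlers not to index, archive or follow links on this host
		X-Robots-Tag "noindex, noarchive, nofollow"
	}

	handle {
		encode zstd gzip

		# The upstream should listen on loopback only and trust
		# X-Forwarded-* solely from this proxy.
		# NOTE(review): {tls_protocol} and {proto} look like Caddy v1
		# placeholder names. Confirm what the upstream receives for them.
		reverse_proxy localhost:8765 {
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-TlsProto {tls_protocol}
			header_up X-Forwarded-TlsCipher {tls_cipher}
			header_up X-Forwarded-HttpsProto {proto}
		}
		# The brace closing reverse_proxy was missing in the original, which
		# left the site block unterminated; it is restored above.
	}
}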

#dimension.DOMAIN.tld {
#      
#      # creates letsencrypt certificate
#      # tls your@email.com
#      
#      header {
#          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
#          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#          # Enable cross-site filter (XSS) and tell browser to block detected attacks
#          X-XSS-Protection "1; mode=block"
#          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
#          X-Content-Type-Options "nosniff"
#          # Disallow the site to be rendered within a frame (clickjacking protection)
#          X-Frame-Options "DENY"
#          # X-Robots-Tag
#          X-Robots-Tag "noindex, noarchive, nofollow"
#    }
#
#      handle {
#          encode zstd gzip
#
#          reverse_proxy localhost:8184  {
#                  header_up X-Forwarded-Port {http.request.port}
#                  header_up X-Forwarded-Proto {http.request.scheme}
#                  header_up X-Forwarded-TlsProto {tls_protocol}
#                  header_up X-Forwarded-TlsCipher {tls_cipher}
#                  header_up X-Forwarded-HttpsProto {proto}
#          }
#    }
#}


#jitsi.DOMAIN.tld {
#  
#  # creates letsencrypt certificate
#  # tls your@email.com
#
#  header {
#        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
#        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#
#        # Enable cross-site filter (XSS) and tell browser to block detected attacks
#        X-XSS-Protection "1; mode=block"
#
#        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
#        X-Content-Type-Options "nosniff"
#
#        # Only allow the site to be framed by pages of the same origin (clickjacking protection)
#        X-Frame-Options "SAMEORIGIN"
#
#        # Disable some browser features (Feature-Policy has since been renamed Permissions-Policy, which uses a different syntax)
#        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
#
#        # Referer
#        Referrer-Policy "no-referrer"
#
#        # X-Robots-Tag
#        X-Robots-Tag "none"
#
#        # Remove Server header
#        -Server
#  }
#
#  handle {
#        encode zstd gzip
#
#        reverse_proxy 127.0.0.1:12080 {
#               header_up X-Forwarded-Port {http.request.port}
#               header_up X-Forwarded-Proto {http.request.scheme}
#               header_up X-Forwarded-TlsProto {tls_protocol}
#               header_up X-Forwarded-TlsCipher {tls_cipher}
#               header_up X-Forwarded-HttpsProto {proto}
#        }
#  }
#}