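# HTTP to HTTPS redirect
# Binds every hostname on :80 and reflects the client-supplied Host header
# into the Location target; only the scheme is forced, so a client is never
# redirected to a host other than the one it asked for itself.
:80 {
	redir https://{host}{uri} permanent
}

# HTTPS Frontend
m040tbaraspi001.de040.corpintra.net:443 {
	# TLS configuration with custom certificates
	tls /etc/ssl/certs/myp/frontend.crt /etc/ssl/certs/myp/frontend.key

	# Security headers (applied to every response from this site block)
	header {
		# Enable HSTS: one year, all subdomains. `preload` has no effect on its
		# own; it only signals eligibility for the browser preload list.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Stop MIME sniffing and clickjacking via framing
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		# Changed from "1; mode=block": the legacy XSS auditor has been removed
		# from current browsers and, where it still exists, the filter itself
		# has been abused for cross-site leaks. OWASP recommends explicitly
		# disabling it; the CSP below is the effective control.
		X-XSS-Protection "0"
		# CSP
		# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src cancel
		# most of what script-src buys against injected script. Left unchanged
		# so the frontend bundle keeps working; tighten with nonces/hashes once
		# the app no longer needs them.
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://raspberrypi;"
		# Remove server header
		-Server
	}

	# Health check endpoint (exact path match; unauthenticated, returns no
	# internal detail)
	handle /health {
		respond "OK" 200
	}

	# API proxy to backend
	handle /api/* {
		reverse_proxy https://raspberrypi {
			transport http {
				# NOTE(review): this disables certificate verification toward
				# the backend, so the frontend→raspberrypi hop is only
				# encrypted, not authenticated, and anyone on that path can
				# impersonate the backend. Prefer keeping verification on and
				# trusting the backend's issuing CA explicitly, e.g.
				# `tls_trusted_ca_certs <backend-ca.pem>`. Kept as-is because
				# the backend certificate is not visible from this file.
				tls_insecure_skip_verify
			}
			# Forward the upstream host and the real client address. Caddy is
			# the edge here, so X-Forwarded-For is set rather than appended to.
			header_up Host {upstream_hostport}
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
		}
	}

	# Frontend application
	# `handle` blocks are evaluated before this bare reverse_proxy, and both
	# respond and reverse_proxy terminate the handler chain, so only requests
	# that matched neither /health nor /api/* reach the frontend app.
	reverse_proxy frontend-app:3000 {
		header_up Host {host}
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-For {remote_host}
		header_up X-Forwarded-Proto {scheme}
	}

	# Logging (JSON access log for the whole site block)
	log {
		output file /var/log/caddy/access.log
		format json
	}

	# Enable compression
	encode gzip
}

# Fallback for direct IP access
# The certificate is issued for the hostname, so a client connecting by IP
# will see a name-mismatch error before it ever receives this redirect; the
# block only helps clients that choose to continue past that warning.
192.168.0.109:443 {
	tls /etc/ssl/certs/myp/frontend.crt /etc/ssl/certs/myp/frontend.key
	redir https://m040tbaraspi001.de040.corpintra.net{uri} permanent
}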