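# 🔄 MYP reverse proxy configuration
# Caddy server for load balancing and TLS termination.
#
# NOTE(review): `auto_https off` disables Caddy's certificate management and
# HTTP->HTTPS redirects, so unless TLS is configured elsewhere these sites are
# served over plain HTTP. Browsers ignore Strict-Transport-Security on HTTP
# responses, and the `preload` token below should only ever be sent by a
# production HTTPS deployment — confirm before reusing this file outside
# development.

{
	# Global options
	# `debug` raises the default logger to DEBUG (verbose, development only).
	debug
	# No automatic certificates / redirects (see note above).
	auto_https off
	# ACME account e-mail; presumably unused while auto_https is off.
	email admin@mercedes-benz.com
	# Local (internal CA) certificates for development
	local_certs
}

# Main domain configuration
{$CADDY_HOST:localhost}, {$CADDY_DOMAIN:myp.local} {

	# === API routes ===
	# Backend API endpoints.
	# NOTE(review): this matcher also claims /auth/*. If Caddy keeps these
	# handle blocks in source order (both matchers list several paths, so no
	# longest-path re-sorting applies), the @oauth handle further down never
	# sees /auth/login/callback, /auth/logout or /auth/verify — they reach the
	# backend here, without the no-cache headers. Confirm which service should
	# own those paths.
	@api {
		path /api/*
		path /health
		path /auth/*
		path /swagger/*
		path /docs/*
	}
	handle @api {
		# Strip the /api prefix before forwarding to the backend
		# (so /api/health and /health both arrive as /health).
		uri strip_prefix /api

		# Backend server (load balancing for high availability)
		reverse_proxy {
			to backend:5000

			# Active health checks
			health_uri /health
			health_interval 30s
			health_timeout 10s

			# Load balancing policy (only meaningful once more than one
			# upstream is listed).
			lb_policy round_robin

			# Passive health checks: after max_fails failed requests the
			# upstream is skipped for fail_duration.
			fail_duration 30s
			max_fails 3

			# Forwarded headers. X-Forwarded-For is set to the directly
			# connected client only (no chain appending), so a client-supplied
			# X-Forwarded-For is never trusted; if another proxy sits in front
			# of Caddy, configure trusted_proxies instead of widening this.
			header_up Host {upstream_hostport}
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
			header_up X-Forwarded-Host {host}
		}
	}

	# === OAuth and authentication ===
	@oauth {
		path /auth/login/callback*
		path /auth/logout*
		path /auth/verify*
	}
	handle @oauth {
		# Never cache auth endpoints
		header Cache-Control "no-cache, no-store, must-revalidate"
		header Pragma "no-cache"
		header Expires "0"
		reverse_proxy frontend:3000
	}

	# === Static assets ===
	@static {
		path *.js *.css *.png *.jpg *.jpeg *.gif *.svg *.ico *.woff *.woff2 *.ttf *.eot
		path /_next/static/*
		path /static/*
		path /assets/*
	}
	handle @static {
		# Long-lived caching; assumes static file names are fingerprinted,
		# otherwise `immutable` will pin stale assets for a year.
		header Cache-Control "public, max-age=31536000, immutable"
		header Vary "Accept-Encoding"
		# Compression
		encode gzip zstd
		reverse_proxy frontend:3000
	}

	# === Frontend application (catch-all) ===
	handle {
		# Dynamic content: no caching
		header Cache-Control "no-cache, no-store, must-revalidate"
		header Pragma "no-cache"

		# Frontend server
		reverse_proxy {
			to frontend:3000

			# Active health checks
			health_uri /
			health_interval 30s
			health_timeout 10s

			# Forwarded headers (same policy as the API proxy above)
			header_up Host {upstream_hostport}
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-For {remote_host}
			header_up X-Forwarded-Proto {scheme}
			header_up X-Forwarded-Host {host}
		}
	}

	# === Security headers ===
	# `header` is ordered before `handle` by Caddy, so these apply to every
	# response of this site.
	header {
		# HSTS — only effective on HTTPS responses (see note at top of file).
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

		# Content Security Policy.
		# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely
		# neutralise the CSP as an XSS control; acceptable for a dev build with
		# hot reload, but production should move to nonces or hashes.
		# frame-src only limits what this page may embed; frame-ancestors is
		# the CSP counterpart of X-Frame-Options and is set to the same
		# same-origin policy so both mechanisms agree.
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-src 'none'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'"

		# MIME sniffing / framing / legacy XSS filter.
		# NOTE(review): X-XSS-Protection is deprecated and ignored by current
		# browsers; current guidance is to set it to "0" or drop it and rely
		# on the CSP. Left unchanged here.
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"

		# Referrer policy
		Referrer-Policy "strict-origin-when-cross-origin"

		# Permissions Policy (formerly Feature Policy)
		Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"

		# Hide server information
		-Server
		-X-Powered-By
	}

	# === Logging ===
	log {
		output file /var/log/caddy/myp-access.log {
			roll_size 100mb
			roll_keep 5
			roll_keep_for 720h
		}
		format json
		level INFO
	}

	# === Rate limiting ===
	# NOTE(review): rate_limit is not a built-in directive; this file only
	# loads in a Caddy build that includes the caddy-ratelimit plugin. With
	# no matcher on the directive, both zones appear to apply to every
	# request of this site, so api_calls (100/min) would also bound static
	# asset requests — attach matchers to the zones if that is unintended.
	rate_limit {
		zone static_files {
			key {remote_host}
			events 1000
			window 1m
		}
		zone api_calls {
			key {remote_host}
			events 100
			window 1m
		}
	}

	# === Error handling ===
	# NOTE(review): the rewritten path is appended to the file_server root,
	# so these pages are looked up at /usr/share/caddy/errors/errors/502.html
	# and .../errors/503.html. If the files live directly under the root,
	# rewrite to /502.html and /503.html instead.
	handle_errors {
		@502 expression `{http.error.status_code} == 502`
		handle @502 {
			rewrite * /errors/502.html
			file_server {
				root /usr/share/caddy/errors
			}
		}
		@503 expression `{http.error.status_code} == 503`
		handle @503 {
			rewrite * /errors/503.html
			file_server {
				root /usr/share/caddy/errors
			}
		}
	}

	# === Development features ===
	# WebSocket support for hot reload.
	# NOTE(review): reverse_proxy already passes WebSocket upgrades through,
	# and the catch-all handle above proxies to the same upstream, so this
	# block presumably only differs in not setting the no-cache headers.
	@websocket {
		header Connection *Upgrade*
		header Upgrade websocket
	}
	handle @websocket {
		reverse_proxy frontend:3000
	}
}

# === Monitoring endpoints (development only) ===
monitoring.{$CADDY_DOMAIN:myp.local} {
	# Prometheus metrics (proxied to Prometheus itself)
	handle /metrics {
		reverse_proxy prometheus:9090
	}

	# Grafana dashboards
	handle /grafana/* {
		uri strip_prefix /grafana
		reverse_proxy grafana:3000
	}

	# Caddy admin API.
	# NOTE(review): anyone holding the basic-auth credential below can read
	# and replace the running Caddy configuration through this route; keep it
	# disabled outside local development. The /admin prefix is also not
	# stripped, so requests arrive at localhost:2019/admin/... rather than at
	# the admin API's own paths — confirm this route actually works.
	handle /admin/* {
		reverse_proxy localhost:2019
	}

	# Basic authentication for the whole monitoring host. Caddy orders
	# basicauth before handle, so it protects all three routes above despite
	# appearing last. The hash below is a bcrypt hash (cost 14), so the
	# password itself is not stored here.
	basicauth /* {
		admin $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNqBZnp6N5i8rGjW5h3qK4/tW
	}
}

# === Health checks ===
# These endpoints are unauthenticated; they only reveal reachability of the
# backend and frontend.
health.{$CADDY_DOMAIN:myp.local} {
	respond /health "OK" 200

	handle /backend/health {
		# Caddy upstream addresses may not carry a path (the original
		# `backend:5000/health` is rejected at config load); rewrite the
		# request to the backend's health path and proxy to the host only.
		rewrite * /health
		reverse_proxy backend:5000
	}

	handle /frontend/health {
		reverse_proxy frontend:3000
	}
}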