Projektarbeit-MYP/frontend/docker/caddy/Caddyfile_copy

{
    debug
    auto_https disable_redirects
}

# Produktionsumgebung - Spezifischer Hostname für Mercedes-Benz Werk 040 Berlin
m040tbaraspi001.de040.corpintra.net {
    # TLS mit selbstsignierten Zertifikaten für die Produktionsumgebung
    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key {
        protocols tls1.2 tls1.3
    }

    # API Anfragen zum Backend (Raspberry Pi) weiterleiten
    @api {
        path /api/* /health
    }
    handle @api {
        uri strip_prefix /api
        reverse_proxy raspberrypi:443 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
        }
    }

    # Alle anderen Anfragen zum Frontend weiterleiten
    handle {
        reverse_proxy myp-rp-dev:3000 {
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
        }
    }

    # OAuth Callbacks
    @oauth path /auth/login/callback*
    handle @oauth {
        header Cache-Control "no-cache"
        reverse_proxy myp-rp-dev:3000
    }
    
    # Produktions-Header
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}

# Entwicklungsumgebung - Localhost und Raspberry Pi Backend (weiterhin für lokale Entwicklung verfügbar)
localhost, 127.0.0.1 {
    # API Anfragen zum Raspberry Pi Backend weiterleiten
    @api {
        path /api/* /health
    }
    handle @api {
        uri strip_prefix /api
        reverse_proxy raspberrypi:443 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
        }
    }

    # Alle anderen Anfragen zum Frontend weiterleiten
    handle {
        reverse_proxy myp-rp-dev:3000 {
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
        }
    }

    # TLS für lokale Entwicklung
    tls /etc/caddy/ssl/frontend.crt /etc/caddy/ssl/frontend.key

    # OAuth Callbacks für Entwicklung
    @oauth path /auth/login/callback*
    handle @oauth {
        header Cache-Control "no-cache"
        reverse_proxy myp-rp-dev:3000
    }
    
    # Entwicklungsfreundliche Header
    header {
        # Weniger restriktive Sicherheitsheader für Entwicklung
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        
        # Keine Caches für Entwicklung
        Cache-Control "no-store, no-cache, must-revalidate"
        
        # CORS für Entwicklung
        Access-Control-Allow-Origin "*"
        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Access-Control-Allow-Headers "Content-Type, Authorization"
    }
}