# Caddyfile for Media Gallery
# Automatic HTTPS for localhost, using certificates issued by Caddy's local CA (trusted on this machine only, not publicly)

localhost:443 {
    # Local site block: Caddy terminates TLS for localhost and proxies to two
    # services on the same machine (frontend on 3001, API on 8000). Both
    # upstreams are reached over plain HTTP on loopback.
    #
    # Frontend (catch-all): no matcher, so this serves every request that the
    # /api/* handle below does not take. Caddy sorts directives itself and
    # orders `handle` ahead of `reverse_proxy`, so the position of this line in
    # the file does not decide which of the two wins.
    reverse_proxy localhost:3001 {
        # Pass the client's Upgrade/Connection headers upstream for Vite HMR websockets.
        # NOTE(review): Caddy v2's reverse_proxy already handles WebSocket
        # upgrades, so these two lines are probably redundant; confirm before removing.
        header_up Upgrade {http.request.header.Upgrade}
        header_up Connection {http.request.header.Connection}
    }

    # API endpoints: any path under /api/ goes to the backend on port 8000.
    # `handle` (unlike `handle_path`) leaves the /api prefix on the request.
    handle /api/* {
        reverse_proxy localhost:8000 {
            # Disable buffering for video streaming: a negative interval makes
            # Caddy flush to the client after every write from the upstream.
            flush_interval -1
        }
    }

    # Access logging, JSON format, rotated at 10 MB with 5 rolled files kept.
    # The path is relative, so it resolves against Caddy's working directory.
    # NOTE(review): access-log entries include client addresses and full request
    # URIs (query strings included). Keep this file out of any served or
    # version-controlled directory and restrict its permissions; if the API ever
    # carries tokens in URLs (not visible here), they would be recorded too.
    log {
        output file ./caddy-access.log {
            roll_size 10mb
            roll_keep 5
        }
        format json
    }

    # Compress responses for clients that advertise gzip or zstd support.
    encode gzip zstd

    # Security headers, added to responses for this site (no matcher given).
    # NOTE(review): no Content-Security-Policy is set in this block. That header
    # is the current mechanism for limiting script injection and framing;
    # check whether the frontend or API sets one itself.
    header {
        # HSTS: browsers remember for one year (31536000 s) to use HTTPS only.
        # NOTE(review): HSTS is keyed by hostname, not port. A browser that
        # honors it for localhost will then force HTTPS on every other localhost
        # dev server too, for the whole max-age. Consider applying this header
        # only on the real domain, or using a short max-age during development.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Prevent clickjacking: only same-origin pages may frame this site.
        # (CSP `frame-ancestors 'self'` is the modern equivalent.)
        X-Frame-Options "SAMEORIGIN"
        # Prevent MIME sniffing: browsers must honor the declared Content-Type.
        X-Content-Type-Options "nosniff"
        # Legacy XSS filter switch.
        # NOTE(review): current browsers have removed the XSS auditor this header
        # controlled, and present guidance (e.g. OWASP) is to send "0" or omit it
        # and rely on a Content-Security-Policy. This line gives no protection
        # in modern browsers.
        X-XSS-Protection "1; mode=block"
    }
}

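# For production with a real domain, use a site block like the one below.
# Note: this sketch contains only the proxy routes; the log, encode and
# security-header blocks from the localhost site are not repeated here and
# must be carried over if they are wanted in production.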
# yourdomain.com {
#     reverse_proxy localhost:3001
#     handle /api/* {
#         reverse_proxy localhost:8000 {
#             flush_interval -1
#         }
#     }
# }
