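# Caddyfile for Stargirlnails Kiel
# TLS certificates are obtained and renewed automatically by Caddy (Let's Encrypt).

stargirlnails.de {
    # Reverse proxy to the application container.
    reverse_proxy stargirlnails:3000 {
        # Active health check of the upstream.
        health_uri /health
        health_interval 30s
        health_timeout 5s

        # No read/write timeout towards the upstream, so long-lived
        # connections (live queries) are not cut off.
        # NOTE(review): with 0 a stalled upstream connection is never timed out
        # by the proxy; confirm the application closes idle streams itself.
        transport http {
            read_timeout 0
            write_timeout 0
            dial_timeout 30s
        }

        # Flush every write immediately so Server-Sent Events are not buffered.
        flush_interval -1
    }

    # Security headers added to every response of this site.
    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"

        # Was "1; mode=block". The legacy XSS auditor is gone from current
        # browsers and its block mode had known side effects in old ones;
        # "0" switches it off explicitly and leaves XSS defence to the CSP.
        X-XSS-Protection "0"

        Referrer-Policy "strict-origin-when-cross-origin"

        # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src mean
        # this policy does little against injected scripts; nonces or hashes
        # would tighten it once the frontend allows. img-src "https:" accepts
        # images from any HTTPS origin. base-uri, form-action and
        # frame-ancestors do not fall back to default-src and are not set here.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' data: blob:; frame-src 'self' https://www.openstreetmap.org;"

        # HSTS. Caddy does not add this header by itself; it is set here.
        # includeSubDomains applies to every subdomain of stargirlnails.de,
        # so each of them has to be reachable over HTTPS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

    # Gzip compression of responses.
    encode gzip

    # Access log as JSON.
    # NOTE(review): the log holds client IPs and full request URIs; restrict
    # read access to /var/log/caddy and set a retention period.
    log {
        output file /var/log/caddy/access.log
        format json
        level INFO
    }

    # Favicon handling (inside the main site).
    handle /favicon.ico {
        redir /favicon.png 301
    }

    # NOTE(review): there is no file_server in this block, so root and
    # try_files alone do not serve the file from Caddy; the request appears to
    # continue to reverse_proxy. If /app/public is meant to be served by Caddy,
    # add file_server here and confirm the path exists in the Caddy container.
    handle /favicon.png {
        root * /app/public
        try_files {path}
    }
}

# HTTP to HTTPS redirect. Caddy does this by default for the site above;
# the block only makes it explicit.
http://stargirlnails.de {
    redir https://stargirlnails.de{uri} permanent
}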