# SPDX-FileCopyrightText: 2024 XWiki CryptPad Team <contact@cryptpad.org> and contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later

#   This file is included strictly as an example of how Caddy can be configured
#   to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
#   compare the sections of this configuration file against a working CryptPad
#   installation (http server by the Nodejs process). If you are using CryptPad
#   in production and require professional support please contact sales@cryptpad.org

(trustedProxies) {
	# Force Caddy to accept `X-Forwarded-For` and other origin headers.
	# Modify the line below if you want to restrict the scope of direct downstream sending these headers.
	trusted_proxies 0.0.0.0/0 ::/0
}

# Caddy does not have variables for server names, so domains need to be hardcoded.
# You can bulk replace "your-main-domain.com" and "your-sandbox-domain.com" safely.
your-main-domain.com:443,
your-sandbox-domain.com:443 {
	# Define your certificates below.
	# No need to adjust TLS configurations, as the defaults in Caddy are already secure.
	tls /path/to/fullchain/publicKey.pem /path/to/certificate/privateKey.pem
	
	# Enable HSTS.
	# Do not enable this line when configuring over mixnet, e.g. Tor.
	header Strict-Transport-Security "max-age=63072000; includeSubDomains"
	
	# Specify the relative path to root of your custom error page.
	# This error page won't only be served for 404 errors.
	handle_errors {
		rewrite * /error.htm
		header Cache-Control "no-cache, no-store"
		file_server
		templates
	}
	
	# The Node.js process can handle all traffic, whether accessed over websocket or as static assets.
	reverse_proxy /cryptpad_websocket/* {
		to 127.0.0.1:3003
		header_up Host "{host}"
		header_up X-Real-IP "{remote_host}"
		
		# Caddy supports WebSockets directly. No additional headers are needed.

		import trustedProxies
	}
	reverse_proxy * {
		to 127.0.0.1:3000
		header_up Host "{host}"
		header_up X-Real-IP "{remote_host}"
		
		# These settings prevent both Caddy and the API server from setting duplicate headers.
		header_down Cross-Origin-Resource-Policy cross-origin
		header_down Cross-Origin-Embedder-Policy require-corp

		import trustedProxies
	}
	
	# Enable file serving
	file_server {
		index index.html index.htm default.html default.htm
	}
}