# Caddyfile for HXBooks
# Replace 'localhost' with your domain for production with automatic HTTPS
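localhost {
    # Static assets (CSS, JS, images, etc.) are served by Caddy itself.
    # With root /var/www, a request for /static/x maps to /var/www/static/x
    # and never reaches the Flask app.
    handle /static/* {
        root * /var/www
        file_server

        # Cache static assets for 7 days (604800 s). "public" allows shared
        # caches to store them, so nothing user-specific belongs under /static/.
        header {
            Cache-Control "public, max-age=604800"
            # ETag support is enabled by default in file_server
        }
    }

    # Book cover images, served from /var/www/media/covers/...
    handle /media/covers/* {
        root * /var/www
        file_server

        # Cache cover images for 30 days (2592000 s). A replaced cover can stay
        # stale in caches for that long unless its URL changes.
        header {
            Cache-Control "public, max-age=2592000"
        }
    }

    # Everything not matched above is proxied to the Flask app.
    reverse_proxy app:5000 {
        # Active health check: request "/" every 30s, fail after 10s.
        # NOTE(review): "/" is presumably a full application page; a dedicated
        # lightweight health endpoint would be cheaper - confirm what the app offers.
        health_uri /
        health_interval 30s
        health_timeout 10s

        # Forward the client address to the app. {remote_host} is the peer IP
        # only; {remote} expands to "ip:port", which is not a usable X-Real-IP
        # value for logging, rate limiting or allow-lists in the app.
        # header_up replaces any X-Real-IP the client sent, so the app may rely
        # on it only while it is reachable solely through Caddy.
        # If Caddy runs behind a load balancer or CDN, this is that proxy's
        # address; configure trusted_proxies and forward {client_ip} instead.
        header_up X-Real-IP {remote_host}
    }

    # Optional: compress responses for better performance
    encode gzip

    # Response headers applied to every response from this site
    header {
        # Remove server identification
        -Server

        # Stop MIME sniffing and forbid framing (clickjacking defence)
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        # NOTE(review): X-XSS-Protection is a legacy header that current
        # browsers ignore; it is not a substitute for output encoding and a
        # Content-Security-Policy, neither of which this file configures.
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        # NOTE(review): no Strict-Transport-Security is sent from this block;
        # add it for a real domain once HTTPS is confirmed working.
    }

    # JSON access log. Entries include client addresses and full request URIs
    # (query strings included), so restrict read access to this file and avoid
    # putting secrets in URLs.
    log {
        output file /var/log/caddy/access.log
        format json
    }
}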

# Production example - uncomment and modify for your domain
# your-domain.com {
#     handle /static/* {
#         root * /var/www
#         file_server
#         
#         # Cache static assets for 7 days
#         header {
#             Cache-Control "public, max-age=604800"
#         }
#     }
#
#     handle /media/covers/* {
#         root * /var/www
#         file_server
#         
#         # Cache cover images for 30 days
#         header {
#             Cache-Control "public, max-age=2592000"
#         }
#     }
#
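#     reverse_proxy app:5000 {
#         # {remote_host} is the client IP; {remote} would expand to "ip:port".
#         # Current Caddy v2 releases already set X-Forwarded-For, -Proto and
#         # -Host on proxied requests, so the three X-Forwarded-* lines are optional.
#         header_up X-Real-IP {remote_host}
#         header_up X-Forwarded-For {remote_host}
#         header_up X-Forwarded-Proto {scheme}
#         header_up X-Forwarded-Host {host}
#     }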
#
#     encode gzip
#
#     header {
#         -Server
#         X-Content-Type-Options nosniff
#         X-Frame-Options DENY
#         X-XSS-Protection "1; mode=block"
#         Referrer-Policy strict-origin-when-cross-origin
#         # HSTS: enable only once every subdomain serves HTTPS; "preload" is slow to undo.
#         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#     }
# }