From 585fbd06232843e68893ab331b521a2af1c93b87 Mon Sep 17 00:00:00 2001
From: Carsten
Date: Wed, 22 Apr 2026 08:41:18 +0200
Subject: [PATCH] docs(server): Caddyfile template with TLS + WSS reverse-proxy
---
server/docs/Caddyfile.example | 37 +++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 server/docs/Caddyfile.example
diff --git a/server/docs/Caddyfile.example b/server/docs/Caddyfile.example
new file mode 100644
index 0000000..9603f16
--- /dev/null
+++ b/server/docs/Caddyfile.example
@@ -0,0 +1,37 @@
+# /etc/caddy/Caddyfile — Proxmox Monitor reverse-proxy
+#
+# Replace monitor.example.com with your actual hostname.
+# Caddy handles Let's Encrypt automatically when the domain's A record
+# points at this host.
+
+monitor.example.com {
+ # Security headers
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ -Server
+ }
+
+ # The Phoenix endpoint handles both HTTP requests and WebSocket upgrades
+ # on the same port; Caddy's reverse_proxy transparently upgrades /socket.
+ reverse_proxy 127.0.0.1:4000 {
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Forwarded-For {remote_host}
+ # Keep WebSocket connections open long enough for the Phoenix heartbeat
+ # cycle (30s by default).
+ transport http {
+ read_timeout 90s
+ dial_timeout 10s
+ }
+ }
+
+ # Basic access log
+ log {
+ output file /var/log/caddy/monitor.log {
+ roll_size 10mb
+ roll_keep 5
+ }
+ }
+}
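Review bot: The `Strict-Transport-Security` line in the `header` block ships `includeSubDomains; preload` with a one-year max-age, so anyone who copies this template onto a name whose subdomains are not all HTTPS-ready makes those subdomains unreachable over plain HTTP for returning browsers, and `preload` signals consent to browser preload lists, which is slow to reverse. For a template I would default to `Strict-Transport-Security "max-age=31536000"` and add a comment such as `# add includeSubDomains / preload only once every subdomain serves HTTPS`. Separately, the two `header_up` lines look redundant, since Caddy v2's reverse_proxy already sets X-Forwarded-For and X-Forwarded-Proto itself; overriding X-Forwarded-For with `{remote_host}` would also discard the forwarded chain if this host is ever placed behind another trusted proxy. The `log` block could carry a comment that access logs record full request URIs, so any token sent in the /socket query string (not visible here, to be confirmed against the Phoenix endpoint) would land in /var/log/caddy/monitor.log and the file's permissions and retention should be set accordingly.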