# /etc/caddy/Caddyfile — Proxmox Monitor reverse-proxy
#
# Replace monitor.example.com with your actual hostname.
# Caddy handles Let's Encrypt automatically when the domain's A record
# points at this host.

monitor.example.com {
    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }

    # The Phoenix endpoint handles both HTTP requests and WebSocket upgrades
    # on the same port; Caddy's reverse_proxy transparently upgrades /socket.
    reverse_proxy 127.0.0.1:4000 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote_host}
        # Keep WebSocket connections open long enough for the Phoenix heartbeat
        # cycle (30s by default).
        transport http {
            read_timeout 90s
            dial_timeout 10s
        }
    }

    # Basic access log
    log {
        output file /var/log/caddy/monitor.log {
            roll_size 10mb
            roll_keep 5
        }
    }
}