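# Caddyfile example for Emergency Access Server
#
# Configures Caddy to reverse proxy the emergency access server running on
# localhost:1127, adding response hardening headers, JSON access logs and
# per-client rate limiting.
#
# NOTE: rate_limit is not a built-in Caddy directive. It comes from the
# mholt/caddy-ratelimit plugin, so Caddy must be built with that plugin
# (e.g. via xcaddy). Plugin directives have no default position in the
# handler chain, which is why the global options below declare its order.

# Global options.
# This block must be the first block in the Caddyfile; a bare `{ ... }` block
# that follows a site block is rejected at parse time.
{
	# Contact email for the ACME (Let's Encrypt) account
	email your-email@example.com

	# HTTP/3: in current Caddy versions it is controlled by the `protocols`
	# list of the servers block below (add h3 to enable it); the old
	# experimental_http3 global option no longer exists.

	# Run rate limiting before the request is proxied, so limited requests
	# never reach the backend. Required because rate_limit is a plugin
	# directive with no default order.
	order rate_limit before reverse_proxy

	servers {
		# h2c (cleartext HTTP/2) only applies to plaintext listeners such as
		# the development block at the bottom of this file
		protocols h1 h2 h2c
	}

	# Admin API. Bound to loopback only; keep it that way in production, since
	# anyone who can reach it can replace the running configuration.
	admin localhost:2019
}

# Example domain configuration
emergency.example.com {
	# Automatic HTTPS; the email is the ACME account contact
	tls your-email@example.com

	# Reverse proxy to the emergency access server
	reverse_proxy localhost:1127

	# Response hardening headers
	header {
		# Hide server information
		-Server
		# Remove potentially sensitive headers
		-X-Powered-By

		# Pin returning clients to HTTPS for one year
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		# The legacy browser XSS auditor has been removed from modern browsers
		# and was abusable in old ones; current guidance is to disable it
		# explicitly rather than enable it.
		X-XSS-Protection 0
		Referrer-Policy strict-origin-when-cross-origin
	}

	# Access log for security monitoring
	log {
		output file /var/log/caddy/emergency-access.log {
			roll_size 10mb
			roll_keep 30
		}
		format json
		level INFO
	}

	# Rate limiting to prevent abuse (caddy-ratelimit plugin, see header note).
	# {remote_host} is the TCP peer address. If another proxy or load balancer
	# sits in front of Caddy, all clients share that proxy's bucket; in that
	# deployment configure the servers `trusted_proxies` option and key on the
	# derived client IP instead.
	rate_limit {
		zone emergency {
			key {remote_host}
			events 10
			window 1m
		}
	}
}

# Alternative: serve the emergency server under a path instead of a subdomain
example.com {
	# Emergency access routes under a specific path prefix
	handle /emergency/* {
		# Strip the /emergency prefix before forwarding so the backend sees
		# the same paths as in the subdomain setup
		uri strip_prefix /emergency

		# Forward to local server
		reverse_proxy localhost:1127

		# Additional hardening for emergency routes; the cache headers keep
		# these responses out of shared caches
		header {
			X-Content-Type-Options nosniff
			X-Frame-Options DENY
			Cache-Control "no-cache, no-store, must-revalidate"
			Pragma no-cache
			Expires 0
		}

		# More restrictive rate limiting for emergency routes
		# (same plugin and same remote_host caveat as above)
		rate_limit {
			zone emergency_strict {
				key {remote_host}
				events 5
				window 1m
			}
		}
	}

	# Handle other routes normally
	handle {
		# Your regular website content
		root * /var/www/html
		file_server
	}

	# Logging
	log {
		output file /var/log/caddy/main.log
		format json
	}
}

# IP-based access (for internal use)
:443 {
	# Only allow the RFC 1918 private ranges.
	# remote_ip checks the TCP peer address, so this is only meaningful when
	# clients connect to Caddy directly. Behind a load balancer the peer is the
	# balancer itself; use the client_ip matcher together with the servers
	# `trusted_proxies` option in that case.
	@allowed_ips remote_ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

	handle @allowed_ips {
		reverse_proxy localhost:1127
		header {
			# Response header only; it is not forwarded to the backend
			X-Internal-Access "true"
		}
	}

	# Everything else is rejected before reaching the backend
	handle {
		respond "Access Denied" 403
	}

	# Locally issued certificate; clients must trust Caddy's internal CA
	tls internal
}

# Development/testing configuration (HTTP only)
# Remove in production! This listener has no TLS and no access control
# in front of the backend.
localhost:8080 {
	reverse_proxy localhost:1127

	# Development headers
	header {
		X-Dev-Mode "true"
	}

	log {
		output stdout
		format console
		level DEBUG
	}
}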