# TFM aInventory - Caddy Patched IP Configuration
# Version 1.9.14 - Protocol Lock & Debug Mode

{
    admin off
    # Enable debug logging for SSL handshake diagnostics
    debug
    
    # Trust local CA for internal certificate issuance
    local_certs
    # Avoid errors if the user isn't root (though inside Docker we usually are)
    skip_install_trust
}

# Explicit Frontend SSL Proxy (8919 -> 443)
https://:443 {
    tls internal
    reverse_proxy frontend:3000
    
    # Security Headers for PWA
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}

# Explicit Backend SSL Proxy (8918 -> 444)
https://:444 {
    tls internal
    reverse_proxy backend:8000
}
