# TFM aInventory - Caddy Patched IP Configuration
# Version 1.9.13 - Bare Metal Proxy (No on_demand)

{
    admin off
    auto_https disable_redirects
    local_certs
}

# Frontend SSL Proxy (8919 -> 443)
:443 {
    tls internal
    reverse_proxy frontend:3000
    
    # Security Headers for PWA
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}

# Backend SSL Proxy (8918 -> 444)
:444 {
    tls internal
    reverse_proxy backend:8000
}
