# TFM aInventory - Caddy Patched IP Configuration
# Version 1.9.16 - The Open Gateway (Valid Permission check)

{
    admin off
    debug
    
    # Global TLS options for self-signed certificates
    local_certs
    skip_install_trust
    
    # Configure on-demand TLS for private network IPs
    on_demand_tls {
        # Pointing to the backend root which returns 200 OK
        # This allows Caddy to generate internal certs for any IP/domain.
        ask http://backend:8000/
    }
}

# Dynamic SSL Proxy (Matches ANY IP or hostname)
https:// {
    tls internal {
        on_demand
    }
    
    reverse_proxy frontend:3000
    
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}

# Specific port listener for backend (8918 -> 444)
https://:444 {
    tls internal {
        on_demand
    }
    reverse_proxy backend:8000
}
