{
    # Global options
    email admin@example.com
    # Admin API for configuration management (listen on all interfaces)
    admin 0.0.0.0:2019
}

# Shared reverse proxy configuration
(reverse_proxy_config) {
    reverse_proxy digiserver-app:5000 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto {scheme}
        
        # Timeouts for large uploads
        transport http {
            read_timeout 300s
            write_timeout 300s
        }
    }
    
    # File upload size limit (2GB)
    request_body {
        max_size 2GB
    }
    
    # Security headers
    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
    }
    
    # Logging
    log {
        output file /var/log/caddy/access.log
    }
}

# Localhost (development/local access - HTTP only for local dev)
http://localhost {
    import reverse_proxy_config
}

# Main HTTPS entry point with multiple hostnames and IP
https://digiserver, https://10.76.152.164, https://digiserver.sibiusb.harting.intra {
    import reverse_proxy_config
    tls internal
}

# HTTP redirects to HTTPS for each hostname
http://digiserver {
    redir https://{host}{uri}
}

http://10.76.152.164 {
    redir https://{host}{uri}
}

http://digiserver.sibiusb.harting.intra {
    redir https://{host}{uri}
}

# Catch-all for any other HTTP requests
http://* {
    import reverse_proxy_config
}

# Catch-all for any other HTTPS requests (fallback)
https://* {
    import reverse_proxy_config
    tls internal
}