From 3fcf78e596ba65a590b5488bb6c4b94988ee6d6e Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:12:22 +0800
Subject: [PATCH 1/7] split api handler

---
 caddy/Caddyfile.prod | 45 +++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index 792caf47..c327db23 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -26,28 +26,31 @@ oullin.io { format json } + # Route API traffic to the Go backend. # Reverse-proxy all requests to the Go API, forwarding Host + auth headers - reverse_proxy { - # Tell Caddy which upstream to send to - to api:8080 - - # Preserve the original Host header - header_up Host {host} - - # Forward the client-sent auth headers - header_up X-API-Username {http.request.header.X-API-Username} - header_up X-API-Key {http.request.header.X-API-Key} - header_up X-API-Signature {http.request.header.X-API-Signature} - - # *** DEBUG: echo back to client what Caddy actually saw *** - # header_down X-Debug-Username {http.request.header.X-API-Username} - # header_down X-Debug-Key {http.request.header.X-API-Key} - # header_down X-Debug-Signature {http.request.header.X-API-Signature} - - # Transport timeouts - transport http { - dial_timeout 10s - response_header_timeout 30s + handle_path /api/* { + reverse_proxy { + # Tell Caddy which upstream to send to + to api:8080 + + # Preserve the original Host header + header_up Host {host} + + # Forward the client-sent auth headers + header_up X-API-Username {http.request.header.X-API-Username} + header_up X-API-Key {http.request.header.X-API-Key} + header_up X-API-Signature {http.request.header.X-API-Signature} + + # *** DEBUG: echo back to client what Caddy actually saw *** + # header_down X-Debug-Username {http.request.header.X-API-Username} + # header_down X-Debug-Key {http.request.header.X-API-Key} + # header_down X-Debug-Signature {http.request.header.X-API-Signature} + + # Transport timeouts + transport http { + dial_timeout 10s + response_header_timeout 30s + } } } }
From cc5391c1c9d069bd7d1690ab1033e239d8f7be50 Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:22:55 +0800
Subject: [PATCH 2/7] add vue handler

---
 caddy/Caddyfile.prod | 31 ++++++++++++++++---------------
 caddy/reademe.md | 8 ++++++++
 2 files changed, 24 insertions(+), 15 deletions(-)
 create mode 100644 caddy/reademe.md
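Review bot: `handle_path /api/*` strips the matched prefix before proxying, so the Go backend now receives `/users` where it previously received `/api/users`; if the API registers its routes under `/api`, this should be `handle /api/*` (which keeps the path intact), otherwise the comment above the block should state that the prefix is deliberately dropped. If the `X-API-Signature` scheme covers the request path, the stripped prefix also changes what the backend verifies against, which is worth confirming on the Go side. `caddy validate` will not surface either point because both forms are valid. The enclosing `oullin.io` site block starts outside the hunk.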
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index c327db23..0d4cf47d 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -6,14 +6,14 @@ oullin.io { encode gzip zstd # Add security-related headers to protect against common attacks. + # - Strict-Transport-Security: Enable HSTS to ensure browsers only connect via HTTPS. + # - X-Frame-Options: Prevent clickjacking attacks. + # - X-Content-Type-Options: Prevent content type sniffing. + # - Referrer-Policy: Enhances user privacy. header { - # Enable HSTS to ensure browsers only connect via HTTPS. Strict-Transport-Security "max-age=31536000;" - # Prevent clickjacking attacks. X-Frame-Options "SAMEORIGIN" - # Prevent content type sniffing. X-Content-Type-Options "nosniff" - # Enhances user privacy. Referrer-Policy "strict-origin-when-cross-origin" }
@@ -27,30 +27,31 @@ oullin.io { } # Route API traffic to the Go backend. - # Reverse-proxy all requests to the Go API, forwarding Host + auth headers + # - Reverse-proxy all requests to the Go API, forwarding Host + auth headers. + # - to: Tell Caddy which upstream to send to. + # - header_up: Preserve the original Host header. + # - header_up X-*: Forward the client headers. handle_path /api/* { reverse_proxy { - # Tell Caddy which upstream to send to to api:8080 - # Preserve the original Host header header_up Host {host} - - # Forward the client-sent auth headers header_up X-API-Username {http.request.header.X-API-Username} header_up X-API-Key {http.request.header.X-API-Key} header_up X-API-Signature {http.request.header.X-API-Signature} - # *** DEBUG: echo back to client what Caddy actually saw *** - # header_down X-Debug-Username {http.request.header.X-API-Username} - # header_down X-Debug-Key {http.request.header.X-API-Key} - # header_down X-Debug-Signature {http.request.header.X-API-Signature} - - # Transport timeouts transport http { dial_timeout 10s response_header_timeout 30s } } } + + # Default handler. + # - Route all other traffic to the Vue frontend app. + # - `web_caddy_prod` is the Vue app's container name. + # - source: https://github.com/oullin/web + handle { + reverse_proxy web_caddy_prod:80 + } }
diff --git a/caddy/reademe.md b/caddy/reademe.md
new file mode 100644
index 00000000..eeedf665
--- /dev/null
+++ b/caddy/reademe.md
@@ -0,0 +1,8 @@
+# Caddy
+
+### Debugging Headers
+```html
+header_down X-Debug-Username {http.request.header.X-API-Username}
+header_down X-Debug-Key {http.request.header.X-API-Key}
+header_down X-Debug-Signature {http.request.header.X-API-Signature}
+```
From 347356e1135bb196112d1d00be8f1754af57f153 Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:23:32 +0800
Subject: [PATCH 3/7] doc

---
 caddy/Caddyfile.prod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
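Review bot: The three `header_up X-API-*` lines and `header_up Host {host}` inside the `/api/*` handler restate what reverse_proxy already does, since Caddy passes the incoming request headers, Host included, through to the upstream unchanged; the new comment `# - header_up X-*: Forward the client headers.` therefore documents a no-op, so either drop the four lines or say why they are spelled out explicitly. The new catch-all `handle { reverse_proxy web_caddy_prod:80 }` carries none of the `transport http` timeouts the API handler sets; if the 10s dial / 30s response-header limits are deliberate, they presumably apply to the frontend upstream as well. The enclosing `oullin.io` block starts outside the hunk.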
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index 0d4cf47d..a499a7d0 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -26,7 +26,7 @@ oullin.io { format json } - # Route API traffic to the Go backend. + # API handler. # - Reverse-proxy all requests to the Go API, forwarding Host + auth headers. # - to: Tell Caddy which upstream to send to. # - header_up: Preserve the original Host header.
From 83be88f2c0b3260a0741e0f0835c79957b89dd8e Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:26:12 +0800
Subject: [PATCH 4/7] format

---
 caddy/Caddyfile.local | 12 ++++--------
 caddy/Caddyfile.prod | 1 -
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index dcb83ea2..ecf2a419 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -1,14 +1,11 @@ -# Filename: caddy/Caddyfile - # This global options block explicitly disables Caddy's automatic HTTPS feature. -# This is the most reliable way to ensure Caddy acts as a simple HTTP proxy. +# This is the most reliable way to ensure Caddy acts as a simple HTTP proxy locally. { auto_https off } -# This is a robust configuration for a containerized environment. # It tells Caddy to listen on its internal port 80 for any incoming hostname. -# Docker Compose maps your host port (8080) to this container port. +# Docker maps our host port (8080) to this container port. :80 { # Define a logging format for easier debugging. log {
@@ -17,8 +14,7 @@ } # Reverse proxy all incoming requests to the 'api' service. - # The service name 'api' is resolved by Docker's internal DNS to the - # correct container IP on the 'caddy_net' network. - # The API container listens on port 8080 (from your ENV_HTTP_PORT). + # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network. + # - The API container listens on port 8080 (from the ENV_HTTP_PORT). reverse_proxy api:8080 }
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index a499a7d0..ff93b9c9 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -1,4 +1,3 @@ -# Filename: caddy/Caddyfile.prod # Caddy will automatically provision a Let's Encrypt certificate. oullin.io {
From 56cd470b264259ce38a0075a26d6884eb26f5ded Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:27:40 +0800
Subject: [PATCH 5/7] caddy validator

---
 caddy/Caddyfile.local | 20 ++++++++++----------
 config/makefile/app.mk | 9 ++++++---
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index ecf2a419..0a9cf6ff 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -1,20 +1,20 @@ # This global options block explicitly disables Caddy's automatic HTTPS feature. # This is the most reliable way to ensure Caddy acts as a simple HTTP proxy locally. { - auto_https off + auto_https off } # It tells Caddy to listen on its internal port 80 for any incoming hostname. # Docker maps our host port (8080) to this container port. :80 { - # Define a logging format for easier debugging. - log { - output stdout - format console - } + # Define a logging format for easier debugging. + log { + output stdout + format console + } - # Reverse proxy all incoming requests to the 'api' service. - # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network. - # - The API container listens on port 8080 (from the ENV_HTTP_PORT). - reverse_proxy api:8080 + # Reverse proxy all incoming requests to the 'api' service. + # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network. + # - The API container listens on port 8080 (from the ENV_HTTP_PORT). + reverse_proxy api:8080 }
diff --git a/config/makefile/app.mk b/config/makefile/app.mk
index e7c52b54..c1ad5aee 100644
--- a/config/makefile/app.mk
+++ b/config/makefile/app.mk
@@ -1,6 +1,7 @@ .PHONY: fresh audit watch format run-cli validate-caddy -APP_CADDY_CONFIG_FILE ?= caddy/Caddyfile.prod +APP_CADDY_CONFIG_PROD_FILE ?= caddy/Caddyfile.prod +APP_CADDY_CONFIG_LOCAL_FILE ?= caddy/Caddyfile.local format: gofmt -w -s .
@@ -54,5 +55,7 @@ run-cli: # --- Mac: # Needs to be locally installed: https://formulae.brew.sh/formula/caddy validate-caddy: - caddy fmt --overwrite $(APP_CADDY_CONFIG_FILE) - caddy validate --config $(APP_CADDY_CONFIG_FILE) + caddy fmt --overwrite $(APP_CADDY_CONFIG_PROD_FILE) + caddy validate --config $(APP_CADDY_CONFIG_PROD_FILE) + caddy fmt --overwrite $(APP_CADDY_CONFIG_LOCAL_FILE) + caddy validate --config $(APP_CADDY_CONFIG_LOCAL_FILE)
From c71a9faa236a87613ad4590431a879787db00749 Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:30:21 +0800
Subject: [PATCH 6/7] syntax

---
 caddy/Caddyfile.prod | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index ff93b9c9..e99606bc 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -31,9 +31,7 @@ oullin.io { # - header_up: Preserve the original Host header. # - header_up X-*: Forward the client headers. handle_path /api/* { - reverse_proxy { - to api:8080 - + reverse_proxy to api:8080 { header_up Host {host} header_up X-API-Username {http.request.header.X-API-Username} header_up X-API-Key {http.request.header.X-API-Key}
From 5b7cccc7b7cdd1d6a29b2b08593a1d6f9c28aeca Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 13:35:47 +0800
Subject: [PATCH 7/7] typo

---
 caddy/{reademe.md => readme.md} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename caddy/{reademe.md => readme.md} (83%)

diff --git a/caddy/reademe.md b/caddy/readme.md
similarity index 83%
rename from caddy/reademe.md
rename to caddy/readme.md
index eeedf665..f91b34c0 100644
--- a/caddy/reademe.md
+++ b/caddy/readme.md
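Review bot: `validate-caddy` runs `caddy fmt --overwrite` on both tracked Caddyfiles before validating them, so a target named validate rewrites files in the working tree and will leave a dirty checkout when run in CI. `caddy fmt --diff $(APP_CADDY_CONFIG_PROD_FILE)` (and the `LOCAL` counterpart) exits non-zero on unformatted input without touching the file; the `--overwrite` form belongs in a separate formatting target if the rewrite is wanted locally. If the installed Caddy does not infer the adapter from the `Caddyfile.prod` / `Caddyfile.local` names, `caddy validate --config $(APP_CADDY_CONFIG_PROD_FILE) --adapter caddyfile` makes it explicit.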
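Review bot: `reverse_proxy to api:8080 {` declares two upstreams, `to` and `api:8080`, because every argument after the directive name on that line is an upstream address and `to` is only a subdirective inside the block; with requests load-balanced across both, a share of API calls would likely be sent to a host named `to` and fail. The line should read `reverse_proxy api:8080 {`. `caddy validate` accepts the current form since `to` is a syntactically valid hostname, so the validator target added in the previous patch will not catch it. The `handle_path` block closes outside the hunk.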
@@ -1,7 +1,7 @@ -# Caddy +# Debugging -### Debugging Headers -```html +### Headers +```text header_down X-Debug-Username {http.request.header.X-API-Username} header_down X-Debug-Key {http.request.header.X-API-Key} header_down X-Debug-Signature {http.request.header.X-API-Signature}