Caddyfile

# FlatRender V2 — Caddy reverse proxy
#
# Domains are injected via environment variables so this file is environment-agnostic.
# Set in .env.v2:
#   DOMAIN          e.g.  flatrender.io          (→ https://flatrender.io)
#   API_DOMAIN      e.g.  api.flatrender.io       (→ https://api.flatrender.io)
#   STORAGE_DOMAIN  e.g.  storage.flatrender.io   (→ https://storage.flatrender.io)
#
# Caddy auto-provisions Let's Encrypt TLS for all three. For local dev without
# real domains, replace with http:// blocks and remove the ACME config.

{env.DOMAIN} {
    # Frontend (Next.js standalone, port 3000 inside Docker)
    reverse_proxy frontend:3000

    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        X-Frame-Options           "SAMEORIGIN"
        Referrer-Policy           "strict-origin-when-cross-origin"
        -Server
    }

    encode gzip
}

{env.API_DOMAIN} {
    # V2 API gateway (port 8080 inside Docker)
    reverse_proxy gateway:8080

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        -Server
    }

    # Allow large body for file uploads routed through the gateway
    request_body {
        max_size 512MB
    }
}

{env.STORAGE_DOMAIN} {
    # MinIO S3 API (port 9000 inside Docker) — used for presigned URL downloads
    reverse_proxy minio:9000

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options    "nosniff"
        -Server
    }

    # Pre-flight (CORS) passthrough — MinIO handles its own CORS headers
    @options method OPTIONS
    respond @options 204
}
feat: complete node-agent pipeline, TLS proxy, billing cancel, password reset 2026-06-01 16:41:13 +03:30			`# FlatRender V2 — Caddy reverse proxy`
			`#`
			`# Domains are injected via environment variables so this file is environment-agnostic.`
			`# Set in .env.v2:`
			`# DOMAIN e.g. flatrender.io (→ https://flatrender.io)`
			`# API_DOMAIN e.g. api.flatrender.io (→ https://api.flatrender.io)`
			`# STORAGE_DOMAIN e.g. storage.flatrender.io (→ https://storage.flatrender.io)`
			`#`
			`# Caddy auto-provisions Let's Encrypt TLS for all three. For local dev without`
			`# real domains, replace with http:// blocks and remove the ACME config.`

			`{env.DOMAIN} {`
			`# Frontend (Next.js standalone, port 3000 inside Docker)`
			`reverse_proxy frontend:3000`

			`# Security headers`
			`header {`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains"`
			`X-Content-Type-Options "nosniff"`
			`X-Frame-Options "SAMEORIGIN"`
			`Referrer-Policy "strict-origin-when-cross-origin"`
			`-Server`
			`}`

			`encode gzip`
			`}`

			`{env.API_DOMAIN} {`
			`# V2 API gateway (port 8080 inside Docker)`
			`reverse_proxy gateway:8080`

			`header {`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains"`
			`X-Content-Type-Options "nosniff"`
			`-Server`
			`}`

			`# Allow large body for file uploads routed through the gateway`
			`request_body {`
			`max_size 512MB`
			`}`
			`}`

			`{env.STORAGE_DOMAIN} {`
			`# MinIO S3 API (port 9000 inside Docker) — used for presigned URL downloads`
			`reverse_proxy minio:9000`

			`header {`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains"`
			`X-Content-Type-Options "nosniff"`
			`-Server`
			`}`

			`# Pre-flight (CORS) passthrough — MinIO handles its own CORS headers`
			`@options method OPTIONS`
			`respond @options 204`
			`}`