packages.wenpai.net/deploy/ansible/roles/caddy/templates/Caddyfile.j2
Ben Word e276195b6e
Implement socket-activated zero-downtime deploy switchover (#67)
Systemd socket activation keeps the listening socket open across
service restarts so connections queue at the kernel instead of
getting 503s from Caddy. The Go server detects LISTEN_FDS and
uses the inherited fd, falling back to normal listen for local dev.
Caddy retry window bumped as a safety net.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 14:07:54 -05:00
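The LISTEN_FDS handshake the commit message describes, as an added Go example that is not the project's own code: the server trusts fd 3 only when LISTEN_PID matches its own pid (a stale environment inherited from a parent is ignored) and otherwise falls back to a normal net.Listen for local development. The ":8080" address and the function names are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"os"
	"strconv"
)

const listenFDStart = 3 // systemd hands activated sockets over starting at fd 3
// inheritedListenerCount follows the sd_listen_fds contract: LISTEN_PID must equal our
// own pid (a stale value inherited from a parent is ignored) and LISTEN_FDS is the count.
func inheritedListenerCount(env map[string]string, pid int) int {
	if p, err := strconv.Atoi(env["LISTEN_PID"]); err != nil || p != pid {
		return 0
	}
	if n, err := strconv.Atoi(env["LISTEN_FDS"]); err == nil && n > 0 {
		return n
	}
	return 0
}

// activatedListener wraps the first inherited socket; (nil, nil) means not socket-activated.
func activatedListener(env map[string]string, pid int) (net.Listener, error) {
	if inheritedListenerCount(env, pid) < 1 {
		return nil, nil
	}
	f := os.NewFile(uintptr(listenFDStart), "LISTEN_FD_3")
	defer f.Close() // FileListener dup()s the fd; it fails with EBADF if fd 3 is not open
	return net.FileListener(f)
}

// listen prefers the socket systemd kept open across restarts (queued connections
// are never refused) and falls back to net.Listen for local development.
func listen(addr string) (net.Listener, error) {
	env := map[string]string{"LISTEN_PID": os.Getenv("LISTEN_PID"), "LISTEN_FDS": os.Getenv("LISTEN_FDS")}
	if ln, err := activatedListener(env, os.Getpid()); err != nil || ln != nil {
		return ln, err
	}
	return net.Listen("tcp", addr)
}

func main() {
	ln, err := listen(":8080") // placeholder for the role's go_listen_addr
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(ln, http.NotFoundHandler()))
}
```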

26 lines
755 B
Django/Jinja

{{ app_domain }} {
	# TLS via Cloudflare origin certificate
	tls /etc/caddy/certs/origin.pem /etc/caddy/certs/origin-key.pem
	# Compression
	encode gzip zstd
	# Security headers
	header {
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}
	# Strip trailing slashes (redirect to canonical non-slash URL)
	@trailing_slash path_regexp trailing ^(.+)/$
	redir @trailing_slash {re.trailing.1} permanent
	# Reverse proxy to Go app — retry during restarts for zero-downtime deploys
	reverse_proxy {{ go_upstream_addr | default("localhost" ~ go_listen_addr) }} {
		# remote_host is the direct peer: Cloudflare's edge IP unless trusted_proxies is configured
		header_up X-Real-IP {remote_host}
		# keep retrying the (single) upstream for up to 10s, every 100ms, instead of returning 502
		lb_try_duration 10s
		lb_try_interval 100ms
		# how long a failed upstream is remembered as unhealthy before being tried normally again
		fail_duration 10s
	}
}