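# Site block for the React single-page app and its backend API.
# Caddy provisions and renews the TLS certificate for this hostname
# automatically (automatic HTTPS); no explicit tls directive is needed.
goonblog.thevakhovske.eu.org {
	# Routing uses mutually exclusive handle blocks. A site-level try_files
	# is ordered before handle, so it would rewrite /api/... and /health to
	# /index.html before the proxy matchers are evaluated.

	# API routes - proxy to backend.
	# NOTE(review): the backend on port 3001 should listen on loopback only,
	# so that it is reachable solely through this proxy - confirm.
	handle /api/* {
		reverse_proxy localhost:3001
	}

	# Health check endpoint (exact path match).
	# NOTE(review): this path is reachable from the internet; confirm the
	# backend response exposes no version or dependency details.
	handle /health {
		reverse_proxy localhost:3001
	}

	# Everything else: the React frontend (static files).
	handle {
		# Relative path: resolved against Caddy's working directory.
		# An absolute path avoids serving an unintended directory.
		root * dist

		# Serve the requested file if it exists, otherwise fall back to
		# index.html so client-side routes resolve.
		try_files {path} /index.html

		# Without file_server nothing under root is actually served.
		file_server
	}

	# Long-lived caching for build assets under /assets/.
	# NOTE(review): assumes these filenames are content-hashed - confirm.
	header /assets/* {
		Cache-Control "public, max-age=31536000, immutable"
	}

	# Security headers (sent on every response, including proxied ones)
	header {
		# HSTS, two years. includeSubDomains and preload are long-lived
		# commitments; preload only takes effect once the domain has been
		# submitted to the browser preload list.
		Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

		# Prevent clickjacking
		X-Frame-Options "DENY"

		# Prevent MIME type sniffing
		X-Content-Type-Options "nosniff"

		# Legacy XSS filter header. Current browsers ignore it and the CSP
		# below is the effective control; current guidance is to send "0"
		# or drop the header.
		X-XSS-Protection "1; mode=block"

		# Referrer policy
		Referrer-Policy "strict-origin-when-cross-origin"

		# Content Security Policy (adjust as needed).
		# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src
		# remove most of the XSS mitigation a CSP provides. If the
		# production bundle does not need them, drop both or move to
		# nonces/hashes. No frame-ancestors, object-src or base-uri
		# directive is set here.
		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;"
	}

	# Gzip compression
	encode gzip

	# Access log as JSON, one entry per request.
	# NOTE(review): entries contain client IPs and request URIs; restrict
	# read access to the log directory and set retention accordingly.
	log {
		output file /var/log/caddy/gooneral-wheelchair.log
		format json
	}
}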