{
  order rate_limit before basicauth
}

# Simple caddy config, handles SSL and forwards everything to varnish
{$CADDY_SITES} {
  # Import a snippet that will generate a self-signed certificate by default.
  # To generate a real certificate, bind-mount an empty file here and then
  # put your real TLS config in a file in the snippets directory
  import tls-self-signed-snippets/*.snippet

  # Import a snippet that will restrict connections to the admin endpoint
  # to the localhost
  import local-admin-only-snippets/*.snippet

  import snippets/*.snippet

  # Block API abusers outright
  @blacklisted_ips remote_ip 185.238.72.170 185.130.44.60 24.209.251.17
  respond @blacklisted_ips 403

  # rate limit users by IP to 600 requests per minute
  rate_limit {
    zone apilimit {
      key {remote_host}
      events 600
      window 1m
    }
  }

  # Handle CORS pre-flight checks here, instead of passing them through
  @cors_preflight method OPTIONS
  handle @cors_preflight {
    header Access-Control-Allow-Origin "*"
    header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
    header Access-Control-Allow-Headers "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range"
    header Access-Control-Max-Age "3600"
    respond 204
  }


  # reverse-proxy to the admin tools
  redir /admin /admin/

  # restrict the /admin endpoints to the specified protocol.  This is for the
  # usual case where you use basicauth to protect the endpoint, and want to prevent
  # it from being accessed via http.
  @admin_wrong_protocol {
    not protocol {$ADMIN_ENDPOINT_PROTOCOL}
    path /admin/*
  }
  respond @admin_wrong_protocol "Admin endpoints are only accessible via {$ADMIN_ENDPOINT_PROTOCOL}" 403
  @admin {
    protocol {$ADMIN_ENDPOINT_PROTOCOL}
    path /admin/*
  }
  handle @admin {
    uri strip_prefix /admin
    import admin-snippets/*.snippet

    # Route /admin/pgadmin to pgAdmin
    redir /pgadmin /admin/pgadmin/
    handle_path /pgadmin/* {
      reverse_proxy http://pgadmin {
        header_up X-Script-Name "/admin/pgadmin"
      }
    }

    # Route /admin/pgadmin to pghero
    redir /pghero /admin/pghero/
    handle_path /pghero/* {
      rewrite * /admin/pghero{uri}
      reverse_proxy http://pghero:8080
    }

    # Route /admin/haproxy to haproxy's stats page
    redir /haproxy /admin/haproxy/
    handle_path /haproxy/* {
      rewrite * /admin/haproxy{uri}
      reverse_proxy http://haproxy:8000
    }

    # # Route /admin/graphite to graphite's UI
    # # (graphite) is commented-out in jussi's yaml file
    # redir /graphite /admin/graphite/
    # handle_path /graphite/* {
    #   rewrite * /admin/graphite{uri}
    #   reverse_proxy http://graphite:8080
    # }

    redir /pgbadger /admin/pgbadger/
    handle_path /pgbadger/* {
      @pgbadger_report_missing not file {
        root /etc/caddy/pgbadger
        try_files index.html
      }

      redir @pgbadger_report_missing /admin/pgbadger_instructions
      root * /etc/caddy/pgbadger
      file_server
    }

    # Route /admin/versions to the version display app
    redir /versions /admin/versions/
    handle_path /versions/* {
      reverse_proxy http://version-display
    }

    root * /etc/caddy/admin_html
    file_server
  }

  # Route all POST calls to the root URL to jussi/drone (assume they're old-style JSON-RPC calls)
  @post_to_root {
    method POST
    path /
  }
  handle @post_to_root {
    # Add CORS headers
    header {
      Access-Control-Allow-Origin "*"
      Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
      Access-Control-Allow-Headers "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range"
      Access-Control-Max-Age "3600"
    }
    reverse_proxy http://{$JSONRPC_API_SERVER_NAME}:9000 {
      # remove any CORS headers sent by jussi/drone so we don't have duplicates
      header_down -Access-Control-Allow-Origin
      header_down -Access-Control-Allow-Methods
      header_down -Access-Control-Allow-Headers
      header_down -Access-Control-Max-Age
      # we're not overriding these, they're added by drone but not necessary
      header_down -Access-Control-Allow-Credentials
      header_down -Access-Control-Expose-Headers
    }
  }

  @rest_apis {
    path /hafah-api/* /balance-api/* /reputation-api/* /hafbe-api/* 
  }

  handle @rest_apis {
    # Add CORS headers
    header {
      Access-Control-Allow-Origin "*"
      Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
      Access-Control-Allow-Headers "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range"
      Access-Control-Max-Age "3600"
    }
    reverse_proxy http://varnish {
      # remove any CORS headers sent by the rest api servers so we don't have duplicates
      # (right now, postgrest doesn't add any of these headers, this is just defensive)
      header_down -Access-Control-Allow-Origin
      header_down -Access-Control-Allow-Methods
      header_down -Access-Control-Allow-Headers
      header_down -Access-Control-Max-Age
    }
  }

  # Route everything else (currently just swagger documentation)
  reverse_proxy http://swagger:8080
}
