# neuronetz-gateway — Caddy reverse proxy (SPEC §4.1, §6.5). # # Caddy is the only public-facing component. It terminates TLS (HTTP/2 + HTTP/3), # obtains a Let's Encrypt certificate for api.neuronetz.ai automatically, applies # security headers, and reverse-proxies to the internal-only gateway:8080. # # Copy this file to `Caddyfile` and edit the site address / admin email. # The production docker-compose.yml mounts it at /etc/caddy/Caddyfile. { # Email for Let's Encrypt account + expiry notices. Replace before deploy. email ops@neuronetz.ai } api.neuronetz.ai { # --- Reverse proxy to the internal gateway --- # `gateway` is the Docker service name on the internal network; it is never # published to the host. Caddy forwards plain HTTP/1.1 to it. reverse_proxy gateway:8080 # --- Security headers --- header { # HSTS: force HTTPS for two years, include subdomains, allow preload. Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Disable MIME sniffing. X-Content-Type-Options "nosniff" # Clickjacking defense (API has no UI, deny framing outright). X-Frame-Options "DENY" # Conservative referrer policy. Referrer-Policy "no-referrer" # Strip server-identifying headers so we don't advertise the stack. -Server -X-Powered-By } # Structured access logs to stdout (collected by the container runtime). log { output stdout format json } } # ───────────────────────────────────────────────────────────────────────────── # DEV / LOCAL note: # # For local testing without a public domain or real certificate, replace the # site block above with a localhost block that uses Caddy's internal self-signed # CA (no Let's Encrypt round-trip): # # localhost { # tls internal # reverse_proxy gateway:8080 # } # # Caddy will install its local root CA; trust it or pass `-k` to curl. Note the # Phase 1 *dev* compose stack (docker-compose.dev.yml) ships WITHOUT Caddy and # exposes the gateway directly on localhost:8080 — this file is for the full # production stack only. # ─────────────────────────────────────────────────────────────────────────────