xtablo-source/backend/deploy/Caddyfile

# Caddy reverse proxy configuration for Xtablo production.
#
# Caddy automatically:
#   - Provisions a TLS certificate via Let's Encrypt (ACME) when a domain name is provided.
#   - Redirects HTTP (port 80) to HTTPS (port 443).
#   - Renews the certificate before it expires.
#
# Required environment variable:
#   DOMAIN — set this to your production domain in .env.prod (e.g. app.yourdomain.com).
#   Caddy reads {$DOMAIN} from the environment at startup.
#
# Let's Encrypt staging note (RESEARCH Pitfall 4):
#   Let's Encrypt enforces rate limits (5 duplicate certificates per week per domain).
#   For initial setup and testing, add a global block to use the staging endpoint:
#
#     {
#       acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
#     }
#
#   Remove the global block (or comment it out) before going live to switch to
#   production certificates. The caddy_data volume must be cleared between staging
#   and production to avoid certificate cache conflicts.

{$DOMAIN} {
    reverse_proxy web:8080
}
feat(07-03): add docker-compose.prod.yaml and deploy/Caddyfile - Production compose stack with postgres, web, worker, caddy services (D-01..D-04, D-08) - postgres service has no host ports binding (internal network only, T-07-09 mitigated) - web and worker use same image with different command: values (/app/web, /app/worker) - Both web and worker depend_on postgres with service_healthy condition (T-07-12 mitigated) - Caddy handles TLS via Let's Encrypt with persistent caddy_data and caddy_config volumes (D-04) - Caddyfile uses {$DOMAIN} env var interpolation for the site block (RESEARCH Pattern 6) - Caddyfile includes Let's Encrypt staging note to avoid rate limits (RESEARCH Pitfall 4) 2026-05-15 16:23:13 +00:00			`# Caddy reverse proxy configuration for Xtablo production.`
			`#`
			`# Caddy automatically:`
			`# - Provisions a TLS certificate via Let's Encrypt (ACME) when a domain name is provided.`
			`# - Redirects HTTP (port 80) to HTTPS (port 443).`
			`# - Renews the certificate before it expires.`
			`#`
			`# Required environment variable:`
			`# DOMAIN — set this to your production domain in .env.prod (e.g. app.yourdomain.com).`
			`# Caddy reads {$DOMAIN} from the environment at startup.`
			`#`
			`# Let's Encrypt staging note (RESEARCH Pitfall 4):`
			`# Let's Encrypt enforces rate limits (5 duplicate certificates per week per domain).`
			`# For initial setup and testing, add a global block to use the staging endpoint:`
			`#`
			`# {`
			`# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory`
			`# }`
			`#`
			`# Remove the global block (or comment it out) before going live to switch to`
			`# production certificates. The caddy_data volume must be cleared between staging`
			`# and production to avoid certificate cache conflicts.`

			`{$DOMAIN} {`
			`reverse_proxy web:8080`
			`}`