# Caddyfile snippet for ambrosio host Caddy. # Install path: /etc/caddy/Caddyfile (append these blocks). # Reload: sudo systemctl reload caddy # # Docker services bind to 127.0.0.1 only; this file is the public entrypoint. # TLS certificates are issued automatically by Caddy via Let's Encrypt. # ── App + Supabase (single domain) ────────────────────────────────────────── erosi.oier.ovh { encode zstd gzip # Supabase API paths → Kong gateway. # Realtime MUST come before /auth, /rest, /storage to match its WS upgrade path first. @supabase path /auth/v1/* /rest/v1/* /storage/v1/* /realtime/v1/* /graphql/v1/* /pg/* handle @supabase { # Realtime WebSockets require a long read timeout; PostgREST benefits from # flush_interval for streaming responses. Caddy handles WS upgrades natively. reverse_proxy 127.0.0.1:8000 { transport http { read_timeout 3600s } header_up X-Real-IP {remote_host} } } # Everything else → SvelteKit Node server. handle { reverse_proxy 127.0.0.1:3000 { header_up X-Real-IP {remote_host} } } } # ── Keycloak ──────────────────────────────────────────────────────────────── auth.oier.ovh { encode zstd gzip # Keycloak 24 with KC_PROXY=edge uses the X-Forwarded-* headers that Caddy # already sets automatically on every reverse_proxy (Proto, For, Host). # Only X-Forwarded-Port is not default, so we add it explicitly — without # it Keycloak builds redirect URIs with the internal port (8080). reverse_proxy 127.0.0.1:8090 { header_up X-Real-IP {remote_host} header_up X-Forwarded-Port {server_port} } }