# auto_https off would disable TLS entirely, breaking `tls internal` for the # air-gap mirror vhosts. disable_redirects keeps the apex/auth/packwiz sites # plaintext on :80 (they use explicit http://) while still allowing internal # TLS on the mirror hosts below. { auto_https disable_redirects } http://{$BASE_DOMAIN} { # Launcher downloads live in a sibling mount (not nested under /srv/www, # which is a read-only mount → can't create a nested mountpoint). # handle_path strips the /launcher prefix before serving /srv/launcher. handle_path /launcher/* { root * /srv/launcher file_server browse } handle { root * /srv/www file_server } } http://auth.{$BASE_DOMAIN} { reverse_proxy drasl:25585 } http://packwiz.{$BASE_DOMAIN} { root * /srv/pack file_server browse } # Full client air-gap mirror (see plan/11-full-airgap-mirror.md): byte-exact # copies of the real upstream hosts served over HTTPS with Caddy's local CA. # dnsmasq spoofs these hostnames -> our host; the {host} placeholder roots each # hostname at its own mirror subtree. Guests import the Caddy root CA once. meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net { tls internal root * /srv/mirror/{host} file_server }