# honeyDue edge proxy — terminates HTTP from Cloudflare, routes by Host header.
#
# Cloudflare is in front, SSL mode "Flexible" — CF terminates TLS at the edge
# and talks to this origin over plain HTTP on port 80. No LE certs needed here
# for now. Later, to go "Full (strict)", remove `auto_https off`, add `tls` blocks
# that use the ACME HTTP-01 challenge, and open 443 on the node.
{
    admin off
    auto_https off
}

# api.myhoneydue.com → Go REST API
# `dynamic a` re-resolves the Swarm service DNS every 30s instead of caching
# the IP forever at config parse. This is critical on Swarm with endpoint_mode:
# dnsrr — when a task restarts, its overlay IP changes, and static DNS caching
# leaves Caddy dialing dead IPs.
api.myhoneydue.com:80 {
    reverse_proxy {
        dynamic a {
            name api
            port 8000
            refresh 30s
        }
        header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
    }
}

# admin.myhoneydue.com → Next.js admin panel via overlay DNS (VIP endpoint)
#
# This relies on Swarm's embedded resolver, which has a known libnetwork
# stale-record bug (moby/moby#52265, affects 29.x). We work around it by
# (a) using default VIP endpoint_mode — a stable service IP — and
# (b) running a clean overlay from scratch (see Phase 1 stack recreate).
#
# If ghosts come back, the long-term fix is Traefik w/ Swarm provider that
# reads task IPs from Docker API, bypassing libnetwork DNS entirely. See
# deploy/MIGRATION_NOTES.md for the Traefik migration plan.
admin.myhoneydue.com:80 {
    reverse_proxy admin:3000 {
        lb_try_duration 3s
        lb_try_interval 250ms
        header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
    }
}

# Catch-all for root/unknown hostnames hitting our IPs directly.
# Cloudflare SSL=Flexible will still hit us on :80 for myhoneydue.com; return
# a placeholder until you wire a real marketing site.
:80 {
    respond "honeyDue" 200
}
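The "Full (strict)" shape that the header comment defers, written out as an added example (not part of the honeyDue repo): it drops `auto_https off`, lets Caddy obtain certificates with the HTTP-01 challenge only, and keeps the rest of the routing unchanged, so the Cloudflare-to-origin hop is no longer plaintext. It assumes the hostnames and upstreams from the config above, port 443 open on the node, and a placeholder ACME contact address.

```caddyfile
# Full (strict): Cloudflare validates the origin certificate, so the
# edge-to-origin hop is encrypted end to end. Requires 443 open on the node.
{
    admin off
    # `auto_https off` removed: Caddy now manages certificates itself.
    email acme-contact@example.com   # placeholder ACME contact (assumption)
}

api.myhoneydue.com {
    tls {
        issuer acme {
            # HTTP-01 only: Cloudflare terminates TLS at its edge, so a
            # TLS-ALPN-01 handshake never reaches this origin; an HTTP-01
            # request on port 80 is proxied through to us.
            disable_tlsalpn_challenge
        }
    }
    reverse_proxy {
        dynamic a {
            name api
            port 8000
            refresh 30s
        }
        # No header_up override needed: the request now arrives over HTTPS,
        # so Caddy's default X-Forwarded-Proto is already "https".
    }
}

admin.myhoneydue.com {
    tls {
        issuer acme {
            disable_tlsalpn_challenge
        }
    }
    reverse_proxy admin:3000 {
        lb_try_duration 3s
        lb_try_interval 250ms
    }
}

# Plain-HTTP catch-all stays for unknown hostnames; Caddy still answers
# ACME HTTP-01 challenges from its port-80 server alongside this block.
:80 {
    respond "honeyDue" 200
}
```

Switch the Cloudflare zone to "Full (strict)" only after `caddy validate` passes and the first certificate has been issued, otherwise Cloudflare returns 526 for the whole site.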