# Caddyfile for DigiErbe Tresor
tresor.example.com {
  # enable TLS encryption
  tls internal

  #PHP
  php_fastcgi unix//run/php/php-fpm.sock

  # Root directory
  root * /Pfad/Zu/DigiErbe/Tresor/public

  # Authentication
  basic_auth {
    ownerName $2a$14$SetHashedPasswordHere
    allowedName $2a$14$SetHashedPasswordHere
  }

  # Activate file server in Caddy
  file_server

  # Redirect all requests to index.php
  try_files {path} /index.php

  # Security headers
  header {
    -Server
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    X-XSS-Protection "1; mode=block"
  }

  # Add authenticated username as HTTP Header to the request
  header_down +X-WEBAUTH-USER {http.auth.user.id}

  # Protokoll
  log {
    output file /var/log/caddy/DigiErbe/tresor.log
  }
}