# Port map (final): # 9000 Caddy HTTP (redirect + ACME webroot) # 9001 Caddy HTTPS # 9010 taler-hacktivism (merchant nginx TLS) # 9011 taler-exchange-hacktivism (exchange httpd) # 9012 taler-bank-hacktivism (libeufin-bank) { email info+koopa@hacktivism.ch http_port 9000 https_port 9001 auto_https disable_redirects # Caddy listens on 9001 behind VeciGate/https-proxy :443. # Default HTTP/3 would send Alt-Svc: h3=":9001" which browsers then try # on the public host — port 9001 is not the public HTTPS entry (443 is). # That breaks sites after first visit (especially dual-stack clients). servers { protocols h1 h2 } } taler.hacktivism.ch { tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem header Alt-Svc "clear" reverse_proxy https://127.0.0.1:9010 { transport http { tls_insecure_skip_verify } header_up Host {host} } } exchange.hacktivism.ch { tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem header Alt-Svc "clear" reverse_proxy 127.0.0.1:9011 { header_up Host {host} } } bank.hacktivism.ch { header Alt-Svc "clear" handle_path /intro/* { root * /var/www/bank-landing file_server } redir /intro /intro/ 302 redir / /intro/ 302 reverse_proxy 127.0.0.1:9012 { header_up Host {host} } } http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch { handle /.well-known/acme-challenge/* { root * /var/www/acme file_server } handle { redir https://{host}{uri} permanent } }