# Internal only (not in the browser URL): # 9010 merchant API | 9011 exchange API | 9012 bank API # 9013 bank landing | 9014 exchange landing | 9015 merchant landing # 9020 castopod | 9021 bonfire | 9022 prime | 9023 bt | 9024 forgejo | 9200 forgejo-ssh { email info+koopa@hacktivism.ch http_port 9000 https_port 9001 auto_https disable_redirects # Caddy listens on 9001 behind VeciGate/https-proxy :443. # Default HTTP/3 would send Alt-Svc: h3=":9001" — break public HTTPS on :443. servers { protocols h1 h2 } } (proxy_public) { header_up Host {host} header_up X-Forwarded-Host {host} header_up X-Forwarded-Proto {scheme} header_up X-Forwarded-Port 443 header_down Location "^https?://[^/]+:90[0-9]{2}(.*)$" "https://{host}$1" } taler.hacktivism.ch { tls /etc/caddy/certs/taler.hacktivism.ch/fullchain.pem /etc/caddy/certs/taler.hacktivism.ch/privkey.pem header Alt-Svc "clear" # Public landing first redir / /intro/ 302 handle /intro* { reverse_proxy 127.0.0.1:9015 { import proxy_public } } # SPA: /webui → /webui/ redir /webui /webui/ 302 # Merchant API + WebUI (nginx :9010 → unix socket) reverse_proxy https://127.0.0.1:9010 { transport http { tls_insecure_skip_verify } import proxy_public } } exchange.hacktivism.ch { tls /etc/caddy/certs/exchange.hacktivism.ch/fullchain.pem /etc/caddy/certs/exchange.hacktivism.ch/privkey.pem header Alt-Svc "clear" # Public landing first redir / /intro/ 302 handle /intro* { reverse_proxy 127.0.0.1:9014 { import proxy_public } } reverse_proxy 127.0.0.1:9011 { import proxy_public } } bank.hacktivism.ch { header Alt-Svc "clear" # Public landing first redir / /intro/ 302 handle /intro* { reverse_proxy 127.0.0.1:9013 { import proxy_public } } # Static terms/privacy on landing nginx :9013 handle /terms* { reverse_proxy 127.0.0.1:9013 { import proxy_public } } handle /privacy* { reverse_proxy 127.0.0.1:9013 { import proxy_public } } reverse_proxy 127.0.0.1:9012 { import proxy_public } } castopod.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9020 { header_up Host {host} header_up X-Forwarded-For {remote_host} } } bonfire.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9021 { header_up Host {host} header_up X-Forwarded-For {remote_host} flush_interval -1 } } prime.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9022 { header_up Host {host} header_up X-Forwarded-For {remote_host} flush_interval -1 } } bt.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9023 { header_up Host {host} header_up X-Forwarded-For {remote_host} } } http://taler.hacktivism.ch, http://exchange.hacktivism.ch, http://bank.hacktivism.ch, http://castopod.hacktivism.ch, http://bonfire.hacktivism.ch, http://prime.hacktivism.ch, http://bt.hacktivism.ch { handle /.well-known/acme-challenge/* { root * /var/www/acme file_server } handle { redir https://{host}{uri} permanent } } # 9024 forgejo HTTP (SSH :9200 host-direct, not via Caddy) git.hacktivism.ch { header Alt-Svc "clear" reverse_proxy 127.0.0.1:9024 { header_up Host {host} header_up X-Forwarded-For {remote_host} header_up X-Forwarded-Proto {scheme} flush_interval -1 transport http { read_timeout 3600s write_timeout 3600s } } }