{
  http_port {{ caddy_http_port }}
  https_port {{ caddy_https_port }}
{% if caddy_default_bind != "" %}
  default_bind {{ caddy_default_bind }}
{% endif %}
  order geoip2_vars first
  order coraza_waf first
  admin off
  persist_config off

{% if caddy_geoip_account_id != None and caddy_geoip_license_key != None %}
  geoip2 {
    accountId         "{{ caddy_geoip_account_id }}"
    licenseKey        "{{ caddy_geoip_license_key }}"
    databaseDirectory "{{ caddy_home_dir }}"
    lockFile          "{{ caddy_home_dir }}/.geoip2.lock"
    editionID         "{{ caddy_geoip_edition_ids }}"
    updateUrl         "https://updates.maxmind.com"
    updateFrequency   {{ caddy_geoip_update_frequency }}
  }
{% endif %}

{% if caddy_email | default(None) != None %}
  email "{{ caddy_email }}"
{% endif %}

{% if caddy_ca_root | default(None) != None %}
  tls {
    ca_root "{{ caddy_ca_root }}"
  }
{% endif %}

{% if caddy_debug %}
  log {
    format json
    level DEBUG
    output file {{ caddy_log_dir }}/debug.log
  }
{% endif %}

  log waf {
    format json
    include "http.handlers.waf"
    output file {{ caddy_log_dir }}/waf.log
  }
}

# 0=origin, 1=methods, 2=headers, 3=allow credentials, 4=max age, 5=vary, 6=expose headers
(cors) {
  @match-cors-preflight-{args.0} {
    header Origin {args.0}
    method OPTIONS
  }
  header @match-cors-preflight-{args.0} {
    Access-Control-Allow-Origin "{args.0}"
    Access-Control-Allow-Methods "{args.1}"
    Access-Control-Allow-Headers "{args.2}"
    Access-Control-Allow-Credentials "{args.3}"
    Access-Control-Max-Age "{args.4}"
    Vary "{args.5}"
  }
  handle @match-cors-preflight-{args.0} {
    respond "" 204
  }

  @match-cors-request-{args.0} {
    header Origin {args.0}
    not method OPTIONS
  }
  header @match-cors-request-{args.0} {
    >Access-Control-Allow-Origin "{args.0}"
    >Access-Control-Allow-Credentials "{args.3}"
    >Vary "{args.5}"
    >Access-Control-Expose-Headers "{args.6}"
  }
}

(cors-deny) {
  @cors-preflight-deny method OPTIONS
  handle @cors-preflight-deny {
    respond "" 403
  }
}

{% for site in caddy_sites %}

{% if (site.site_redirect_from_aliases | default(caddy_sites_defaults.site_redirect_from_aliases)) and (site.site_aliases | default([]) | length) > 0 %}

{{ site.site_aliases | join(', ') }} {
  redir https://{{ site.name }}{uri}
}

{% else %}

{% for alias in site.site_aliases | default(caddy_sites_defaults.site_aliases) %}
{{ alias }},
{% endfor %}
{% endif %}
{{ site.name }} {
  encode gzip zstd

{% for path in site.paths %}
  handle {{ path.path | default('*') }} {
    reverse_proxy {
      to {{ path.addrs | join(' ') }}
      header_up X-Real-IP {remote}
      lb_policy {{ site.proxy_lb_policy | default(caddy_sites_defaults.proxy_lb_policy) }}
      # Active checks
#     health_uri /
#     health_interval 10s
#     health_timeout 5s
#     health_status 200
      # Passive checks
      fail_duration 30s
      max_fails 3
      unhealthy_latency 2000ms
      transport http {
#       tls_server_name {host}
#       tls_insecure_skip_verify
      }
    }
  }
{% endfor %}

{% if site.custom_cert | default (false) %}
  tls {{ site.custom_cert_file }} {{ site.custom_cert_key_file }}
{% endif %}

{% if site.filter_blacklist | default(caddy_sites_defaults.filter_blacklist) | length > 0 %}
  @blocked {
{% for ip in site.filter_blacklist | default(caddy_sites_defaults.filter_blacklist) %}
    remote_ip {{ ip }}
{% endfor %}
  }
  respond @blocked "Access Denied" 403
{% endif %}

{% if site.geoip | default(caddy_sites_defaults.geoip) %}
  geoip2_vars strict
  @geofilter expression {{ site.geoip_filter_expression | default(caddy_sites_defaults.geoip_filter_expression) }}
  respond @geofilter "Access Denied" 403

{% if site.geoip_debug | default(caddy_sites_defaults.geoip_debug) %}
  header x-geoip-is-anonymous              "{geoip2.is_anonymous}"
  header x-geoip-is-anonymous-vpn          "{geoip2.is_anonymous_vpn}"
  header x-geoip-is-hosting-provider       "{geoip2.is_hosting_provider}"
  header x-geoip-is-public-proxy           "{geoip2.is_public_proxy}"
  header x-geoip-is-residential-proxy      "{geoip2.is_residential_proxy}"
  header x-geoip-is-tor-exit-node          "{geoip2.is_tor_exit_node}"
  header x-geoip-connection-type           "{geoip2.connection_type}"
  header x-geoip-domain                    "{geoip2.domain}"
  header x-geoip-country-code              "{geoip2.country_code}"
# header x-geoip-country-confidence        "{geoip2.country_confidence}"
  header x-geoip-country-eu                "{geoip2.country_eu}"
  header x-geoip-country-geoname-id        "{geoip2.country_geoname_id}"
  header x-geoip-country-name              "{geoip2.country_name}"
  header x-geoip-continent-code            "{geoip2.continent_code}"
  header x-geoip-continent-geoname-id      "{geoip2.continent_geoname_id}"
  header x-geoip-continent-name            "{geoip2.continent_name}"
# header x-geoip-city-confidence           "{geoip2.city_confidence}"
  header x-geoip-city-geoname-id           "{geoip2.city_geoname_id}"
  header x-geoip-city-name                 "{geoip2.city_name}"
  header x-geoip-location-time-zone        "{geoip2.location_time_zone}"
  header x-geoip-autonomous-system-number  "{geoip2.autonomous_system_number}"
  header x-geoip-autonomous-system-organization  "{geoip2.autonomous_system_organization}"
  header x-geoip-isp                       "{geoip2.isp}"
  header x-geoip-mobile-country-code       "{geoip2.mobile_country_code}"
  header x-geoip-mobile-network-code       "{geoip2.mobile_network_code}"
  header x-geoip-organization              "{geoip2.organization}"
  header x-geoip-ip-address                "{geoip2.ip_address}"
{% endif %}
{% endif %}

  @not_whitelisted not {
{% for ip in site.filter_whitelist | default(caddy_sites_defaults.filter_whitelist) %}
    remote_ip {{ ip }}
{% endfor %}
  }

{% if site.rate_limit | default(caddy_sites_defaults.rate_limit) %}
  rate_limit @not_whitelisted {
#   distributed
    zone remote_ip {
      key {remote.ip}
      events {{ site.rate_limit_events | default(caddy_sites_defaults.rate_limit_events) }}
      window {{ site.rate_limit_window | default(caddy_sites_defaults.rate_limit_window) }}
    }
  }
{% endif %}

{% if site.crs | default(caddy_sites_defaults.crs) %}
  coraza_waf @not_whitelisted {
    load_owasp_crs
    directives `
      Include "{{ caddy_config_dir }}/sites/{{ site.id }}/coraza.conf"
      Include "{{ caddy_config_dir }}/sites/{{ site.id }}/crs-setup.conf"
{% for plugin in site.crs_plugins | default(caddy_sites_defaults.crs_plugins) %}
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-config.conf"
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-before.conf"
{% endfor %}
      Include "{{ caddy_config_dir }}/sites/{{ site.id }}/exclusions-request-before.conf"
      Include "{{ caddy_config_dir }}/coreruleset-{{ site.crs_version | default(caddy_sites_defaults.crs_version) }}/rules/*.conf"
      Include "{{ caddy_config_dir }}/sites/{{ site.id }}/exclusions-response-after.conf"
{% for plugin in site.crs_plugins | default(caddy_sites_defaults.crs_plugins) %}
      Include "{{ caddy_config_dir }}/crs-plugins/{{ plugin }}-after.conf"
{% endfor %}
      SecRuleEngine On
    `
  }
{% endif %}

{% if site.cors | default(caddy_sites_defaults.cors) %}
{% for origin in site.cors_allow_origins | mandatory %}
  import cors {{ origin }} "{{ site.cors_allow_methods | default(caddy_sites_defaults.cors_allow_methods) | join(', ') }}" "{{ site.cors_allow_headers | default(caddy_sites_defaults.cors_allow_headers) | join(', ') }}" "{{ site.cors_allow_credentials | default(caddy_sites_defaults.cors_allow_credentials) | ternary('true', 'false') }}" "{{ site.cors_max_age | default(caddy_sites_defaults.cors_max_age) }}" "{{ site.cors_vary | default(caddy_sites_defaults.cors_vary) | join(', ') }}" "{{ site.cors_expose_headers | default(caddy_sites_defaults.cors_expose_headers) | join(', ') }}"
{% endfor %}
  import cors-deny
{% endif %}

{% if site.bot_barrier | default(caddy_sites_defaults.bot_barrier) %}
  bot_barrier @not_whitelisted {
     secret {{ site.bot_barrier_secret | default(caddy_sites_defaults.bot_barrier_secret) | mandatory }}
     complexity {{ site.bot_barrier_complexity | default(caddy_sites_defaults.bot_barrier_complexity) }}
     valid_for {{ site.bot_barrier_valid_for | default(caddy_sites_defaults.bot_barrier_valid_for) }}
     seed_cookie_name __chall_{{ site.id }}_seed
     solution_cookie_name __chall_{{ site.id }}_solution
     mac_cookie_name __chall_{{ site.id }}_mac
     template {{ caddy_config_dir }}/bot_barrier_template.html
  }
{% endif %}

  header {
    Content-Security-Policy      "{{ caddy_sites_defaults.header_content_security_policy | combine(site.header_content_security_policy | default({})) | dict2str(sep1=' ', sep2='; ', sep3=';') }}"
# FIXME
#   Cross-Origin-Embedder-Policy "{{ site.header_cross_origin_embedder_policy | default(caddy_sites_defaults.header_cross_origin_embedder_policy) }}"
#   Cross-Origin-Opener-Policy   "{{ site.header_cross_origin_opener_policy | default(caddy_sites_defaults.header_cross_origin_opener_policy) }}"
#   Cross-Origin-Resource-Policy "{{ site.header_cross_origin_resource_policy | default(caddy_sites_defaults.header_cross_origin_resource_policy) }}"
    Feature-Policy               "{{ caddy_sites_defaults.header_feature_policy | combine(site.header_feature_policy | default({})) | dict2str(sep1=' ', sep2='; ', sep3=';') }}"
    Permissions-Policy           "{{ caddy_sites_defaults.header_permissions_policy | combine(site.header_permissions_policy | default({})) | dict2str(sep2=', ') }}"
    Referrer-Policy              "{{ site.header_referrer_policy | default(caddy_sites_defaults.header_referrer_policy) }}"
    Strict-Transport-Security    "{{ site.header_strict_transport_security | default(caddy_sites_defaults.header_strict_transport_security) }}"
    X-Content-Type-Options       "{{ site.header_x_content_type_options | default(caddy_sites_defaults.header_x_content_type_options) }}"
    X-Frame-Options              "{{ site.header_x_frame_options | default(caddy_sites_defaults.header_x_frame_options) }}"
    X-Robots-Tag                 "{{ site.header_x_robots_tag | default(caddy_sites_defaults.header_x_robots_tag) }}"
    ?Content-Type                "{{ site.header_default_content_type | default(caddy_sites_defaults.header_default_content_type) }}"
    >Set-Cookie          "(.*)"  "$1; {{ site.header_cookies_attributes | default(caddy_sites_defaults.header_cookies_attributes) }}"
{% for header in site.header_delete | default(caddy_sites_defaults.header_delete) %}
    -{{ header }}
{% endfor %}
{% for header in site.header_add | default(caddy_sites_defaults.header_add) %}
    {{ header.name }}            "{{ header.value }}"
{% endfor %}
  }

  handle_errors 403 {
    header X-Blocked "true"
    respond "Your request was blocked. 🔴"
  }

  log {
    format json
    output file {{ caddy_log_dir }}/site_{{ site.id }}.log
  }
}

{% endfor %}
