(headers_reverseproxy_nextcloud) {
  header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
  }
}

(headers_reverseproxy) {
  header {   
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
  }    
}
(logging) {
  log {
    output file caddy_access_{args.0}.log {
    roll_size 32mb
    roll_keep 5
    roll_keep_for 720h
    }
  }
}

https://origine.nsupdate.info {
  import headers_reverseproxy
  reverse_proxy 192.168.1.2:8123
  import logging origine.nsupdate.info
}

adguard.nsupdate.info {
  reverse_proxy 192.168.1.3:85
  import logging adguard.nsupdate.info
}

adminer.nsupdate.info {
  reverse_proxy 192.168.1.3:82
  import logging adminer.nsupdate.info
}

next.nsupdate.info {
  import headers_reverseproxy_nextcloud
  rewrite /.well-known/carddav /remote.php/dav
  rewrite /.well-known/caldav /remote.php/dav
  reverse_proxy 192.168.1.3:83
  import logging next.nsupdate.info  
}

tty.nsupdate.info {
    rewrite / /wetty{uri}
    reverse_proxy 192.168.1.3:3333
#    import logging tty.nsupdate.info
}

bloggy.nsupdate.info {
    reverse_proxy 192.168.1.3:84
    import logging bloggy.nsupdate.info
}


ntfy.nsupdate.info {
    reverse_proxy 192.168.1.3:87
    import logging ntfy.nsupdate.info
}

motion.nsupdate.info {
    reverse_proxy 192.168.1.3:8081
    import logging motion.nsupdate.info
}


tag.nsupdate.info {
    reverse_proxy 192.168.1.3:88
    import logging tag.nsupdate.info
}

#netdisco.nsupdate.info {
#    reverse_proxy 192.168.1.3:5000
#    import logging netdisco.nsupdate.info
#}




vault.nsupdate.info {


  # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
  # tls {$EMAIL}

  # Or uncomment this if you're providing your own cert. You would also use this option
  # if you're running behind Cloudflare.
  # tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  # header {
  #      # Enable HTTP Strict Transport Security (HSTS)
  #      Strict-Transport-Security "max-age=31536000;"
  #      # Enable cross-site filter (XSS) and tell browser to block detected attacks
  #      X-XSS-Protection "1; mode=block"
  #      # Disallow the site to be rendered within a frame (clickjacking protection)
  #      X-Frame-Options "DENY"
  #      # Prevent search engines from indexing (optional)
  #      X-Robots-Tag "none"
  #      # Server name removing
  #      -Server
  # }

  # Uncomment to allow access to the admin interface only from local networks
  # @insecureadmin {
  #   not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
  #   path /admin*
  # }
  # redir @insecureadmin /

  # Notifications redirected to the websockets server
  reverse_proxy /notifications/hub 192.168.1.3:3012

  # Proxy everything else to Rocket
  reverse_proxy 192.168.1.3:86 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}


boxnet.nsupdate.info {
    reverse_proxy 192.168.1.3:90
    import logging boxnet.nsupdate.info
}