# Caddy Layer 4 TCP proxy for SSL termination
# Usage: caddy run --config /path/to/Caddyfile-stream
#
# NOTE: Requires caddy-l4 plugin for TCP/TLS proxying:
#   xcaddy build --with github.com/mholt/caddy-l4
#
# This is Layer 4 (TCP) proxying: Caddy does no HTTP inspection here, only SSL/TLS termination.
#
# Backend: plackup -s Feersum -p 5000 --keepalive app.psgi

{
    # Layer 4 app configuration (caddy-l4). Every block under layer4 is a
    # listen address; a connection is handled by the first route whose matcher
    # accepts it.
    layer4 {
        #=====================================================================
        # SSL termination -> TCP backend
        #=====================================================================
        :443 {
            # Match TLS connections. Bytes that are not a TLS handshake match
            # no route here; presumably caddy-l4 then closes the connection
            # rather than forwarding it - verify against the plugin version in use.
            @tls tls

            route @tls {
                # Terminate TLS. The connection_policy block is empty, so the
                # defaults of Caddy's TLS app apply (protocol versions, cipher
                # suites, certificate selection).
                tls {
                    connection_policy {
                        # Use default/auto certificates or specify:
                        # cert_file /etc/ssl/certs/server.crt
                        # key_file /etc/ssl/private/server.key
                    }
                }

                # Proxy to Feersum. No upstream TLS is configured in this block,
                # so the hop to the backend carries the decrypted stream; keep
                # the upstream on loopback or an otherwise trusted network.
                proxy {
                    upstream 127.0.0.1:5000
                    # Or multiple backends:
                    # upstream 127.0.0.1:5000
                    # upstream 127.0.0.1:5001

                    # Health checks: probe each upstream every 10s and treat a
                    # probe as failed after 5s. Only this listener has them; the
                    # two below do not.
                    health_interval 10s
                    health_timeout 5s
                }
            }
        }

        #=====================================================================
        # SSL termination -> Unix socket backend
        #=====================================================================
        :8443 {
            @tls tls

            route @tls {
                # Bare `tls`: same termination as :443 with an all-default
                # connection policy (no explicit certificate paths either).
                tls
                proxy {
                    # Access to the backend is gated only by the socket file's
                    # permissions; the socket itself is created by the backend,
                    # not by this config.
                    upstream unix//tmp/feersum.sock
                }
            }
        }

        #=====================================================================
        # Plain TCP passthrough (no SSL, for testing)
        #=====================================================================
        # This listener binds all interfaces and forwards the stream with no
        # encryption and no matcher, so anyone who can reach the host reaches
        # the backend directly. For local testing prefer a loopback bind
        # (`127.0.0.1:8080`), and drop the block before deployment.
        :8080 {
            route {
                proxy {
                    upstream 127.0.0.1:5000
                }
            }
        }
    }
}

# =============================================================================
# ALTERNATIVE: Simple TLS termination using standard Caddy reverse_proxy
# =============================================================================
# If you do not need raw TCP streaming, the standard Caddy HTTP reverse_proxy works fine:
#
# :443 {
#     reverse_proxy 127.0.0.1:5000 {
#         transport http {
#             keepalive 60s
#             keepalive_idle_conns 64
#         }
#     }
#     tls {
#         protocols tls1.2 tls1.3
#     }
# }
