{
    admin off
    auto_https off
    log {
        format json
    }
}

:443 {
    tls internal

    handle /auth/* {
        reverse_proxy authentik-server:9000 {
            header_up X-Forwarded-Proto https
            header_up X-Forwarded-For {remote_host}
        }
    }

    handle /outpost.goauthentik.io/* {
        reverse_proxy authentik-server:9000 {
            header_up X-Forwarded-Proto https
        }
    }

    handle {
        reverse_proxy zroc-ui:3001 {
            header_up X-Forwarded-Proto https
            header_up X-Forwarded-For {remote_host}
            header_up X-Real-IP {remote_host}
            health_uri /api/health
            health_interval 15s
        }
    }

    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "strict-origin-when-cross-origin"
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        -Server
    }
}

:80 {
    redir https://{host}{uri} permanent
}
