{
	# Global options.  Caddy sits behind HAProxy, which passes raw TLS
	# through on :8443.  ACME HTTP-01 challenges arrive on :80 via
	# HAProxy's ACL passthrough.  Both ports are expected to be reached
	# only through HAProxy; the `allow` list below is what decides who
	# may assert a client address on :8443.
	http_port 80
	https_port 8443

	# HAProxy forwards connections to :8443 with a PROXY protocol v2
	# header (see haproxy.cfg `send-proxy-v2`).  The proxy_protocol
	# listener wrapper strips the header and exposes the real client IP
	# to Caddy's access log.  The `tls` wrapper must follow so that TLS
	# is terminated on the unwrapped connection.
	#
	# `allow` lists the networks permitted to send PROXY headers.  These
	# ranges cover docker compose's default bridge networks; tighten
	# them if you pin a specific subnet in docker-compose.yml.
	# Any peer inside an allowed range can choose the client IP that
	# ends up in the access log, so keep the list no wider than the
	# addresses HAProxy actually connects from.
	# NOTE(review): this file does not show how the wrapper treats a
	# source outside the list that still sends a header — confirm the
	# fallback policy before relying on the logged address.
	servers :8443 {
		listener_wrappers {
			proxy_protocol {
				# How long to wait for the PROXY header before giving up
				# on the connection.
				timeout 5s
				allow 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
			}
			tls
		}
	}
}

{$DOMAIN} {
	# The site address is read from the DOMAIN environment variable when
	# the Caddyfile is loaded; the certificate for it is obtained via the
	# ACME HTTP-01 flow on :80 described in the global options.
	# NOTE(review): with a non-443 https_port, Caddy's HTTP->HTTPS
	# redirect may include :8443 in the Location — confirm HAProxy
	# exposes that port or that redirects are issued upstream.
	root * /srv
	# Serves /srv as-is: every file under it is readable by any client
	# that can reach the site, so only publishable content belongs there.
	file_server
}
