# FrankenPHP Caddyfile for the api container.
# Serves Slim from public/ on :8081.
{
    # Global options: apply to the whole Caddy process, not just the :8081 site.

    # Enable the FrankenPHP app so PHP runs inside the Caddy process.
    frankenphp
    # php_server has no built-in position in Caddy's directive order; place it
    # ahead of file_server so it is tried before plain static serving.
    order php_server before file_server
    # No certificate management and no HTTP->HTTPS redirects: the :8081
    # listener speaks cleartext HTTP.
    # NOTE(review): presumably TLS is terminated by a proxy or load balancer in
    # front of this container; confirm, since nothing here encrypts traffic.
    auto_https off
    # Disable the admin API endpoint (by default on localhost:2019), so the
    # running config cannot be read or changed over HTTP. Side effect: there is
    # no API-driven reload; config changes need a process/container restart.
    admin off
}

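:8081 {
    root * /app/public
    encode zstd gzip

    # Internal jobs API: only callable from loopback / RFC1918.
    # The PHP layer also enforces this (InternalNetworkMiddleware) — Caddy
    # is the first line of defence for production deployments where the
    # api is reachable from the public internet.
    #
    # The allowlist is written exactly once and the /internal/* branch is
    # fail-closed: a request under /internal/* is either served for an allowed
    # peer or answered with 404 inside this block. It never falls through to
    # the catch-all php_server below, so editing the CIDR list cannot
    # accidentally open the path.
    #
    # NOTE(review): remote_ip matches the immediate TCP peer. If a reverse
    # proxy, load balancer or NAT hop with a private address sits in front of
    # this container, every request arrives from an allowed range and this
    # check passes for external clients too. In that topology configure
    # trusted_proxies and match on client_ip instead, and verify what
    # InternalNetworkMiddleware treats as the client address.
    #
    # NOTE(review): "path /internal/*" does not match the bare "/internal"
    # (no trailing slash); that request goes to the catch-all php_server.
    # Confirm no internal route is registered at that exact path.
    @internal path /internal/*
    handle @internal {
        @allowed_peer remote_ip 127.0.0.1/32 ::1/128 172.16.0.0/12 10.0.0.0/8 192.168.0.0/16
        handle @allowed_peer {
            php_server
        }

        # Any other peer: answer 404 rather than 403 so the response does not
        # confirm that the internal API exists.
        handle {
            respond 404
        }
    }

    # Everything outside /internal/* is the public API.
    php_server
}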
