# Replace your-domain.com with your actual domain
{$DOMAIN} {
    # Log all requests
    log {
        output stdout
        format console
        level INFO
    }

    # Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
    @analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
    handle @analytics_paths {
        rewrite * {re.analytics_match.2}
        reverse_proxy traffic-analytics:3000
    }

    # ActivityPub
    # Proxy activitypub requests /.ghost/activitypub/
    handle /.ghost/activitypub/* {
        reverse_proxy https://ap.ghost.org
    }

    handle /.well-known/webfinger {
        reverse_proxy https://ap.ghost.org
    }

    handle /.well-known/nodeinfo {
        reverse_proxy https://ap.ghost.org
    }

    # Default proxy everything else to Ghost
    handle {
        reverse_proxy ghost:2368
    }

    # Optional: Enable gzip compression
    encode gzip

    # Optional: Add security headers
    header {
        # Enable HSTS
        Strict-Transport-Security max-age=31536000;
        # Prevent embedding in frames
        X-Frame-Options DENY
        # Enable XSS protection
        X-XSS-Protection "1; mode=block"
        # Prevent MIME sniffing
        X-Content-Type-Options nosniff
        # Referrer policy
        Referrer-Policy strict-origin-when-cross-origin
    }
}

# Redirect www to non-www (optional)
www.{$DOMAIN} {
    # Log all requests
    log {
        output stdout
        format console
        level INFO
    }
    redir https://{$DOMAIN}{uri}
}
