# Replace your-domain.com with your actual domain
{$DOMAIN} {
    # Log all requests
    log {
        output stdout
        format console
        level INFO
    }

    # Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
    @analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
    handle @analytics_paths {
        rewrite * {re.analytics_match.2}
        reverse_proxy traffic-analytics:3000
    }
    
    # Proxy activitypub requests with any prefix (e.g. /.ghost/activitypub/ or /blog/.ghost/activitypub/)
    @activitypub_paths path_regexp activitypub_match ^(.*)/\.ghost/activitypub(.*)$
    handle @activitypub_paths {
        reverse_proxy activitypub:8080
    }

    # Default proxy to Ghost
    handle {
        reverse_proxy ghost:2368
    }

    # Optional: Enable gzip compression
    encode gzip

    # Optional: Add security headers
    header {
        # Enable HSTS
        Strict-Transport-Security max-age=31536000;
        # Prevent embedding in frames
        X-Frame-Options DENY
        # Enable XSS protection
        X-XSS-Protection "1; mode=block"
        # Prevent MIME sniffing
        X-Content-Type-Options nosniff
        # Referrer policy
        Referrer-Policy strict-origin-when-cross-origin
    }
}

# Redirect www to non-www (optional)
www.{$DOMAIN} {
    # Log all requests
    log {
        output stdout
        format console
        level INFO
    }
    redir https://{$DOMAIN}{uri}
}
