# Caddyfile for fjmcp-broker.
#
# Place at /etc/caddy/Caddyfile (or wherever your Caddy reads from) and
# replace `mcp.example.com` with your real hostname. Caddy fetches an
# automatic Let's Encrypt cert on first start.
#
# This config front-ends the broker container that listens on
# 127.0.0.1:8080 (matching deploy/podman/fjmcp-broker.container).

mcp.example.com {
	encode zstd gzip

	# Reverse-proxy everything to the broker. The broker mounts every
	# endpoint at the root: /healthz, /oauth/*, /.well-known/*, /mcp.
	#
	# Caddy already forwards X-Forwarded-For / X-Forwarded-Proto / Host
	# by default, so they're not listed below. The broker derives its
	# own identity from FJMCP_BROKER_PUBLIC_URL anyway and ignores
	# these headers (see TestDiscovery_IssuerIgnoresHostHeader).
	reverse_proxy 127.0.0.1:8080 {
		# SSE responses on /mcp need flushed-as-we-go forwarding;
		# default buffering would defeat the streaming model. -1 means
		# "flush every write".
		flush_interval -1
	}

	# Optional: drop a structured access log under a separate file so
	# broker stderr stays clean for application events.
	log {
		output file /var/log/caddy/fjmcp-broker.log {
			roll_size 50mb
			roll_keep 5
		}
		format json
	}
}
