From 47b5b7e8fdfb36fd68e6e84c8f39219d7177441d Mon Sep 17 00:00:00 2001
From: Andreas Knuth
Date: Thu, 11 Sep 2025 12:24:15 -0500
Subject: [PATCH] iitwelders 2. try
---
 caddy/Caddyfile | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index ce41dbb..28bc0ba 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -102,35 +102,28 @@ gregknoppcpa.bayarea-cc.com {
 encode gzip
 }
 iitwelders.bayarea-cc.com {
- # Optional: Basis-Hardening
 encode zstd gzip
- header {
- # Browser-ähnlicher Forward (optional)
- -Server
- X-Frame-Options "SAMEORIGIN"
- }
- # Falls die Zielseite nur www. spricht, nimm https://www.iitwelders.com
- reverse_proxy https://www.iitwelders.com {
- # Very important: Origin-Host durchreichen
- header_up Host www.iitwelders.com
+ reverse_proxy https://iitwelders.com {
+ # Wichtig: als Host explizit die Apex-Domain setzen,
+ # damit der Upstream NICHT auf iitwelders.com umleitet.
+ header_up Host iitwelders.com
+
+ # Übliche Forwarded-Header
 header_up X-Forwarded-Host {host}
 header_up X-Forwarded-Proto {scheme}
 header_up X-Forwarded-For {remote_host}
- # Manchmal blocken Upstreams komische Encodings von Proxys
- header_up Accept-Encoding identity
-
- # SNI/ServerName für TLS Richtung Upstream
+ # TLS SNI passend zum Upstream-Host
 transport http {
- tls_server_name www.iitwelders.com
+ tls_server_name iitwelders.com
 }
- # Optional: ein "normales" User-Agent setzen, falls der Upstream picky ist
- header_up User-Agent {>User-Agent}
+ # Falls der Upstream Probleme mit komprimierten Requests hat:
+ header_up Accept-Encoding identity
 }
- # Optional: Healthcheck-Route fürs Monitoring
+ # Optional: einfache Health-Route
 @health path /_health
 respond @health "ok" 200
 }
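Review bot: The rewritten `iitwelders.bayarea-cc.com` block drops the `header` directive without a replacement, so responses served under this name no longer carry `X-Frame-Options "SAMEORIGIN"` and the `Server` header is no longer stripped. Framing policy for the proxied site now depends entirely on what the upstream sends, and the commit message does not say the removal is intended. If it is not, keep both settings next to `encode zstd gzip`, e.g. `header X-Frame-Options "SAMEORIGIN"` and `header -Server`. Separately, the new comment above `header_up Host iitwelders.com` says the apex host is set so the upstream does not redirect to iitwelders.com, which is the same name; it presumably means www.iitwelders.com and should say so.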