# Global options
{
	# Certificates are still obtained automatically, but Caddy's built-in
	# HTTP->HTTPS redirect is turned off.
	# NOTE(review): together with the explicit http:// address on the site
	# block below, every host here (including the Proxmox, AdGuard, Dockge
	# and Coolify management UIs) is also served over cleartext HTTP whenever
	# port 80 is reachable. Confirm this is intended; logins sent over the
	# http:// address are not protected in transit.
	auto_https disable_redirects
	# Contact address for the ACME account.
	email k.radikal@gmail.com
}

# Consolidated wildcard site block: one wildcard certificate, with per-host
# routing done by the named matchers below.
# NOTE(review): no matcher in this block restricts client addresses. If this
# listener is reachable from outside the LAN, each management UI relies only
# on its own login; consider a remote_ip matcher on the admin hosts.
*.klhoud.com, http://*.klhoud.com {
	# Automatic HTTPS via DNS challenge for all subdomains.
	# The API token is read from the environment, not stored in this file.
	# It can modify DNS records, so it should be limited to DNS edit rights
	# on this one zone.
	tls {
		dns cloudflare {$CLOUDFLARE_API_TOKEN}
	}

	# Proxmox
	@proxmox host proxmox.klhoud.com
	handle @proxmox {
		reverse_proxy https://192.168.0.112:8006 {
			# Required for connecting to Proxmox's self-signed/untrusted certificate
			# NOTE(review): tls_insecure_skip_verify turns off all upstream
			# certificate checks, so any host able to answer for 192.168.0.112
			# on the LAN can impersonate Proxmox to this proxy. Trusting the
			# Proxmox CA certificate in this transport block would keep
			# verification on while still accepting its certificate.
			transport http {
				tls_insecure_skip_verify
				# Restrict the upstream connection to HTTP/1.1.
				versions 1.1
			}
		}
	}

	# AdGuard Home (upstream is plain HTTP on the LAN)
	@adguard host adguard.klhoud.com
	handle @adguard {
		reverse_proxy 192.168.0.170:80
	}

	# Dockge (upstream is plain HTTP on the LAN)
	@dockge host dockge.klhoud.com
	handle @dockge {
		reverse_proxy 192.168.0.12:5001
	}

	# Nextcloud (upstream is plain HTTP on the LAN)
	@cloud host cloud.klhoud.com
	handle @cloud {
		reverse_proxy 192.168.0.12:8080
		# Nextcloud-specific headers
		# HSTS is set only for this host. Browsers ignore the header on
		# responses received over plain HTTP, so it takes effect only after
		# a first visit over https://.
		header Strict-Transport-Security "max-age=31536000;"
		# Handle large file uploads: request bodies above 10GB are rejected.
		request_body {
			max_size 10GB
		}
	}

	# Coolify (control plane runs on LXC 103).
	# coolify-proxy (Traefik) on LXC 103 listens on :80. We added a custom
	# higher-priority router in /data/coolify/proxy/dynamic/coolify-noredirect.yaml
	# there to bypass Coolify's auto-generated http->https redirect (which would
	# loop us). WebSocket routes (/app, /terminal/ws) work natively on :80.
	# NOTE(review): an older note here described an HTTPS upstream on 443 with
	# certificate verification skipped, because coolify-proxy's ACME for
	# coolify.klhoud.com fails (DNS points at us, not it). The directive below
	# proxies plain HTTP to :80, so that description no longer matches the
	# configuration; the Caddy -> Coolify hop is unencrypted.
	@coolify host coolify.klhoud.com
	handle @coolify {
		reverse_proxy 192.168.0.47:80
	}

	# IMPORTANT: Fallback Handler
	# Any hostname under the wildcard that matches none of the handlers above
	# gets an explicit 404 instead of falling through.
	handle {
		respond "Not Found" 404
	}
}