# Backends
backend default
  tcp-request content reject

backend letsencrypt
  server certbot 127.0.0.1:8899

backend laminar
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "cross-origin"
  http-response set-header Cache-Control max-age=31536000
  server laminar laminar.incus:8080 check

backend forgejo
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server forgejo forgejo.incus:3000 check

backend mastodon
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server mastodon mastodon2.incus:80 send-proxy check

backend linkding
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server linkding linkding.incus:9090 check

backend archive
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  http-response set-header Cache-Control max-age=31536000
  server archive archive.incus:80 check

backend adguard
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server adguard adguard.incus:443 check ssl verify none

backend vaultwarden
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server vaultwarden vaultwarden.incus:80 check

backend kanboard
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server kanboard kanboard.incus:80 check

backend photoprism
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server photoprism photoprism.incus:2342 check

backend miniflux
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server miniflux miniflux.incus:8080 check

backend www
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  http-response set-header Cache-Control max-age=31536000
  server www www.incus:80 check

backend navidrome
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server navidrome navidrome.incus:4533 check

backend mailcow
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server navidrome mailcow.incus:80 check