:8088 {
  encode zstd gzip

  # Security headers
  header {
    # HSTS
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # Prevent clickjacking
    X-Frame-Options "SAMEORIGIN"
    # XSS protection
    X-Content-Type-Options "nosniff"
    # Referrer policy
    Referrer-Policy "strict-origin-when-cross-origin"
    # Remove server info
    -Server
  }

  @api path /api/*
  handle @api {
    handle_path /api/* {
      reverse_proxy api:8080 {
        header_up X-Forwarded-For {remote}
      }
    }
  }

  @media path /media/*
  handle @media {
    handle_path /media/* {
      reverse_proxy media:8080 {
        header_up X-Forwarded-For {remote}
      }
    }
  }

  @s3 path /s3/*
  handle @s3 {
    handle_path /s3/* {
      reverse_proxy minio:9000 {
        header_up X-Forwarded-For {remote}
      }
    }
  }

  @admin path /admin /admin/*
  handle @admin {
    uri strip_prefix /admin
    reverse_proxy admin:8080 {
      header_up X-Forwarded-For {remote}
    }
  }

  @marketing path /marketing /marketing/*
  handle @marketing {
    uri strip_prefix /marketing
    reverse_proxy marketing:8080 {
      header_up X-Forwarded-For {remote}
    }
  }

  @gateway path /gateway /gateway/*
  handle @gateway {
    uri strip_prefix /gateway
    reverse_proxy gateway:8080 {
      header_up X-Forwarded-For {remote}
    }
  }

  @livekit path /livekit /livekit/*
  handle @livekit {
    handle_path /livekit/* {
      reverse_proxy livekit:7880 {
        header_up X-Forwarded-For {remote}
      }
    }
  }

  @metrics path /metrics /metrics/*
  handle @metrics {
    uri strip_prefix /metrics
    reverse_proxy metrics:8080 {
      header_up X-Forwarded-For {remote}
    }
  }

  handle {
    root * /app/dist
    try_files {path} /index.html
    file_server
  }
}