Caddyfile

{
	servers {
        # We trust (configurably) X-Forwarded-For headers from traffic that's proxied through
        # localhost, e.g. through SCW's Envoy container proxy. Without this all traffic appears
        # to come directly from localhost, ignoring the data Envoy passes through.
		trusted_proxies static {$TRUSTED_PROXIES:127.0.0.1}
	}
}


# We use the domain name (via Host header) to decide which upstream service we
# should forward the traffic to:
{$EVENTS_DOMAIN:events.httptoolkit.tech}:{$PORT:8080} {
    reverse_proxy https://eu.posthog.com {
        # We need to use the correct hostname for upstream requests:
        header_up Host {upstream_hostport}

        # Anonymize ip addresses when forwarding:
        header_up X-Forwarded-For "\.\d{0,3}(,\s*|$)" ".0$1"
    }
}

{$ERRORS_DOMAIN:errors.httptoolkit.tech}:{$PORT:8080} {
    # This redirects Sentry requests from our own domain to their per-project subdomains:
    # from: https://errors.httptoolkit.tech/o123/api/456/...
    # to: https://o123.ingest.us.sentry.io/api/456/...
    @has_id_path {
        path_regexp id_path ^/(o\d+)/(.*)$
    }

    handle @has_id_path {
        reverse_proxy {
            to {re.id_path.1}.ingest.us.sentry.io:443
            rewrite /{re.id_path.2}
            transport http {
                # We have to TLS explicitly because you can't use https:// with a placeholder
                tls
            }

            # Set appropriate headers
            header_up Host {upstream_hostport}

            # Anonymize ip addresses when forwarding:
            header_up X-Forwarded-For "\.\d{0,3}(,\s*|$)" ".0$1"
        }
    }

    respond 400 {
        body "Unrecognized URL"
        close
    }
}

# For any other unrecognized services, we reject the request outright:
:80, :443, :{$PORT:8080} {
    log
    respond 400 {
        body "Unrecognized host name"
        close
    }
}