From 8b50ad82c323bf53d1de94674666c7a4d67373f3 Mon Sep 17 00:00:00 2001 From: Serreau Jovann Date: Wed, 28 Jan 2026 13:19:50 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat(ansible/caddy):=20Am=C3=A9lior?= =?UTF-8?q?e=20la=20configuration=20Caddy=20avec=20gestion=20des=20headers?= =?UTF-8?q?,=20redirections=20et=20PHP-FPM.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/templates/caddy.j2 | 66 +++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 26 deletions(-) diff --git a/ansible/templates/caddy.j2 b/ansible/templates/caddy.j2 index 81090fc..de59716 100644 --- a/ansible/templates/caddy.j2 +++ b/ansible/templates/caddy.j2 
@@ -2,38 +2,52 @@ intranet.ludikevent.fr, signature.ludikevent.fr, reservation.ludikevent.fr { tls { dns cloudflare KL6pZ-Z_12_zbnM2TtFDIsKM8A-HLPhU5GJJbKTW } + root * {{ path }}/public file_server - # --- LOGIQUE RÉSERVATION --- - @is_reservation_host host reservation.ludikevent.fr - - handle @is_reservation_host { - # Si on arrive sur la racine / - # On réécrit en interne vers /reservation - rewrite / /reservation - - # On passe à PHP en s'assurant que le script index.php est utilisé - php_fastcgi unix//run/php/php8.4-fpm.sock { - # On force Symfony à utiliser le nouveau chemin réécrit - env REQUEST_URI {uri} - } + request_body { + max_size 100MB } - # --- LE RESTE DES DOMAINES (Intranet / Signature) --- - handle { - header { - X-Content-Type-Options "nosniff" - X-Frame-Options "DENY" - Referrer-Policy "strict-origin-when-cross-origin" - CF-Connecting-IP {header.CF-Connecting-IP} - X-Real-IP {remote_host} - } + # --- NO-INDEX MATCHER --- + @noindex_hosts host intranet.ludikevent.fr signature.ludikevent.fr + header @noindex_hosts X-Robots-Tag "noindex, nofollow" - handle_path /assets/* { - rewrite * /build{path} - } + @index_host host reservation.ludikevent.fr + header @index_host -X-Robots-Tag - php_fastcgi unix//run/php/php8.4-fpm.sock + handle_path /utm_reserve.js { + redir https://tools-security.esy-web.dev/script.js + } + handle_path /ts.js { + redir https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js + } + # --- BLOC HEADER AVEC CSP --- + header { + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Referrer-Policy "strict-origin-when-cross-origin" + + # Injection des headers Cloudflare pour PHP + # Cela permet à PHP de les lire via $_SERVER['HTTP_CF_CONNECTING_IP'] etc. 
+ CF-Connecting-IP {header.CF-Connecting-IP} + CF-IPCountry {header.CF-IPCountry} + CF-RegionCode {header.CF-RegionCode} + CF-IPCity {header.CF-IPCity} + X-Real-IP {remote_host} + } + handle_path /assets/* { + rewrite * /build{path} + } + # --- PHP FASTCGI --- + # Ici, Caddy transmet automatiquement tous les headers définis ci-dessus au socket PHP + php_fastcgi unix//run/php/php8.4-fpm.sock { + read_timeout 300s + write_timeout 300s + dial_timeout 100s + + # Optionnel : Forcer explicitement certains paramètres FastCGI si nécessaire + env REMOTE_ADDR {header.CF-Connecting-IP} } }
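Review bot: `env REMOTE_ADDR {header.CF-Connecting-IP}` in the new php_fastcgi block makes the client address the application sees entirely attacker-controlled: any request that reaches the origin without passing through Cloudflare (a direct hit on the server's IP, which nothing in this config rejects) can send an arbitrary `CF-Connecting-IP` and defeat IP-based rate limiting, allow-lists and audit logging in Symfony, and a request without that header yields an empty REMOTE_ADDR. The header should only be honoured when `{remote_host}` is a Cloudflare edge address — declare the Cloudflare ranges as `trusted_proxies` with `client_ip_headers CF-Connecting-IP` in the global `servers` options (Caddy 2.7+, block goes above the site address line, i.e. outside this hunk) and use `env REMOTE_ADDR {client_ip}`, which falls back to the real peer address for untrusted sources; alternatively `abort` non-Cloudflare requests with a `not remote_ip` matcher. The `header { CF-Connecting-IP … X-Real-IP … }` block sets *response* headers, so it does not populate `$_SERVER['HTTP_CF_*']` as the comment claims (Cloudflare's request headers already reach PHP through php_fastcgi untouched), and the label "BLOC HEADER AVEC CSP" is misleading because no Content-Security-Policy is set — drop the five CF-*/X-Real-IP lines and reword the comment to `# Hardening response headers (no CSP yet)`. Unrelated to this change but visible as context: the literal value on the `dns cloudflare` line looks like a Cloudflare API token committed in the template; it should be rotated and injected from an Ansible Vault variable such as `{{ cloudflare_api_token }}`.
```caddyfile
# Global options — must be the first block of the Caddyfile, before the site addresses (outside this hunk).
{
	servers {
		# Trust CF-Connecting-IP only from Cloudflare edge ranges; keep the list in sync with cloudflare.com/ips
		trusted_proxies static {{ cloudflare_ip_ranges | join(' ') }}
		client_ip_headers CF-Connecting-IP
	}
}

# … unchanged: site block, tls, root, request_body, X-Robots-Tag matchers, redirs, header block, handle_path /assets/* …

	php_fastcgi unix//run/php/php8.4-fpm.sock {
		read_timeout 300s
		write_timeout 300s
		dial_timeout 100s
		# {client_ip} is the CF-Connecting-IP value only when the peer is a trusted proxy, else the real peer address
		env REMOTE_ADDR {client_ip}
	}
```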