rick-infra/roles/metrics/templates/grafana.caddy.j2

# Grafana Metrics Dashboard
{{ grafana_domain }} {
    reverse_proxy http://{{ grafana_listen_address }}:{{ grafana_listen_port }} {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto https
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Host {host}
    }

    # Security headers
    header {
        X-Frame-Options SAMEORIGIN
        X-Content-Type-Options nosniff
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    # Logging
    log {
        output file {{ caddy_log_dir }}/grafana.log
        level INFO
        format json
    }
}