{
	# we’re behind cloudflare tunnel; terminate tls there
	auto_https off
}

:8550 {
	# route by host header to each backend

	@paste host {env.PASTE_DOMAIN}
	handle @paste {
		reverse_proxy privatebin:8080
	}

	@files host {env.FILES_DOMAIN}
	handle @files {
		reverse_proxy lufi:8081
	}

	@short host {env.SHORT_DOMAIN}
	handle @short {
		reverse_proxy shlink:8080
	}

	# adapter endpoint on the short domain
	@shorten {
		host {env.SHORT_DOMAIN}
		path /shorten
	}
	handle @shorten {
		header {
			Access-Control-Allow-Origin https://{env.PASTE_DOMAIN}
			Access-Control-Allow-Methods GET, OPTIONS
			Access-Control-Allow-Headers *
			Cache-Control no-store
		}
		reverse_proxy shlink-adapter:3000
	}

	# preflight for /shorten
	@shortenPre {
		host {env.SHORT_DOMAIN}
		method OPTIONS
		path /shorten
	}
	respond @shortenPre 204

	respond "unauthorized domain" 404
}

