From 042b4d9f8a83f6068c0d6a8e6759a1731b0287d9 Mon Sep 17 00:00:00 2001
From: rainxchzed <undefineduser087@gmail.com>
Date: Mon, 25 May 2026 07:04:22 +0500
Subject: [PATCH 1/2] caddy: add api.komistore.app vhost reverse-proxying to
 paid-app:8080

Routes the new komistore.app hostname at the paid-backend container. Reuses the same Caddy instance as the free-tier API; service names paid-app:8080 + app:8080 stay distinct on the Docker network.

DNS prereq: api.komistore.app must resolve to the VPS IP for HTTP-01 challenge to succeed. Start with a DNS-only (grey-cloud) A record; switch to proxied + Full(strict) later once traffic justifies fronting.

CSP is looser than the free-tier API block because the paid backend serves /legal HTML pages alongside JSON. frame-ancestors stays locked to 'none' to keep clickjack closed.
---
 Caddyfile.prod | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/Caddyfile.prod b/Caddyfile.prod
index 2b90894..7f5d875 100644
--- a/Caddyfile.prod
+++ b/Caddyfile.prod
@@ -78,3 +78,44 @@ api-direct.github-store.org {
         output stdout
     }
 }
+
+# Komi Store paid backend. Hosted on the same VPS, separate Docker service
+# (paid-app), separate Postgres database (komistore_paid). Will eventually
+# absorb the github-store.org hostnames above once the free-tier migration
+# lands; for now the two run side-by-side under distinct vhosts so DNS,
+# Stripe webhook URLs, and Cloudflare KV bindings stay decoupled.
+#
+# DNS prereq: api.komistore.app must resolve to this VPS for Caddy's
+# HTTP-01 challenge to issue a Let's Encrypt cert. Either:
+#   (a) DNS-only (grey-cloud) A record -> VPS IP, OR
+#   (b) Cloudflare proxied + SSL mode "Full (strict)" + Cloudflare origin
+#       cert OR DNS-01 challenge configured in Caddy.
+# Start with (a) until traffic justifies fronting.
+api.komistore.app {
+
+    # Body cap. Stripe webhooks can be ~10 KB; checkout payloads are tiny.
+    # 1 MB matches the free-tier ceiling -- bumps need a written reason.
+    request_body {
+        max_size 1MB
+    }
+
+    reverse_proxy paid-app:8080
+
+    header {
+        -Server
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+        # Looser than the API-only CSP above because the paid backend
+        # serves the /legal HTML pages (terms, privacy) as well as JSON.
+        # default-src 'none' would break inline <style>/<script> the legal
+        # pages use. Keep frame-ancestors locked down to prevent clickjack.
+        Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
+        Referrer-Policy "no-referrer"
+        Permissions-Policy "interest-cohort=()"
+    }
+
+    log {
+        output stdout
+    }
+}

From 45ad970ed15e2963e226aea314817ffd434e1a73 Mon Sep 17 00:00:00 2001
From: rainxchzed <undefineduser087@gmail.com>
Date: Mon, 25 May 2026 14:12:02 +0500
Subject: [PATCH 2/2] =?UTF-8?q?caddy:=20lock=20down=20api.komistore.app=20?=
 =?UTF-8?q?vhost=20=E2=80=94=20XFF=20override,=20CF-Connecting-IP=20strip,?=
 =?UTF-8?q?=20accurate=20CSP=20comment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Direct-to-VPS path (grey-cloud DNS) was missing the X-Forwarded-For
override and CF-Connecting-IP strip that api-direct.github-store.org
already has — a client could forge XFF and rotate past paid-app's
per-IP rate limiter, or claim any CF-Connecting-IP source. Both
defences now match the established pattern.

Also corrects the CSP comment: default-src 'self' does not permit
inline <style>/<script> (those require 'unsafe-inline' in
style-src/script-src or a nonce). The /legal templates are
intentionally kept inline-asset-free so the directive holds.
---
 Caddyfile.prod | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/Caddyfile.prod b/Caddyfile.prod
index 7f5d875..7dde5b4 100644
--- a/Caddyfile.prod
+++ b/Caddyfile.prod
@@ -92,6 +92,17 @@ api-direct.github-store.org {
 #       cert OR DNS-01 challenge configured in Caddy.
 # Start with (a) until traffic justifies fronting.
 api.komistore.app {
+    # Direct-to-VPS path (grey-cloud DNS). Overwrite any client-supplied
+    # X-Forwarded-For with the real TCP source — without this a client who
+    # forges X-Forwarded-For can rotate past paid-app's rate limiter
+    # (which keys on X-Forwarded-For's first IP). Same defence as
+    # api-direct.github-store.org above.
+    request_header X-Forwarded-For {remote_host}
+
+    # Strip any client-supplied CF-Connecting-IP. No Cloudflare hop on this
+    # vhost yet (grey-cloud); accepting the header would let any client
+    # claim any source IP. Re-evaluate if/when this vhost goes orange-cloud.
+    request_header -CF-Connecting-IP
 
     # Body cap. Stripe webhooks can be ~10 KB; checkout payloads are tiny.
     # 1 MB matches the free-tier ceiling -- bumps need a written reason.
@@ -107,9 +118,13 @@ api.komistore.app {
         X-Frame-Options DENY
         Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
         # Looser than the API-only CSP above because the paid backend
-        # serves the /legal HTML pages (terms, privacy) as well as JSON.
-        # default-src 'none' would break inline <style>/<script> the legal
-        # pages use. Keep frame-ancestors locked down to prevent clickjack.
+        # serves /legal HTML pages (terms, privacy) alongside JSON.
+        # default-src 'none' would block same-origin assets the legal
+        # pages load (linked stylesheets, images). Note that 'self' does
+        # NOT permit inline <style>/<script> blocks — those require an
+        # explicit 'unsafe-inline' in style-src/script-src or a nonce.
+        # The /legal templates are kept inline-asset-free for that reason.
+        # frame-ancestors stays locked to prevent clickjack.
         Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
         Referrer-Policy "no-referrer"
         Permissions-Policy "interest-cohort=()"