tzzrdeck.me {
    # Gate endpoints - siempre accesibles
    handle /gate* {
        reverse_proxy localhost:8099
    }
    
    # Contenido protegido - verificar sesión
    handle {
        forward_auth localhost:8099 {
            uri /gate/check
            header_up CF-Connecting-IP "{http.request.header.CF-Connecting-IP}"
            header_up X-Gate-Key "{http.request.uri.query.key}"
            header_up X-Forwarded-Host "{http.request.host}"
            @unauthorized status 401
            handle_response @unauthorized {
                redir https://gate.tzzrdeck.me/gate?redirect=https://tzzrdeck.me{uri}
            }
        }
        
        root * /opt/hst/web
        file_server
        try_files {path} {path}/ /index.html
    }
}
