Restrict museum routes to primary host

start.sh

@@ -1219,6 +1219,8 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
         respond 204
     }
 
+    @api_host host ${PHOTOS_HOST}
+    handle @api_host {
         handle_path /api/* {
         @api_cors_path header Origin *
         header @api_cors_path {
@@ -1237,6 +1239,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
             header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
         }
         }
+    }
 
     handle /health {
         rewrite * /ping
@@ -1272,6 +1275,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
     }
 
     @museum_api_get_path {
+        host ${PHOTOS_HOST}
         method GET HEAD
         path_regexp museum_api_get_path ^/(admin|authenticator|billing|cast|collections|custom-domain|diff|discount|email-hash|emails-from-hashes|emergency-contacts|family|file|file-link|files|fire|info|job|mail|metrics|multipart-upload-urls|offers|options|pass-info|passkeys|public-collection|push|queue|remote-store|storage-bonus|thumbnail|trash|unknown-api|upload-urls|user|user-entity|verify-password)(/|$)
     }
@@ -1285,6 +1289,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
     }
 
     @write_methods_path {
+        host ${PHOTOS_HOST}
         not method GET
         not method HEAD
     }