# Example Apache VirtualHost
# for serving tkr as a subdirectory path with SSL
# e.g. https://www.my-domain.com/tkr
#
# Use SSL in production.
# This is a minimal SSL confiuration
# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
<VirtualHost *:80>
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr
    # Redirect HTTP to HTTPS
    Redirect permanent / https://my-domain.com/
</VirtualHost>

<VirtualHost *:443>
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr/

    # SSL Configuration
    SSLEngine on

    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem

    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # tkr Application at /tkr
    # NOTE: If you change the directory name,
    # remember to update all instances of /var/www/tkr in this file to match
    Alias /tkr /var/www/tkr/public

    # Block access to sensitive TKR directories
    <Directory "/var/www/tkr/storage">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/src">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/templates">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/config">
        Require all denied
    </Directory>

    # 404 all non-css static files in /tkr (images, js, fonts, etc.)
    # so those requests don't hit the PHP app
    # (this is to reduce load on the PHP app from bots and scanners)
    <LocationMatch "^/tkr/.*\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|zip|mp3|mp4|avi|mov)$">
        <RequireAll>
            Require all denied
        </RequireAll>
    </LocationMatch>

    # tkr application directory
    <Directory "/var/www/tkr/public">
        Options -Indexes
        AllowOverride None
        Require all granted

        RewriteEngine On

        # Block direct PHP access
        RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
        RewriteRule ^.*$ - [R=404,L]

        # Serve the one static file that exists: css/tkr.css
        # (Pass requests to css/custom/ through to the PHP app)
        RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
        RewriteRule ^css/tkr\.css$ css/tkr.css [L]

        # Send everything else to the front controller
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php [L]
    </Directory>

    # Error and access logs
    ErrorLog ${APACHE_LOG_DIR}/my-domain_error.log
    CustomLog ${APACHE_LOG_DIR}/my-domain_access.log combined
</VirtualHost>