# Example Apache VirtualHost
# for serving tkr as a subdomain root with SSL
# e.g. https://tkr.my-domain.com/
#
# Use SSL in production.
# This is a minimal SSL confiuration
# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
<VirtualHost *:80>
    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    DocumentRoot /var/www/tkr/public
    # Redirect HTTP to HTTPS
    Redirect permanent / https://tkr.my-domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www/tkr/public

    # SSL Configuration
    SSLEngine on

    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem

    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Block access to sensitive directories
    <Directory "/var/www/tkr/storage">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/src">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/templates">
        Require all denied
    </Directory>
    <Directory "/var/www/tkr/config">
        Require all denied
    </Directory>

    # Block access to hidden files
    <DirectoryMatch "^\.|/\.">
        Require all denied
    </DirectoryMatch>

    # Cache CSS files
    <LocationMatch "\.css$">
        Header set Cache-Control "public, max-age=3600"
    </LocationMatch>

    # Serve static CSS file
    Alias /css/tkr.css /var/www/tkr/public/css/tkr.css

    # 404 all non-css static files (images, js, fonts, etc.)
    # so those requests don't hit the PHP app
    # (this is to reduce load on the PHP app from bots and scanners)
    <LocationMatch "\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|zip|mp3|mp4|avi|mov)$">
        <RequireAll>
            Require all denied
        </RequireAll>
    </LocationMatch>

    # Enable rewrite engine
    <Directory "/var/www/tkr/public">
        Options -Indexes
        AllowOverride None
        Require all granted

        RewriteEngine On

        # Block direct PHP access
        RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
        RewriteRule ^.*$ - [R=404,L]

        # Serve the one static file that exists: css/tkr.css
        # (Pass requests to css/custom/ through to the PHP app)
        RewriteCond %{REQUEST_URI} !^/css/custom/
        RewriteRule ^css/tkr\.css$ css/tkr.css [L]

        # Everything else to front controller
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php [L]
    </Directory>

    # Error and access logs
    ErrorLog ${APACHE_LOG_DIR}/tkr_error.log
    CustomLog ${APACHE_LOG_DIR}/tkr_access.log combined
</VirtualHost>