# This is the apache configuration file for RocketGit

<Directory "/usr/share/rocketgit/root">
	AllowOverride None
	Order allow,deny
	Allow from all

	<IfModule mod_authz_core.c>
	# apache 2.4
	Require all granted
	</IfModule>

	# Cache at will
	<FilesMatch "(?i)^.*\.(ico|jpg|jpeg|png|gif|js|css)$">
		FileETag MTime Size
		<IfModule mod_expires.c>
			ExpiresActive On
			ExpiresDefault "access plus 1 day"
		</IfModule>
	</FilesMatch>
</Directory>

<VirtualHost *:80>
	# Set ServerName correctly, else, this VirtualHost will not match
	#ServerName rg.domain.tld
	#ServerAlias rg www.rg.domain.tld x.domain.tld y.domain.tld

	DocumentRoot /usr/share/rocketgit/root/
	ErrorLog logs/rocketgit-error_log
	CustomLog logs/rocketgit-access_log combined

	KeepAlive On
	MaxKeepAliveRequests 1000
	KeepAliveTimeout 10
	TraceEnable off
	ServerSignature Off
	UseCanonicalName On
	UseCanonicalPhysicalPort On
	LogLevel info

	RewriteEngine On
	#LogLevel rewrite:trace8

	# Allow .ico, 'themes' folder and robots.txt
	# Also, avoid scripts that are looking for exploits
	RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$
	RewriteRule .* - [last]

	# Force the use of only one name even if we have more aliases.
	# https://httpd.apache.org/docs/2.4/rewrite/remapping.html
	#RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}"
	#RewriteRule "^/?(.*)"		"http://%{SERVER_NAME}:%{SERVER_PORT}/$1"	[last,redirect=301,noescape]

	# all rest
	RewriteRule (.*) /index.php [last]


	<IfModule mod_headers.c>
	# Security (ClickJacking)
	Header always append X-Frame-Options DENY
	</IfModule>

	# Compress
	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
	DeflateBufferSize 81920

	<FilesMatch "\.php$">
		SetHandler "proxy:unix:/run/php-fpm/rocketgit.sock|fcgi://localhost"
	</FilesMatch>
</VirtualHost>

<VirtualHost *:443>
	# Set ServerName correctly, else, this VirtualHost will not match
	#ServerName rg.domain.tld
	#ServerAlias rg www.rg.domain.tld

	DocumentRoot /usr/share/rocketgit/root/
	ErrorLog logs/rocketgit-ssl_error_log
	CustomLog logs/rocketgit-ssl_access_log combined

	KeepAlive On
	MaxKeepAliveRequests 1000
	KeepAliveTimeout 10
	TraceEnable off
	ServerSignature Off
	UseCanonicalName On
	UseCanonicalPhysicalPort On
	LogLevel info

	RewriteEngine On
	#LogLevel rewrite:trace8

	# Allow .ico, 'themes' folder and robots.txt
	RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$
	RewriteRule .* - [last]

	# Force the use of only one name even if we have more aliases.
	# https://httpd.apache.org/docs/2.4/rewrite/remapping.html
	#RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}"
	#RewriteRule "^/?(.*)"		"https://%{SERVER_NAME}:%{SERVER_PORT}/$1"	[last,redirect=301,noescape]

	# all rest
	RewriteRule (.*) /index.php [last]


	<IfModule mod_headers.c>
	# Security (ClickJacking)
	Header always append X-Frame-Options DENY
	# Add this for SSL
	Header set Strict-Transport-Security "max-age=31536000"
	</IfModule>

	LogLevel warn
	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	# Specify the cyphers to get an A+ on Qualys (ssllabs.com)
	# https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
	# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/
	SSLHonorCipherOrder on
	# Below is "Configure without RC4" configuration and is recommended.
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

	# or, respect the system settings:
	# Pay attention on next line! It fails on RedHat6!
	#SSLCipherSuite PROFILE=SYSTEM

	# https://mozilla.github.io/server-side-tls/ssl-config-generator/
	# TODO
	#SSLUseStapling				on
	#SSLStaplingResponderTimeout		5
	#SSLStaplingReturnResponderErrors	off
	# Another line here must be 'SSLCACertificateFile ...'
	# below line must be outside of VirtualHost section
	# SSLStaplingCache			shmcb:/run/httpd/ocsp(128000)

	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
	# To generate pin-sha256 string: openssl s_client -servername <server> -connect <server>:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
	# Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains; report-uri=\"https://www.example.org/hpkp-report\""
	# Header always set Public-Key-Pins-Report-Only ... # to not block users!

	SSLCertificateFile /etc/pki/tls/certs/localhost.crt
	SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
		SSLOptions +StdEnvVars
	</Files>

	# Compress
	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
	DeflateBufferSize 81920

	<FilesMatch "\.php$">
		SetHandler "proxy:unix:/run/php-fpm/rocketgit.sock|fcgi://localhost"
	</FilesMatch>
</VirtualHost>