## SPDX-License-Identifier: AGPL-3.0-or-later
##
## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
##
## Apache configuration managed by FreedomBox. If customization is needed,
## create a new configuration file with higher priority and override directives.
##

##
## TLS configuration as recommended by Mozilla's SSL Configuration Generator
## with 'Intermediate' configuration. See:
## https://wiki.mozilla.org/Security/Server_Side_TLS
##
<IfModule mod_ssl.c>
    # Disable ciphers that are weak or without forward secrecy.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    # Allow client to choose ciphers as they will know best if they have support
    # for hardware-accelerated AES.
    SSLHonorCipherOrder off

    # TLS session tickets (RFC 5077) require restarting web server with an
    # appropriate frequency. See:
    # https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
    SSLSessionTickets off

    # Send OCSP responses to the client and reduce their round trips.
    <IfModule mod_socache_shmcb.c>
        SSLUseStapling On
        SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
    </IfModule>
</IfModule>

##
## Enable HSTS, even for subdomains.
##
<If "%{HTTP_HOST} !~ /^.*\.onion$/i">
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</If>

##
## Redirect traffic on home to /plinth as part of turning the machine
## into FreedomBox server.  Plinth then acts as a portal to reach all
## other services.
##
<IfFile !/etc/apache2/conf-enabled/freedombox-apache-homepage.conf>
    RedirectMatch "^/$" "/plinth"
</IfFile>

##
## On all sites, provide FreedomBox on a default path: /plinth
##
## Requires the following Apache modules to be enabled:
##   mod_headers
##   mod_proxy
##   mod_proxy_http
##
<Location /freedombox>
    ProxyPass        http://127.0.0.1:8000/plinth
    ## Send the scheme from user's request to enable Plinth to redirect
    ## URLs, set cookies, set absolute URLs (if any) properly.
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS

    ## Ignore any X-FORWARDED-FOR headers sent by the client and their
    ## proxies. Apache will still set this header with the remote
    ## address of the client. Apache is the first and only trusted entry
    ## point for FreedomBox. Any code that does not deal with this
    ## header properly will remain safe. For example:
    ## https://github.com/jazzband/django-axes/issues/286
    RequestHeader    unset X-Forwarded-For
</Location>
<Location /plinth>
    ProxyPass        http://127.0.0.1:8000/plinth
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
    RequestHeader    unset X-Forwarded-For
</Location>

##
## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
## icon using <link rel=''>.
##
<Location ~ ^/favicon\.ico$>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
    </IfModule>
</Location>

##
## Serve SVG files compressed using gzip.
##
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

##
## Send all logs to systemd journal by default. This may be overridden per host
## in <VirtualHost>. With all system logs in journald, it is possible to turn
## off persistent logging to improve SD card lifetime and performance. It is
## also easy to improve privacy by turning off logging altogether.
##
## - To obtain the old style access log run the following command (note that the
## first field is the name of the virtual host accessed as Apache format logged
## is vhost_combined):
##   journalctl --identifier apache-access --output cat > access.log
##
## - To obtain the old style error log run the following command:
##   journalctl --identifier apache-error --output cat > error.log
##
ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
# Remove timestamp at the beginning from the default log format. journald
# records its own timestamp.
ErrorLogFormat "[%-m:%l] [pid %P:tid %{g}T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined

## When showing an index page for a directory listing, ensure that viewport's
## width is the same as the device's width. Directory index pages generated by
## mod_autoindex are reasonably suitable for mobile devices. However, without
## the directive, mobile devices will assume the page to be not-mobile friendly
## and use a larger view port than the device size.
<IfModule mod_autoindex.c>
    IndexHeadInsert "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
</IfModule>