# Harheimer TC Website - HTTPS VirtualHost
# Speichern unter: /etc/apache2/sites-available/harheimertc.tsschulz.de-ssl.conf

<VirtualHost *:443>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-ssl-access.log combined

    # SSL-Konfiguration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/harheimertc.tsschulz.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/harheimertc.tsschulz.de/privkey.pem

    # Moderne SSL-Konfiguration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen (modernere Lösung)
    # Header always set X-Frame-Options SAMEORIGIN
    # X-Content-Type-Options wird vom Nuxt-Server gesetzt
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    
    # Frame-Ancestors: Erlaubt Einbettung von harheimertc.de und www.harheimertc.de
    # Wird vom Nuxt-Server gesetzt, aber hier als Fallback für den Fall, dass CSP nicht aktiviert ist
    Header always set Content-Security-Policy "frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de"

    # Optional: Vollständige Content Security Policy (zusätzlich zu frame-ancestors)
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; img-src 'self' data: blob:; connect-src 'self'"

    # Proxy alle Anfragen an Nuxt Server (Port 3100)
    ProxyPreserveHost On
    ProxyPass / http://localhost:3100/
    ProxyPassReverse / http://localhost:3100/
</VirtualHost>

# HTTP zu HTTPS Redirect
<VirtualHost *:80>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-redirect-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-redirect-access.log combined

    # Redirect zu HTTPS
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =harheimertc.tsschulz.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>