# Harheimer TC Website - HTTPS VirtualHost
# Speichern unter: /etc/apache2/sites-available/harheimertc.tsschulz.de-ssl.conf

<VirtualHost *:443>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-ssl-access.log combined

    # SSL-Konfiguration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/harheimertc.tsschulz.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/harheimertc.tsschulz.de/privkey.pem

    # Moderne SSL-Konfiguration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Proxy alle Anfragen an Nuxt Server (Port 3100)
    ProxyPreserveHost On
    ProxyPass / http://localhost:3100/
    ProxyPassReverse / http://localhost:3100/
</VirtualHost>

# HTTP zu HTTPS Redirect
<VirtualHost *:80>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-redirect-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-redirect-access.log combined

    # Redirect zu HTTPS
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =harheimertc.tsschulz.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>