harheimertc/apache-static.conf

# Harheimer TC Website - Statische Website (HTTPS)
# Speichern unter: /etc/apache2/sites-available/harheimertc.tsschulz.de-static.conf

<VirtualHost *:443>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    DocumentRoot /var/www/harheimertc/dist

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-static-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-static-access.log combined

    # SSL-Konfiguration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/harheimertc.tsschulz.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/harheimertc.tsschulz.de/privkey.pem

    # Moderne SSL-Konfiguration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    # Security Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen (modernere Lösung)
    # Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    
    # Frame-Ancestors: Erlaubt Einbettung von harheimertc.de und www.harheimertc.de
    Header always set Content-Security-Policy "frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de"

    # Optional: Vollständige Content Security Policy (zusätzlich zu frame-ancestors)
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; img-src 'self' data: blob:; connect-src 'self'"

    # SPA Fallback für Nuxt.js
    <Directory "/var/www/harheimertc/dist">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        
        # Fallback für Client-Side Routing
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.html$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.html [L]
    </Directory>
</VirtualHost>

# HTTP zu HTTPS Redirect
<VirtualHost *:80>
    ServerName harheimertc.tsschulz.de
    ServerAdmin admin@tsschulz.de

    ErrorLog ${APACHE_LOG_DIR}/harheimertc-redirect-error.log
    CustomLog ${APACHE_LOG_DIR}/harheimertc-redirect-access.log combined

    # Redirect zu HTTPS
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =harheimertc.tsschulz.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>