# Apache2 SSL configuration for a virtualhost proxied to a Docker service.
# Uses https://github.com/acmesh-official/acme.sh to manage SSL certificates.

<IfModule mod_ssl.c>
    <VirtualHost *:443 >
	ServerAdmin     webmaster@$PAR_SERVERNAME
	ServerName      $PAR_SERVERNAME
#   	ServerAlias     $PAR_SERVERNAMES
	DocumentRoot	/var/www/html

	# Common log settings.
	ErrorLog            $PAR_SERVICE/logs/web/error.log
	CustomLog           $PAR_SERVICE/logs/web/access.log combined

	# Custom error messages.
	<IfModule mod_macro.c>
	    <Macro try_other $response>
		ErrorDocument $response "<span style='font-size: x-large'>Sorry try <a href='http://$PAR_SERVERNAME/$PAR_LOCATION'>http://$PAR_SERVERNAME/$PAR_LOCATION</a> instead.</span>"
	    </Macro>
	    <Macro try_later $response>
		ErrorDocument $response "<span style='font-size: x-large'>Sorry something went wrong. Try again a bit later.<br>\
        	                         You may report this at <a href='mailto:webmaster@$PAR_SERVERNAME'>webmaster@$PAR_SERVERNAME</a>.</span>"
	    </Macro>
        </IfModule>

	# No static service.
	# Sequence matters: http://httpd.apache.org/docs/2.4/sections.html#file-and-web
#	<Location />
#	    Require all denied
#	    # Custom error message.
#	    <IfModule mod_macro.c>
#    		Use try_other 403
#    		Use try_other 404
#	    </IfModule>
#	</Location>

	# Let's Encrypt (acme.sh) support.
	<Location /.well-known/>
	    <IfModule mod_proxy.c>
        	Require all granted
        	ProxyPreserveHost On
    		ProxyPass http://$PAR_ACMEHOST:$PAR_ACMEPORT/
		ProxyPassReverse http://$PAR_ACMEHOST:$PAR_ACMEPORT/
		# Custom error message.
		<IfModule mod_macro.c>
        	    Use try_later 500
        	    Use try_later 502
        	    Use try_later 503
        	    Use try_later 504
		</IfModule>
	    </IfModule>
	    <IfModule !mod_proxy.c>
		# Custom error message.
		<IfModule mod_macro.c>
        	    Use try_other 403
        	    Use try_other 404
		</IfModule>
	    </IfModule>
	</Location>

        <Location /$PAR_LOCATION>
	    <IfModule mod_proxy.c>
        	Require all granted
        	ProxyPreserveHost On
    		ProxyPass http://$PAR_PROXYHOST:$PAR_PROXYPORT/$PAR_LOCATION
		ProxyPassReverse http://$PAR_PROXYHOST:$PAR_PROXYPORT/$PAR_LOCATION
		# Custom error message.
		<IfModule mod_macro.c>
        	    Use try_later 500
        	    Use try_later 502
        	    Use try_later 503
        	    Use try_later 504
		</IfModule>
	    </IfModule>
	    <IfModule !mod_proxy.c>
		# Custom error message.
		<IfModule mod_macro.c>
        	    Use try_later 403
        	    Use try_later 404
		</IfModule>
	    </IfModule>
	</Location>

	##################################################################################
	# The SSL part
	# https://ssl-config.mozilla.org/

	SSLEngine on
	SSLCertificateFile	$PAR_SERVICE/configs/acme/$PAR_SERVERNAME/fullchain.cer
	SSLCertificateKeyFile   $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/$PAR_SERVERNAME.key

	# Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
	SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
	SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	SSLHonorCipherOrder     off
	SSLSessionTickets       off

	# HTTP/2, if available.
	<IfModule mod_http2.c>
	    Protocols h2 http/1.1
	</IfModule>

	# HTTP Strict Transport Security and XSS protection.
        <IfModule mod_headers.c>
	    Header always set Strict-Transport-Security "max-age=63072000"
	    Header set X-Frame-Options SAMEORIGIN
	    Header set X-Content-Type-Options nosniff
	</IfModule>

    </Virtualhost>
</IfModule>