ServerRoot "/usr/local/apache2"

Listen 80

LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule status_module modules/mod_status.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

LoadModule session_module modules/mod_session.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule request_module modules/mod_request.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule dbd_module modules/mod_dbd.so

LoadModule macro_module modules/mod_macro.so
LoadModule rewrite_module modules/mod_rewrite.so

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon
</IfModule>

ServerAdmin you@example.com

ServerName feedati-fe:80

DBDriver pgsql
DBDParams "host=db dbname=feeds user=apache password=apachepass"

<Macro Auth>
    AuthFormLoginRequiredLocation "/login/"
# authn
    AuthFormProvider dbd
    AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"
# form
    AuthType form
    AuthName "authenticationform"
# mod_session
    Session On
    SessionCookieName session path=/;httponly
    SessionCryptoPassphrase changeme!really!
</Macro>

<Location "/login/do">
SetHandler form-login-handler
Use Auth
AuthFormLoginSuccessLocation "/panel/"
</Location>
<Location "/logout">
    SetHandler form-logout-handler
    AuthFormLogoutLocation "/login/logout.html"
    Session on
</Location>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www"
<Directory "/var/www">
    Options None
    AllowOverride None
    Use Auth
    Require all granted
</Directory>

<Files ".ht*">
    Require all denied
</Files>

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /proc/self/fd/2

# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog /proc/self/fd/1 common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "logs/access_log" combined
</IfModule>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includesC (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

Redirect permanent "/tt-rss" "/tt-rss/"

Header always set Referrer-Policy "same-origin"
Header always setifempty Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Header always setifempty X-XSS-Protection "1; mode=block"
Header always setifempty X-Frame-Options "deny"

ProxyPreserveHost On
<Location /tt-rss/>
ProxyPass http://tt-rss/tt-rss/
ProxyPassReverse http://tt-rss/tt-rss/
Use Auth
Require valid-user
RewriteEngine on
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-Forwarded-User %{RU}e
</Location>

Redirect permanent "/rss-bridge" "/rss-bridge/"

<Location /rss-bridge/>
ProxyPass http://rss-bridge/
ProxyPassReverse http://rss-bridge/
Require all granted
</Location>

<Location /panel/>
ProxyPass http://panel:8000/
ProxyPassReverse http://panel:8000/
Use Auth
Require valid-user
RewriteEngine on
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-Forwarded-User %{RU}e
</Location>

# vim: set ft=apache bkc=yes: