###
### Apache configuration file for Signal-Server
### 

### VirtualHost for the main service:

<VirtualHost *:443>
	ServerName cable-service.cable.im
	SSLEngine On

	# Per il servizio Signal vero e proprio usiamo invece il certificato self-signed.
	# Nel keystore del'app Android è il root certificate della nostra CA, assicurando
	# così che l'app riconosca come validi solo i certificati emessi dalla nostra CA.

	SSLCertificateFile /home/cable/certificati/whisper.crt
	SSLCertificateKeyFile /home/cable/certificati/whisper.key
	Include /etc/letsencrypt/options-ssl-apache.conf
	#SSLCACertificateFile /home/cable/certificati/rootCA.crt

	# Doesn't make sense for self-signed certificates:
	SSLUseStapling Off

	# Per proxare websocket (ws://) serve questa roba:
	# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
	#
	# Con ProxyPass non sono riuscito a fare il proxy http+websocket.
	# Ho provato con solo "ProxyPass ws://127.0.0.1:4242/" e anche
	# mettendo un ProxyPass per http:// e uno per ws://, non va.
	# Alla fine ho trovato la soluzione usando mod_rewrite leggendo
	# di gente che ha avuto lo stesso problema (con altri software):
	#
	# https://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel
	#
	# Forse non ottimale, ma comunque in produzione lo farei con nginx...

	RewriteEngine On
	RewriteCond %{HTTP:Upgrade} =websocket [NC]
	RewriteRule /(.*)           ws://127.0.0.1:4242/$1 [P,L]
	RewriteCond %{HTTP:Upgrade} !=websocket [NC]
	RewriteRule /(.*)           http://127.0.0.1:4242/$1 [P,L]

	ProxyPassReverse / http://127.0.0.1:4242/

	CustomLog "/var/log/httpd/cable/cable-service.cable.im.access.log" combined
	ErrorLog "/var/log/httpd/cable/cable-service.cable.im.error.log"
	LogLevel warn

	# Production:
	#CustomLog "/dev/null"
	#ErrorLog "/dev/null"
</VirtualHost>


### VirtualHost for letting Twilio call back:

<VirtualHost *:443>
	ServerName cable-service-ca.cable.im
	SSLEngine On

	# Su cable-service-ca.cable.im serve un certificato valido (letsencrypt).
	# È l'hostname a cui si connette Twilio per ottenere le informazioni
	# necessarie a fare la verifica del numero tramite chiamata vocale.

	SSLCertificateFile /etc/letsencrypt/live/cable-service-ca.cable.im/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/cable-service-ca.cable.im/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateChainFile /etc/letsencrypt/live/cable-service-ca.cable.im/chain.pem

	ProxyVia On
	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1:4242/
	ProxyPassReverse / http://127.0.0.1:4242/

	CustomLog "/var/log/httpd/cable/cable-service-ca.cable.im.access.log" combined
	ErrorLog "/var/log/httpd/cable/cable-service-ca.cable.im.error.log"
	LogLevel warn

	# Production:
	#CustomLog "/dev/null"
	#ErrorLog "/dev/null"
</VirtualHost>


### Giphy proxy:

<VirtualHost *:80>
	ServerName giphy.com
	ServerAlias *.giphy.com
	ProxyRequests On

	# The AllowConnect directive specifies a list of ports
	# to which the proxy CONNECT method may connect.
	AllowConnect 443

	# Only allow HTTP CONNECT requests, denying the others (GET, POST, ...).
	<Location />
		Require method CONNECT
	</Location>

	# This <Proxy *> block is not really needed, but let's leave it.
	<Proxy *>
		# New syntax, see https://httpd.apache.org/docs/2.4/upgrading.html
		# Can't be mixed with the old "Order" and "Allow" stuff, so we stay
		# with the old syntax for now...
		#Require all denied

		Order deny,allow
		Deny from all
	</Proxy>

	<Proxy "*.giphy.com:443">
		#Require all granted

		Order allow,deny
		Allow from all
	</Proxy>

	CustomLog "/var/log/httpd/cable/giphy-proxy.cable.im.access.log" combined
	ErrorLog "/var/log/httpd/cable/giphy-proxy.cable.im.error.log"
	LogLevel warn

	# Production:
	#CustomLog "/dev/null"
	#ErrorLog "/dev/null"
</VirtualHost>


### Adminer (adminer.org):

<VirtualHost *:443>
	ServerName db.cable.im
	SSLEngine On

	SSLCertificateFile /etc/letsencrypt/live/db.cable.im/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/db.cable.im/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateChainFile /etc/letsencrypt/live/db.cable.im/chain.pem

	DocumentRoot "/var/www/adminer/"

	<Directory /var/www/adminer/>
		AuthType Basic
		AuthUserFile "/var/www/adminer/.htpasswd"
		AuthName "Adminer"
		Require valid-user
	</Directory>

	<Files ".*">
		#Require all denied
		Order deny,allow
		Deny from all
	</Files>

	CustomLog "/var/log/httpd/cable/db.cable.im.access.log" combined
	ErrorLog "/var/log/httpd/cable/db.cable.im.error.log"
	LogLevel warn
</VirtualHost>


### Minio

<VirtualHost *:443>
	ServerName s3.cable.im
	SSLEngine On

	SSLCertificateFile /etc/letsencrypt/live/s3.cable.im/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/s3.cable.im/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateChainFile /etc/letsencrypt/live/s3.cable.im/chain.pem

	ProxyVia On
	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1:9000/
	ProxyPassReverse / http://127.0.0.1:9000/

	CustomLog "/var/log/httpd/cable/s3.cable.im.access.log" combined
	ErrorLog "/var/log/httpd/cable/s3.cable.im.error.log"
	LogLevel warn

	# Production:
	#CustomLog "/dev/null"
	#ErrorLog "/dev/null"
</VirtualHost>