# Apache configuration file for Zope
# Automatically generated

# Basic server configuration
PidFile "{{ pid_file }}"
ServerName {{ domain }}
DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}

{{ "Listen %s:%s" % (ipv4_addr, cached_port)  }}
{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port)  }}
{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
{%   for port in (http_port, https_port) -%}
{{ "Listen %s:%s" % (ip, port)  }}
{%   endfor -%}
{% endfor -%}

ServerAdmin {{ server_admin }}
TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER

ServerTokens Prod

# Disable TRACE Method
TraceEnable off

# Log configuration
ErrorLog "{{ error_log }}"
LogLevel notice
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
# CustomLog "{{ access_log }}" common
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ access_log }}" combined

<Directory {{ protected_path }}>
  Order Deny,Allow
  Allow from {{ access_control_string }}
</Directory>

<Directory {{ document_root }}>
  Require all granted
  Options -Indexes
  ErrorDocument 404 /notfound.html
  RewriteEngine on
  RewriteRule ^/?$ notfound.html [R=404,L]
</Directory>

# List of modules
LoadModule unixd_module        {{ httpd_home }}/modules/mod_unixd.so
LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so
LoadModule authz_core_module  {{ httpd_home }}/modules/mod_authz_core.so
LoadModule authz_host_module  {{ httpd_home }}/modules/mod_authz_host.so
LoadModule authn_core_module  {{ httpd_home }}/modules/mod_authn_core.so
LoadModule log_config_module  {{ httpd_home }}/modules/mod_log_config.so
LoadModule deflate_module     {{ httpd_home }}/modules/mod_deflate.so
LoadModule setenvif_module    {{ httpd_home }}/modules/mod_setenvif.so
LoadModule version_module     {{ httpd_home }}/modules/mod_version.so
LoadModule proxy_module       {{ httpd_home }}/modules/mod_proxy.so
LoadModule proxy_http_module  {{ httpd_home }}/modules/mod_proxy_http.so
LoadModule ssl_module         {{ httpd_home }}/modules/mod_ssl.so
LoadModule mime_module        {{ httpd_home }}/modules/mod_mime.so
LoadModule dav_module         {{ httpd_home }}/modules/mod_dav.so
LoadModule dav_fs_module      {{ httpd_home }}/modules/mod_dav_fs.so
LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
LoadModule rewrite_module     {{ httpd_home }}/modules/mod_rewrite.so
LoadModule headers_module     {{ httpd_home }}/modules/mod_headers.so
LoadModule cache_module       {{ httpd_home }}/modules/mod_cache.so
LoadModule cache_socache_module   {{ httpd_home }}/modules/mod_cache_socache.so
LoadModule socache_shmcb_module   {{ httpd_home }}/modules/mod_socache_shmcb.so
LoadModule antiloris_module   {{ httpd_home }}/modules/mod_antiloris.so
LoadModule alias_module       {{ httpd_home }}/modules/mod_alias.so
LoadModule autoindex_module   {{ httpd_home }}/modules/mod_autoindex.so
LoadModule auth_basic_module  {{ httpd_home }}/modules/mod_auth_basic.so
LoadModule authz_user_module  {{ httpd_home }}/modules/mod_authz_user.so
LoadModule authn_file_module  {{ httpd_home }}/modules/mod_authn_file.so
LoadModule filter_module       {{ httpd_home }}/modules/mod_filter.so
LoadModule http2_module       {{ httpd_home }}/modules/mod_http2.so
LoadModule info_module        {{ httpd_home }}/modules/mod_info.so
LoadModule status_module      {{ httpd_home }}/modules/mod_status.so
LoadModule reqtimeout_module  {{ httpd_home }}/modules/mod_reqtimeout.so

# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully


{% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %}
Protocols h2 http/1.1
{% endif %}

# Increase IPReadLimit to 10
<IfModule antiloris_module>
   # IPReadLimit - Maximum simultaneous connections in READ state per IP address 
   IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
</IfModule>

ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from All

    AuthType basic
    AuthName "Apache Server Status"
    AuthBasicProvider file
    AuthUserFile {{ instance_home }}/etc/monitor-htpasswd
    Require valid-user
</Location>

ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }}
MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }}
StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }}
ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }}
#MaxRequestsPerChild 0 // Default value is 0
GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }}

# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# SSL Configuration
SSLCertificateFile {{ login_certificate }}
SSLCertificateKeyFile {{ login_key }}
{% if slapparameter_dict.get('apache-ca-certificate') %}
SSLCACertificateFile {{ login_ca_crt }}
{% endif %}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
</FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

include {{frontend_configuration.get('log-access-configuration')}}
include {{ slave_configuration_directory }}/*.conf
include {{ slave_with_cache_configuration_directory }}/*.conf

ErrorDocument 404 /notfound.html
RewriteRule (.*) /notfound.html [R=404,L]