# Apache configuration file for Zope
# Automatically generated

# Basic server configuration
PidFile "{{ pid_file }}"
ServerName {{ domain }}
DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}

{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
{%   for port in (http_port, https_port) -%}
{{ "Listen %s:%s" % (ip, port)  }}
{%   endfor -%}
{% endfor -%}

ServerAdmin {{ server_admin }}
DefaultType text/plain
TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER

ServerTokens Prod

# Log configuration
ErrorLog "{{ error_log }}"
LogLevel info
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
# CustomLog "{{ access_log }}" common
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ access_log }}" combined

<Directory {{ protected_path }}>
  Order Deny,Allow
  Allow from {{ access_control_string }}
</Directory>

<Directory {{ document_root }}>
  Order Allow,Deny
  Allow from All
</Directory>

# List of modules
#LoadModule unixd_module modules/mod_unixd.so
#LoadModule access_compat_module modules/mod_access_compat.so
#LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module  {{ httpd_home }}/modules/mod_authz_host.so
LoadModule log_config_module  {{ httpd_home }}/modules/mod_log_config.so
LoadModule deflate_module     {{ httpd_home }}/modules/mod_deflate.so
LoadModule setenvif_module    {{ httpd_home }}/modules/mod_setenvif.so
LoadModule version_module     {{ httpd_home }}/modules/mod_version.so
LoadModule proxy_module       {{ httpd_home }}/modules/mod_proxy.so
LoadModule proxy_http_module  {{ httpd_home }}/modules/mod_proxy_http.so
LoadModule ssl_module         {{ httpd_home }}/modules/mod_ssl.so
LoadModule mime_module        {{ httpd_home }}/modules/mod_mime.so
LoadModule dav_module         {{ httpd_home }}/modules/mod_dav.so
LoadModule dav_fs_module      {{ httpd_home }}/modules/mod_dav_fs.so
LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
LoadModule rewrite_module     {{ httpd_home }}/modules/mod_rewrite.so
LoadModule headers_module     {{ httpd_home }}/modules/mod_headers.so
LoadModule cache_module       {{ httpd_home }}/modules/mod_cache.so
LoadModule mem_cache_module   {{ httpd_home }}/modules/mod_mem_cache.so
LoadModule antiloris_module   {{ httpd_home }}/modules/mod_antiloris.so
LoadModule alias_module       {{ httpd_home }}/modules/mod_alias.so
LoadModule autoindex_module   {{ httpd_home }}/modules/mod_autoindex.so
LoadModule auth_basic_module  {{ httpd_home }}/modules/mod_auth_basic.so
LoadModule authz_user_module  {{ httpd_home }}/modules/mod_authz_user.so
LoadModule authn_file_module  {{ httpd_home }}/modules/mod_authn_file.so

# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

# Increase IPReadLimit to 10
<IfModule antiloris_module>
   # IPReadLimit - Maximum simultaneous connections in READ state per IP address 
   IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
</IfModule>

# Cache directives
CacheEnable mem /
CacheDefaultExpire 3600
MCacheSize 8192
MCacheMaxObjectCount 1000
MCacheMaxObjectSize 8192
MCacheRemovalAlgorithm LRU

# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# SSL Configuration
SSLCertificateFile {{ login_certificate }}
SSLCertificateKeyFile {{ login_key }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
<FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
</FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

include {{frontend_configuration.get('log-access-configuration')}}

NameVirtualHost *:{{ http_port }}
NameVirtualHost *:{{ https_port }}
include {{ slave_configuration_directory }}/*.conf