# Following variables MUST be modified according to your setup
Define funkwhale-sn funkwhale.local

# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000

Define FUNKWHALE_FRONTEND_PATH /usr/share/webapps/funkwhale/front/dist
Define FUNKWHALE_DATA_PATH /srv/funkwhale/data
Define APACHE_LOG_DIR /var/log/httpd

<IfModule mod_alias.c>
    Alias /funkwhale ${FUNKWHALE_FRONTEND_PATH}
</IfModule>


# HTTP requests redirected to HTTPS
<VirtualHost *:80>
   ServerName ${funkwhale-sn}

   # Default is to force https
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =${funkwhale-sn}
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

   <Location "/.well-known/acme-challenge/">
      Options None
      Require all granted
   </Location>
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>
#   Protocols h2 http/1.1
   ServerName ${funkwhale-sn}

   # Path to ErrorLog and access log
   ErrorLog ${APACHE_LOG_DIR}/funkwhale/error.log
   CustomLog ${APACHE_LOG_DIR}/funkwhale/access.log combined

   # TLS
   # Feel free to use your own configuration for SSL here or simply remove the
   # lines and move the configuration to the previous server block if you
   # don't want to run funkwhale behind https (this is not recommended)
   # have a look here for let's encrypt configuration:
   # https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
   SSLEngine on
   SSLProxyEngine On
   SSLCertificateFile "/etc/webapps/funkwhale/config/funkwhale-server.crt"
   SSLCertificateKeyFile "/etc/webapps/funkwhale/config/funkwhale-server.key"
#   SSLCertificateFile /etc/letsencrypt/live/${funkwhale-sn}/fullchain.pem
#   SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
#   Include /etc/letsencrypt/options-ssl-apache.conf

   # Tell the api that the client is using https
   RequestHeader set X-Forwarded-Proto "https"
   
   # Additional security headers 
#   Header set Referrer-Policy "strict-origin-when-cross-origin"
#   Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"

   # Configure Proxy settings
   # ProxyPreserveHost pass the original Host header to the backend server
   ProxyVia On
   ProxyPreserveHost On
   <IfModule mod_remoteip.c>
      RemoteIPHeader X-Forwarded-For
   </IfModule>

   # Turning ProxyRequests on and allowing proxying from all may allow
   # spammers to use your proxy to send email.
   ProxyRequests Off

   <Proxy *>
      AddDefaultCharset off
      Order Allow,Deny
      Allow from all
   </Proxy>

   <Location "/">
      # similar to nginx 'client_max_body_size 100M;'
      LimitRequestBody 104857600

#      Header set X-Frame-Options "sameorigin"
#      Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
#      Header set Referrer-Policy "strict-origin-when-cross-origin"
      ProxyPass ${funkwhale-api}/
      ProxyPassReverse ${funkwhale-api}/
   </Location>

   <Location "/federation">
      ProxyPass ${funkwhale-api}/federation
      ProxyPassReverse ${funkwhale-api}/federation
   </Location>

   # You can comment this if you don't plan to use the Subsonic API
   <Location "/rest">
      ProxyPass ${funkwhale-api}/api/subsonic/rest
      ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
   </Location>

   <Location "/.well-known/">
      ProxyPass ${funkwhale-api}/.well-known/
      ProxyPassReverse ${funkwhale-api}/.well-known/
   </Location>

#   <Location "/front/embed.html">
#      Header set X-Frame-Options "allow-from ${funkwhale-sn}"
#   </Location>
#   Alias /front/embed.html ${FUNKWHALE_FRONTEND_PATH}/embed.html

   <Location "/front">
      ProxyPass  "!"
   </Location>
   Alias /front ${FUNKWHALE_FRONTEND_PATH}

   <Location "/media">
      ProxyPass  "!"
   </Location>
   Alias /media ${FUNKWHALE_DATA_PATH}/media

   <Location "/staticfiles">
      ProxyPass  "!"
   </Location>
   Alias /staticfiles ${FUNKWHALE_DATA_PATH}/static

   # Activating WebSockets
   <Location "/api/v1/activity">
	   ProxyPass ${funkwhale-api-ws}/api/v1/activity
   </Location>

   # Setting appropriate access levels to serve frontend
   <Directory ${FUNKWHALE_DATA_PATH}/static>
      Options FollowSymLinks
      AllowOverride None
      Require all granted
   </Directory>

   <Directory ${FUNKWHALE_FRONTEND_PATH}>
      Options FollowSymLinks
      AllowOverride None
      Require all granted
   </Directory>

   <Directory ${FUNKWHALE_DATA_PATH}/media>
      Options FollowSymLinks
      AllowOverride None
      Require all granted
   </Directory>

   # XSendFile is serving audio files
   # WARNING : permissions on paths specified below overrides previous definition,
   # everything under those paths is potentially exposed.
   # Following directive may be needed to ensure xsendfile is loaded
   LoadModule xsendfile_module modules/mod_xsendfile.so
   <IfModule mod_xsendfile.c>
      XSendFile On
      XSendFilePath ${FUNKWHALE_DATA_PATH}/media
      XSendFilePath ${FUNKWHALE_DATA_PATH}/music
      SetEnv MOD_X_SENDFILE_ENABLED 1
   </IfModule>
</VirtualHost>
</IfModule>