<IfModule !version_module>
    LoadModule version_module modules/mod_version.so
</IfModule>

{

use esmith::AccountsDB;
my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";

if ( $port ne ($modSSL{'TCPPort'} || '443')){
    $OUT .=<<"EOF";

    #====================================================================
    # HTTPS redirection for LemonLDAP::NG Portal
    #====================================================================

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]

EOF
    }
else{
    my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')));
    $soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n        ";
    my $soapPassword = $lemonldap{'SoapPassword'} || '';
    $soapAllow .=  ($soapPassword eq '') ? '' :
        'AuthName "LemonLDAP SOAP interface"' . "\n        " .
        'AuthType Basic' . "\n        " .
        'AuthBasicProvider file' . "\n        " .
        'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n        " .
        'Require valid-user' . "\n        " .
        'Satisfy all';

    $OUT .=<<"EOF";

    SSLEngine On

    #====================================================================
    # Apache configuration for LemonLDAP::NG Portal
    #====================================================================

    # DocumentRoot
    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/ 

    <Perl>
        require Lemonldap::NG::Portal::SharedConf;
        Lemonldap::NG::Portal::SharedConf->compile(
            qw(delete header cache read_from_client cookie redirect unescapeHTML));
        # Uncomment this line if you use portal SOAP capabilities
        require SOAP::Lite;
    </Perl>

    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
        Require all granted
        Options +ExecCGI +FollowSymlinks
    </Directory>

    # rewrite for refresh and few other actions
    <IfModule mod_rewrite.c>
        #RewriteEngine On
        #RewriteCond %{REQUEST_FILENAME} !-f
        #RewriteCond %{REQUEST_FILENAME} !-d
        #RewriteRule ^/(.*)\$ /index.fcgi/\$1 [PT,L]
    </IfModule>

   <IfModule mod_rewrite.c>
        RewriteEngine On
        # For performances, you can put static html files: simply put the HTML
        # result (example: /oauth2/checksession.html) as static file. Then
        # uncomment the following line.
        # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?\$"
        RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)\$"
        RewriteRule "^/(.+)\$" "/index.fcgi/\$1" [PT]
    </IfModule>

    # Note that Content-Security-Policy header is generated by portal itself
    <Files *.fcgi>
        SetHandler fcgid-script

        # Authorization header needs to be passed when using Kerberos or OIDC
        <IfVersion >= 2.4.13>
            CGIPassAuth On
        </IfVersion>
        <IfVersion < 2.4.13>
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        </IfVersion>

        Options +ExecCGI
        header unset Lm-Remote-User
    </Files>

    <IfModule mod_dir.c>
        DirectoryIndex index.fcgi index.html
    </IfModule>

    # SOAP functions for sessions management (disabled by default)
    <Location /index.fcgi/adminSessions>
        Require all denied
        $soapAllow
    </Location>

    # SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        Require all denied
        $soapAllow
    </Location>

    # SOAP functions for configuration access (disabled by default)
    <Location /index.fcgi/config>
        Require all denied
        $soapAllow
    </Location>

    # SOAP functions for notification insertion (disabled by default)
    <Location /index.fcgi/notification>
        Require all denied
        $soapAllow
    </Location>

    <Location />
        <IfModule mod_deflate.c>
                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
                SetOutputFilter DEFLATE
                BrowserMatch ^Mozilla/4 gzip-only-text/html
                BrowserMatch ^Mozilla/4\.0[678] no-gzip
                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
        </IfModule>
        <IfModule mod_headers.c>
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>
    <Location /skins/>
        <IfModule mod_expires.c>
                ExpiresActive On
                ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>

EOF
    }
}


