<IfModule !version_module>
    LoadModule version_module modules/mod_version.so
</IfModule>
{

use esmith::AccountsDB;
my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";

if ( $port ne ($modSSL{'TCPPort'} || '443')){
    $OUT .=<<"EOF";

    #====================================================================
    # HTTPS redirection for LemonLDAP::NG Portal
    #====================================================================

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]

EOF
    }
else{

    # SSL Authentication
    my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled';
    my $sslDirectives = '    # SSL Auth is disabled';
    my $sogoWorkArround = '';
    if ((-e '/etc/pki/tls/certs/cacert.pem') &&
        ($SSLAuth =~ m/^(require)|(optional)$/)) {
        $sslDirectives =<<"HERE";
    <LocationMatch "^/(\$|\\?url=.*|cas/login.*)">
        SSLVerifyClient $SSLAuth
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
        SSLUserName SSL_CLIENT_S_DN_CN
    </LocationMatch>
HERE
    }
    if (-e '/usr/lib/perl5/site_perl/Apache/FilterChangeLength.pm' ||
        -e '/usr/share/perl5/vendor_perl/Apache/FilterChangeLength.pm'){
        # Looks like iPasserelle groupware is installed
        # SOPE doesn't supports chunked encoding
        # the following makes it happy
        # see http://sogo.nu/bugs/view.php?id=2408
        $sogoWorkArround =<<"HERE";
    <Location /cas>
        BrowserMatch "SOPE/" downgrade-1.0
        PerlOutputFilterHandler Apache::FilterChangeLength
        Header set Access-Control-Allow-Origin '*'
    </Location>
HERE
    }
 
    $OUT .=<<"EOF";

    SSLEngine On

    #====================================================================
    # Apache configuration for LemonLDAP::NG Portal
    #====================================================================

    # DocumentRoot
    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/

    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
        Require all granted
        AllowOverride All
        Options +ExecCGI +FollowSymLinks
    </Directory>
$sslDirectives
$sogoWorkArround

    # rewrite for refresh and few other actions
    <IfModule mod_rewrite.c>
        #RewriteEngine On
        #RewriteCond %{REQUEST_FILENAME} !-f
        #RewriteCond %{REQUEST_FILENAME} !-d
        #RewriteRule ^/(.*)\$ /index.fcgi/\$1 [PT,L]
    </IfModule>
 
   <IfModule mod_rewrite.c>
        RewriteEngine On
				# For performances, you can put static html files: simply put the HTML
				# result (example: /oauth2/checksession.html) as static file. Then
				# uncomment the following line.
				# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?\$"
				RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)\$"
				RewriteRule "^/(.+)\$" "/index.fcgi/\$1" [PT]
    </IfModule>

    # Note that Content-Security-Policy header is generated by portal itself
    <Files *.fcgi>
        SetHandler fcgid-script

        # Authorization header needs to be passed when using Kerberos or OIDC
        <IfVersion >= 2.4.13>
            CGIPassAuth On
        </IfVersion>
        <IfVersion < 2.4.13>
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        </IfVersion>

        Options +ExecCGI
        header unset Lm-Remote-User
    </Files>

    # Static files
    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
        Require all granted
        Options +FollowSymLinks
    </Directory>
    <Location /static/>
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>

    <IfModule mod_dir.c>
        DirectoryIndex index.fcgi index.html
    </IfModule>

    # REST/SOAP functions for sessions management (disabled by default)
    <Location /index.fcgi/adminSessions>
        Require all denied
    </Location>

    # REST/SOAP functions for proxy auth and password reset (disabled by default)
    <Location /index.fcgi/proxy>
        Require all denied
    </Location>

    # REST/SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        Require all denied
    </Location>

    # REST/SOAP functions for configuration access (disabled by default)
    <Location /index.fcgi/config>
        Require all denied
    </Location>

    # REST/SOAP functions for notification insertion (disabled by default)
    <Location /index.fcgi/notification>
        Require all denied
    </Location>

#begin old code 
    # SAML2 Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/saml/metadata /index.fcgi
        RewriteRule ^/saml/.* /index.fcgi
    </IfModule>

    # CAS Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/cas/.* /index.fcgi
    </IfModule>

    # OpenID Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/openidserver/.* /index.fcgi
    </IfModule>
#end old code

    # Enable compression
    <Location />
        <IfModule mod_deflate.c>
                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
                SetOutputFilter DEFLATE
                BrowserMatch ^Mozilla/4 gzip-only-text/html
                BrowserMatch ^Mozilla/4\.0[678] no-gzip
                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
        </IfModule>
        <IfModule mod_headers.c>
                Header append Vary User-Agent env=!dont-vary
        </IfModule>
    </Location>
    <Location /skins/>
        <IfModule mod_expires.c>
                ExpiresActive On
                ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>

EOF
    }
}


