# DO NOT EDIT - This file is being maintained by Chef

<VirtualHost *:80>
  ServerName <%= @name %>
<% @aliases.each do |alias_name| -%>
  ServerAlias <%= alias_name %>
<% end -%>

  ServerAdmin webmaster@openstreetmap.org

  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
  ErrorLog /var/log/apache2/<%= @name %>-error.log

  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
  RedirectPermanent / https://<%= @name %>/
</VirtualHost>
<% unless @aliases.empty? -%>

<VirtualHost *:443>
  ServerName <%= @aliases.first %>
<% @aliases.drop(1).each do |alias_name| -%>
  ServerAlias <%= alias_name %>
<% end -%>

  ServerAdmin webmaster@openstreetmap.org

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key

  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
  ErrorLog /var/log/apache2/<%= @name %>-error.log

  RedirectPermanent / https://<%= @name %>/
</VirtualHost>
<% end -%>

<VirtualHost *:443>
  ServerName <%= @name %>

  ServerAdmin webmaster@openstreetmap.org

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key

  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
  ErrorLog /var/log/apache2/<%= @name %>-error.log

  DocumentRoot <%= @directory %>
<% @urls.each do |url,directory| -%>
  Alias <%= url %> <%= directory %>
  <Directory <%= directory %>>
    AllowOverride None
    Require all granted
    <FilesMatch ".+\.ph(ar|p|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>
<% end -%>

  <Directory <%= @directory %>>
    RewriteEngine on

    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    RewriteRule ^readme\.html$ [F,L]
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    Options -Indexes
    AllowOverride AuthConfig

    Require all granted

    # https://www.wp-pay.org/http-authorization-header-missing/
    CGIPassAuth on

    <FilesMatch ".+\.ph(ar|p|tml)$">
      SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
    </FilesMatch>
  </Directory>

  <Files <%= @directory %>/wp-config.php>
    Require all denied
  </Files>

  <Directory <%= @directory %>/uploads>
    AllowOverride None
    AddType text/plain .html .htm .shtml
    <FilesMatch ".+\.ph(ar|p|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <Directory ~ "\.svn">
    Require all denied
  </Directory>

  <Directory ~ "\.git">
    Require all denied
  </Directory>

  <Files ~ "(?<!robots|ads|security|humans)\.(txt|md)$">
    Require all denied
  </Files>

  <Files ~ "~$">
    Require all denied
  </Files>

  <Files "xmlrpc.php">
    Require all denied
  </Files>
</VirtualHost>