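# WARNING: uses Apache 2.4 syntax (instead of deprecated Order and Allow directives)

# NOTE(review): this copy of the template had lost its line breaks and every
# <...> section container, so it could not be parsed as written. The containers
# below (<VirtualHost>, <Directory>, <FilesMatch>, <IfFile>) and their
# arguments are reconstructed from the surrounding comments and paths; confirm
# each one against the original template before deploying.

# -- Non-secure redirects --
# NOTE(review): "*:80" is assumed from the "Non-secure" heading -- confirm.
<VirtualHost *:80>
	ServerName {{domain}}
	## ServerAlias ...
	ServerAdmin webmaster@localhost

	# Redirect to secure vhost (Match all paths except for ones that should stay as HTTP)
	# While this stays commented out, the whole docroot is served over plain
	# HTTP by the <Directory> block below; enable it once the certificate exists.
	# The lookahead is a prefix match, so every path starting with
	# "/.well-known" stays on HTTP; "(?!\.well-known/acme-challenge/)" would
	# limit the exemption to ACME HTTP-01 challenge responses.
	## RedirectMatch permanent ^/(?!\.well-known)(.*) https://www.{{domain}}/$1

	## # -- FCGID and PHP user segregation --
	## SuexecUserGroup {{sitename}} {{site}}
	## FcgidWrapper /srv/web/{{sitename}}/libexec/php.fcgi

	# -- Access --
	# (Needed for Let's Encrypt)
	DocumentRoot /srv/web/{{sitename}}/docroot
	<Directory /srv/web/{{sitename}}/docroot>
		Require all granted
		# FollowSymLinks serves whatever a symlink inside the docroot points
		# to, as far as the Apache user can read it. Where site owners are
		# separate accounts, SymLinksIfOwnerMatch narrows that; Apache
		# documents its check as subject to races, so file permissions remain
		# the real control.
		Options FollowSymLinks
		## ... ExecCGI
		## ... MultiViews Indexes
		# .htaccess files may use only the directives listed here.
		# php_value/php_flag let anyone with write access to the docroot
		# change per-directory PHP settings; drop them from the list if the
		# application does not need them.
		AllowOverride None
		AllowOverrideList RewriteEngine RewriteOptions RewriteBase RewriteCond RewriteRule \
			php_value php_flag
	</Directory>

	#
	# The following lines prevent files with an extension of .inc from being
	# viewed by Web clients.
	#
	# NOTE(review): the match pattern was lost; "\.inc$" is assumed -- confirm.
	<FilesMatch "\.inc$">
		Require all denied
	</FilesMatch>

	# -- Logging --
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	## LogLevel warn
	LogLevel notice

	# If using custom logs for this site, don't forget to create
	# /var/log/apache2/{{sitename}}/ and set up log rotation
	## ErrorLog ${APACHE_LOG_DIR}/{{sitename}}/error.log
	## CustomLog ${APACHE_LOG_DIR}/{{sitename}}/access.log combined
</VirtualHost>

# Requires Apache v2.4.34+ (e.g. Ubuntu 20.04 LTS "focal")
# https://httpd.apache.org/docs/2.4/mod/core.html#iffile
# NOTE(review): the <IfFile> argument was lost; the private-key path used by
# the secure vhost is assumed here, presumably so that Apache can start (and
# answer HTTP-01 challenges on port 80) before the certificate exists --
# confirm the path and the extent of the block.
<IfFile /etc/letsencrypt/live/www.{{domain}}/privkey.pem>

# Insert secure redirect VirtualHost block for {{domain}} -> www.{{domain}} here

# == Secure ==
# NOTE(review): "*:443" is assumed from the "Secure" heading -- confirm.
<VirtualHost *:443>
	ServerName www.{{domain}}
	ServerAdmin webmaster@localhost

	## # -- FCGID and PHP user segregation --
	## SuexecUserGroup {{sitename}} {{site}}
	## FcgidWrapper /srv/web/{{sitename}}/libexec/php.fcgi

	# -- Access --
	DocumentRoot /srv/web/{{sitename}}/docroot
	<Directory /srv/web/{{sitename}}/docroot>
		Require all granted
		# Same symlink and .htaccess considerations as the port-80 vhost:
		# FollowSymLinks follows any link the Apache user can read, and
		# php_value/php_flag hand per-directory PHP settings to whoever can
		# write .htaccess files in the docroot.
		Options FollowSymLinks
		## ... ExecCGI
		## ... MultiViews Indexes
		AllowOverride None
		AllowOverrideList RewriteEngine RewriteOptions RewriteBase RewriteCond RewriteRule \
			php_value php_flag
	</Directory>

	#
	# The following lines prevent files with an extension of .inc from being
	# viewed by Web clients.
	#
	# NOTE(review): the match pattern was lost; "\.inc$" is assumed -- confirm.
	<FilesMatch "\.inc$">
		Require all denied
	</FilesMatch>

	# -- Logging --
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	## LogLevel warn
	LogLevel notice

	# If using custom logs for this site, don't forget to create
	# /var/log/apache2/{{sitename}}/ and set up log rotation
	## ErrorLog ${APACHE_LOG_DIR}/{{sitename}}/error.log
	## CustomLog ${APACHE_LOG_DIR}/{{sitename}}/access.log combined

	# -- SSL --
	# SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	# Protocol versions and cipher suites are not set in this vhost, so the
	# server-wide mod_ssl settings apply; review them when deploying.
	# Once the port-80 redirect is enabled, a Strict-Transport-Security
	# response header (mod_headers) keeps returning browsers on HTTPS.
	SSLEngine on

	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	# privkey.pem should stay readable by root only.
	SSLCertificateFile /etc/letsencrypt/live/www.{{domain}}/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/www.{{domain}}/privkey.pem

	# Server Certificate Chain:
	# Point SSLCertificateChainFile at a file containing the
	# concatenation of PEM encoded CA certificates which form the
	# certificate chain for the server certificate. Alternatively
	# the referenced file can be the same as SSLCertificateFile
	# when the CA certificates are directly appended to the server
	# certificate for convenience.
	# SSLCertificateChainFile is obsolete since Apache 2.4.8; fullchain.pem
	# above already carries the intermediate certificates.
	## SSLCertificateChainFile /etc/ssl/certs/{{intermediate}}.crt
</VirtualHost>

</IfFile>

# vim: set filetype=apache tabstop=4 shiftwidth=4 :
# Local Variables:
# tab-width: 4
# end: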