# These modules are required for the basic configuration directives used in this file.
# They *must* be loaded to use this configuration with httpd.
LoadModule	alias_module		/usr/lib/apache2/modules/mod_alias.so
LoadModule	allowmethods_module	/usr/lib/apache2/modules/mod_allowmethods.so
LoadModule	authz_host_module	/usr/lib/apache2/modules/mod_authz_host.so
LoadModule	dir_module		/usr/lib/apache2/modules/mod_dir.so
LoadModule	env_module		/usr/lib/apache2/modules/mod_env.so
#LoadModule	log_config_module	/usr/lib/apache2/mod_log_config.so
LoadModule	mime_module		/usr/lib/apache2/modules/mod_mime.so
LoadModule	mime_magic_module	/usr/lib/apache2/modules/mod_mime_magic.so
LoadModule	mpm_event_module	/usr/lib/apache2/modules/mod_mpm_event.so
LoadModule	setenvif_module		/usr/lib/apache2/modules/mod_setenvif.so
#LoadModule	unixd_module		/usr/lib/apache2/mod_unixd.so

# Load extra modules.
IncludeOptional	/etc/apache2/mods-enabled/*.load


# IP addresses and ports to listen on.
Listen				5.101.171.215:80
Listen				[2a01:a500:2981:1::d7]:80
<IfModule ssl_module>
  Listen			5.101.171.215:25443
  Listen			[2a01:a500:2981:1::d7]:25443
</IfModule>


# Main server configuration.
# Note: A DocumentRoot (and a Directory block granting access) is required in order for RedirectMatch to work in VirtualHosts.
DocumentRoot			/var/www/html
ServerAdmin			"sysadmin(at)slackware.uk"
ServerName			core.slackware.uk.net
ServerSignature			Email
ServerTokens			Major
User				www-data
Group				www-data
DefaultRuntimeDir		/var/run/apache2
PidFile				/var/run/apache2/apache2.pid
ScriptSock			/var/run/apache2/cgid.sock
Mutex				pthread


# Logging.
LogFormat	"%h %l %u %t \"%r\" %>s %b"						Common
LogFormat	"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""		Combined
LogFormat	"%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""	VHostCombined
CustomLog	"|/usr/bin/logger -p local1.info -t httpd"				VHostCombined		env=!no_log
LogLevel	warn allowmethods:crit authz_core:crit
<IfModule include_module>
  LogLevel	include:crit
</IfModule>
<IfModule ssl_module>
  LogLevel	ssl:crit
</IfModule>
ErrorLog	syslog:local0


# Resource limits for event MPM.
#  MaxConnectionsPerChild: maximum number of requests a server process serves
#  MaxRequestWorkers: maximum number of worker threads
#  MaxSpareThreads: maximum number of worker threads which are kept spare
#  MinSpareThreads: minimum number of worker threads which are kept spare
#  StartServers: initial number of server processes to start
#  ThreadLimit: maximum limit of threads for ThreadsPerChild setting
#  ThreadsPerChild: constant number of worker threads in each server process
MaxConnectionsPerChild		10240
MaxRequestWorkers		128
MaxSpareThreads			16
MinSpareThreads			2
StartServers			1
ThreadLimit			64
ThreadsPerChild			32


# Timeouts.
TimeOut				30
GracefulShutDownTimeout		1


# Browser handling.
BrowserMatch			"^Dreamweaver-WebDAV-SCM1"				redirect-carefully
BrowserMatch			"Java/1\.0"						force-response-1.0
BrowserMatch			"JDK/1\.0"						force-response-1.0
BrowserMatch			"Microsoft Data Access Internet Publishing Provider"	redirect-carefully
BrowserMatch			"Mozilla/2"						nokeepalive
BrowserMatch			"MS FrontPage"						redirect-carefully
BrowserMatch			"MSIE [2-5]"						nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch			"RealPlayer 4\.0"					force-response-1.0
BrowserMatch			"^WebDAVFS/1\.[012]"					redirect-carefully
BrowserMatch			"^WebDrive"						redirect-carefully
BrowserMatch			"^XML Spy"						redirect-carefully
BrowserMatch			"^gnome-vfs/1\.0"					redirect-carefully
BrowserMatch			"^gvfs/1"						redirect-carefully
BrowserMatch			"Konqueror/4"						redirect-carefully


# HTTP2.
<IfModule http2_module>
  Protocols			h2 h2c http/1.1
  H2Push			On
  H2PushPriority		application/javascript		interleaved
  H2PushPriority		image/jpeg			after		32
  H2PushPriority		image/png			after		32
  H2PushPriority		text/css			before
  H2PushPriority		*				after
</IfModule>


# SSL configuration.
<IfModule ssl_module>
  SSLCipherSuite		HIGH:!SSLv3:!TLS1:!aNULL:!MD5
  SSLHonorCipherOrder		On
  SSLOptions			+FakeBasicAuth
  SSLProtocol			all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLRandomSeed			startup		builtin
  SSLRandomSeed			startup		file:/dev/urandom	512
  SSLRandomSeed			connect		builtin
  SSLRandomSeed			connect		file:/dev/urandom	512
  SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_session_cache(512000)
  SSLSessionCacheTimeout	300
  SSLSessionTickets		Off
  BrowserMatch			"MSIE [2-5]"	ssl-unclean-shutdown
</IfModule>


# PHP.
<IfModule proxy_fcgi_module>
  DirectoryIndex	index.php index.phtml

  <If "-f %{REQUEST_FILENAME} && %{REQUEST_URI} =~ /.+\.ph(ar|p|tml)$/">
    SetHandler		proxy:unix:/run/php-fpm83/php-fpm.sock|fcgi://localhost/
  </If>
</IfModule>


# Filters and Handlers.
<IfModule filter_module>
  <IfModule deflate_module>
    AddOutputFilterByType	DEFLATE		text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType	DEFLATE		application/x-javascript application/javascript application/ecmascript
    AddOutputFilterByType	DEFLATE		application/rss+xml
    AddOutputFilterByType	DEFLATE		application/wasm
    AddOutputFilterByType	DEFLATE		application/xml
  </IfModule>
  <IfModule include_module>
    AddOutputFilter		INCLUDES	.shtml .html
  </IfModule>
</IfModule>
#This isn't needed except where CGI scripts are placed outside of ScriptAlias dirs.  ExecCGI is required in Options for the dir.
#<IfModule cgid_module>
#  AddHandler			cgi-script	.cgi .pl .py .sh
#</IfModule>


# Mime type mappings.
TypesConfig	/etc/mime.types
AddEncoding	x-compress				.tz .z .Z
AddEncoding	x-gzip					.gz .tgz
AddEncoding	x-bzip2					.bz2 .tbz
AddType		application/octet-stream		.deb .dpkg .flac .flp .img .lz .lzma .mkv .rpm .run .srpm .tlz .txz .vob .xz
AddType		application/pkcs8			.key
AddType		application/pkcs10			.csr
AddType		application/pkix-crl			.crl
AddType		application/x-pem-file			.pem
AddType		application/x-x509-user-cert		.crt
AddType		text/html				.shtml
AddType		text/markdown				.md
AddType		text/plain				.csh .diff .ksh .md5 .md5sum .meta .patch .pl .pm .py .rb .sh .sha .shasum .sha1 .sha1sum .sha256 .sha256sum .sha512 .sha512sum .slackbuild .tcl .url
MIMEMagicFile	/etc/apache2/magic


# Lets Encrypt validation.
Alias		/.well-known/acme-challenge/		/srv/dehydrated/


# Access control.
<FilesMatch ^\.(ht.*|ph(?:ar|p|ps|tml))$>
  Require		all denied
</FilesMatch>

<Directory />
  Options		SymLinksIfOwnerMatch
  AllowOverride		None
  Require		all denied
</Directory>

<Directory /var/empty/>
  Options		None
  AllowOverride		None
  Require		all granted
</Directory>

<Directory /srv/dehydrated/>
  Options		None
  AllowOverride		None
  Require		all granted
</Directory>

<Directory /data/sites/*/html/>
  Options		Includes MultiViews SymLinksIfOwnerMatch
  AllowOverride		AuthConfig FileInfo Indexes Limit

  Require		all granted

  AllowMethods		GET POST OPTIONS

  DirectoryIndex	index.html index.xhtml
  <IfModule include_module>
    DirectoryIndex	index.shtml
  </IfModule>

  <IfModule ssl_module>
    <FilesMatch "\.(shtml|php)$">
      SSLOptions	+StdEnvVars
    </FilesMatch>
  </IfModule>
</Directory>

<IfModule cgid_module>
  <Directory /data/sites/*/cgi-bin/>
    Options		ExecCGI Includes MultiViews SymLinksIfOwnerMatch
    AllowOverride	AuthConfig FileInfo Limit

    Require		all granted

    AllowMethods	GET POST OPTIONS

    DirectoryIndex	disabled

    <IfModule ssl_module>
      SSLOptions	+StdEnvVars
    </IfModule>
  </Directory>
</IfModule>


# Include extra configurations.
IncludeOptional		/etc/apache2/sites-enabled/*.conf