# @package      hubzero-apache2
# @file	        hub-ssl
# @author       Nicholas J. Kisseberth <nkissebe@purdue.edu>
# @copyright    Copyright (c) 2005-2011 Purdue University. All rights reserved.
# @license      http://www.gnu.org/licenses/lgpl-3.0.html LGPLv3
#
# Copyright (c) 2005-2011 Purdue University
# All rights reserved.
#
# This file is part of: The HUBzero(R) Platform for Scientific Collaboration
#
# The HUBzero(R) Platform for Scientific Collaboration (HUBzero) is free
# software: you can redistribute it and/or modify it under the terms of
# the GNU Lesser General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# HUBzero is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# HUBzero is a registered trademark of Purdue University.
#

#
# Basic HUBzero Website Definition

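<VirtualHost *:443>
	# HTTPS-only HUBzero site. Every credential-bearing feature below (Basic
	# auth for Trac login and WebDAV) is bound to this *:443 host, so the
	# Basic-auth headers travel inside TLS rather than in the clear.
	RewriteEngine	on
	#RewriteMap      xlate           prg:/usr/lib/hubzero/bin/filexfer-xlate

	# If you want to enable Canonical Hostname redirects you must replace
	# SITE_FQDN with the Canonical Hostname for your site and uncomment
	# the next 4 commented-out lines:

	#ServerName SITE_FQDN
	#RewriteCond %{HTTP_HOST} !^SITE_FQDN$ [NC]
	#RewriteCond %{HTTP_HOST} !^$
	#RewriteRule ^/(.*) https://SITE_FQDN/$1 [L,R]

	# Answer 404 (not 403) for any request into a checked-out VCS metadata
	# directory, so its files cannot be fetched and the response does not
	# confirm that the directory exists. Only paths containing ".svn/",
	# ".git/" or ".hg/" with the trailing slash are matched.
	RewriteRule ^(.*/)?(\.svn|\.git|\.hg)/ - [R=404,L]

	# ServerSignature only drops the footer from server-generated pages;
	# ServerTokens is server-wide and is not set in this file.
	ServerSignature Off
	DocumentRoot /var/www

	# Default-deny the entire filesystem; each tree that is meant to be
	# served is re-opened explicitly below.
	<Directory />
		Order Deny,Allow
		Deny from all
		Options None
		AllowOverride None
	</Directory>

	<Directory /var/www>
		RewriteEngine On
		Order Allow,Deny
		Allow from all
		Options FollowSymLinks
		AllowOverride None
		DirectoryIndex index.php index.html

		#RewriteRule     ^filexfer/(.*)          ${xlate:$1|nothing} [P,QSA,L]
		# Front controller: any URL that is not an existing file or directory
		# is routed to index.php, except the per-tool Subversion URLs and the
		# per-tool Trac URLs, which are served by the LocationMatch handler
		# below (and by whatever the included svn.conf configures). The Trac
		# path list here must stay identical to the one in that LocationMatch.
		RewriteCond %{REQUEST_FILENAME} !-f
		RewriteCond %{REQUEST_FILENAME} !-d
		RewriteCond %{REQUEST_URI} !^/tools/[^/]+/svn($|/)
		RewriteCond %{REQUEST_URI} !^/tools/[^/]+/(admin|prefs|chrome|log|login|wiki|timeline|roadmap|browser|ticket|newticket|search|about|diff|changeset|logout|settings|raw-attachment|attachment|export)($|/)
		RewriteRule (.*) index.php
	</Directory>

	# Site-private files: never served directly, only read by the
	# application.
	<Directory /var/www/site/protected>
		Order Deny,Allow
		Deny from All
		Options None
		AllowOverride None
	</Directory>

	# Trac front end under mod_python, one Trac environment per tool below
	# /opt/trac/tools.
	<LocationMatch /tools/[^/]+((/($|admin|prefs|chrome|log|login|wiki|timeline|roadmap|browser|ticket|newticket|search|about|diff|changeset|logout|settings|raw-attachment|attachment|export)($|/)))>
		SetHandler mod_python
		PythonInterpreter main_interpreter
		PythonHandler trac.web.modpython_frontend
		PythonOption TracUriRoot /tools
		PythonOption TracEnvParentDir "/opt/trac/tools"
	</LocationMatch>
	# Trac login: HTTP Basic against the local LDAP directory. The bind is
	# cleartext ldap:// but stays on the loopback interface. With
	# AuthzLDAPAuthoritative off (an Apache 2.2 directive) mod_authnz_ldap is
	# not the final authorization authority. Note the (gid=*) filter here,
	# which the WebDAV block below does not apply.
	<LocationMatch /tools/[^/]+/login>
		AuthType Basic
		AuthName "myhub"
		AuthBasicProvider ldap
		AuthzLDAPAuthoritative off
		AuthLDAPURL ldap://localhost/ou=users,dc=myhub,dc=org?uid?sub?(gid=*)
		Require valid-user
	</LocationMatch>

	# The [f] glob makes this include optional: a missing svn.conf is not a
	# startup error, a present one is read.
	Include /etc/apache2/svn.con[f]

	# Per-user WebDAV. Any /webdav/<path> is rewritten onto the caller's own
	# subtree /webdav/home/<user>/<path>, where <user> is REMOTE_USER
	# lower-cased via the "lc" map and obtained by a look-ahead (LA-U) through
	# the Basic/LDAP authentication declared on <Directory /webdav>.
	Alias /webdav /webdav
	RewriteMap lc int:tolower
	RewriteRule ^/webdav(/.*) /webdav/home/${lc:%{LA-U:REMOTE_USER}}$1 [L]
	<Directory /webdav>
		# A deliberately non-existent index name so the Indexes listing is
		# what a directory request shows.
		DirectoryIndex .None.file.not.exists
		IndexOptions FancyIndexing SuppressDescription
		Order Allow,Deny
		Allow from all
		# NOTE(review): FollowSymLinks in a user-writable tree follows links
		# that point outside it; SymLinksIfOwnerMatch is the stricter option
		# if users can create links there by any other route -- confirm.
		Options FollowSymLinks Indexes
		AllowOverride None
		DAV On
		AuthType Basic
		AuthName "WebDAV Server"
		AuthBasicProvider ldap
		AuthzLDAPAuthoritative off
		AuthLDAPURL ldap://localhost/ou=users,dc=myhub,dc=org?uid
		Require valid-user
		# Uploaded PHP-family files are typed as plain text and every file
		# goes through the default handler, so nothing stored via WebDAV is
		# handed to a script handler for execution.
		AddType text/plain .php .phtml .pht .phps .php3 .php3p .php4
		<FilesMatch ".+">
		        SetHandler default-handler
		</FilesMatch>
	</Directory>

	LogLevel warn
	# Access format: adds the negotiated TLS protocol, request timing, the
	# "site" cookie, and a set of request notes (%{...}n) presumably set by
	# the HUBzero application.
	LogFormat "%{%Y-%m-%d %H:%M:%S %Z}t %P %u \"%r\" %>s %B %a \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %T %D %{userid}n %{jsession}n %{site}C %{auth}n %{component}n %{view}n %{task}n %{action}n %{item}n" hublog
	ErrorLog /var/log/apache2/hub-error-ssl.log
	CustomLog /var/log/apache2/hub-access.log hublog

	# VNC proxy (disabled). If enabled, vncProxyDBDParams holds database
	# credentials in this file; keep real values out of any copy that is
	# world-readable or committed.
	#vncProxy On
	#vncProxyAllowedSSLPorts 4900
	#vncProxyAllowedPorts 4900 5900
	#vncProxyLog /var/log/hubzero/vncproxy2.log
	#vncProxyLogLevel warn
	#vncProxyDBDriver mysql
	#vncProxyDBDParams host=localhost,user=XXXXX,pass=XXXXX,dbname=XXXXX
	#vncProxyHelper "/usr/lib/hubzero/bin/vncproxy2-helper --token=%t --remoteip=%r --loglevel=%g --logfile=%l"

	SSLEngine On
	# TLS policy. The previous cipher string admitted export-grade (+EXP) and
	# medium-strength suites and left the protocol at mod_ssl's default,
	# which on older builds includes SSLv2 and SSLv3. Both legacy protocols
	# are disabled here, only HIGH-strength suites with real authentication
	# and encryption are offered, and the server's preference order wins.
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
	# Debian's self-signed "snakeoil" placeholder pair. Install the site's
	# own certificate and key here before exposing the host.
	SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	# Compensation for MSIE client flaws (legacy browsers; harmless for
	# modern clients because the User-Agent patterns do not match them)
	SetEnvIf User-Agent ".*MSIE [1-5].*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
	SetEnvIf User-Agent ".*MSIE [6-9].*" ssl-unclean-shutdown
	<Limit POST>
		SetEnvIf User-Agent ".*MSIE [6-9].*" nokeepalive ssl-unclean-shutdown
	</Limit>
</VirtualHost>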
