# Apache httpd config for vpn-user-portal

Define VPN_APP_ROOT /vpn-user-portal
SetEnv VPN_APP_ROOT ${VPN_APP_ROOT}

# fancy URLs for the OAuth/API calls
Alias ${VPN_APP_ROOT}/oauth/authorize /var/www/vpn-user-portal/web/index.php
Alias ${VPN_APP_ROOT}/oauth/token     /var/www/vpn-user-portal/web/oauth.php
Alias ${VPN_APP_ROOT}/api             /var/www/vpn-user-portal/web/api.php

Alias ${VPN_APP_ROOT} /var/www/vpn-user-portal/web
Alias /.well-known/vpn-user-portal /var/www/vpn-user-portal/web/well-known.php

<Directory /var/www/vpn-user-portal/web>
    Require all granted
    #Require local

    RewriteEngine on
    RewriteBase ${VPN_APP_ROOT}
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L,QSA]

    <Files index.php>
        # Security Headers
        Header always set Content-Security-Policy "default-src 'self'"
        Header always set X-Frame-Options "DENY"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Referrer-Policy "same-origin"
    </Files>

    <Files node-api.php>
        <RequireAny>
            Require local
            # When using separate VPN node(s) running (vpn-server-node),
            # add the IP address(es) of the node(s) here
            #Require ip 192.0.2.0/24
            #Require ip 2001:db::/32
        </RequireAny>
    </Files>
</Directory>