# ============================================================
#  Apache — VirtualHost production pour Univers Group
#  Pour hébergement mutualisé (cPanel, o2switch...) ou VPS Apache
#
#  Sur VPS Ubuntu :
#    sudo cp apache.conf /etc/apache2/sites-available/univers-group.sn.conf
#    sudo a2enmod rewrite headers ssl expires deflate
#    sudo a2ensite univers-group.sn
#    sudo systemctl reload apache2
# ============================================================

# Redirection HTTP → HTTPS
<VirtualHost *:80>
    ServerName  univers-group.sn
    ServerAlias www.univers-group.sn

    # Let's Encrypt challenge
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/

    RewriteEngine On
    RewriteCond   %{HTTPS} off
    RewriteRule   ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Serveur principal HTTPS
<VirtualHost *:443>
    ServerName  univers-group.sn
    ServerAlias www.univers-group.sn
    DocumentRoot /var/www/univers-group/public

    # ── SSL (Certbot / Let's Encrypt) ───────────────────────
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/univers-group.sn/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/univers-group.sn/privkey.pem
    SSLProtocol           all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite        HIGH:!aNULL:!MD5
    SSLHonorCipherOrder   off

    # ── Logs ────────────────────────────────────────────────
    ErrorLog  /var/log/apache2/univers-group.error.log
    CustomLog /var/log/apache2/univers-group.access.log combined

    # ── Taille maximale des uploads ──────────────────────────
    LimitRequestBody 52428800

    # ── En-têtes de sécurité ────────────────────────────────
    Header always set X-Frame-Options        "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection       "1; mode=block"
    Header always set Referrer-Policy        "strict-origin-when-cross-origin"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ServerTokens Prod

    # ── Bloquer dossier install ──────────────────────────────
    <Directory "/var/www/univers-group/public/install">
        Require all denied
    </Directory>

    # ── Répertoire public Laravel ────────────────────────────
    <Directory "/var/www/univers-group/public">
        Options -Indexes -MultiViews +FollowSymLinks
        AllowOverride All
        Require all granted

        # Cache assets Vite (hash dans le nom de fichier)
        <FilesMatch "\.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?|ttf|otf|webp|avif)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 year"
            Header append Cache-Control "public, immutable"
        </FilesMatch>
    </Directory>

    # ── Compression Gzip ────────────────────────────────────
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE \
            application/javascript \
            application/json \
            text/css \
            text/html \
            text/plain \
            text/xml \
            image/svg+xml
    </IfModule>

    # ── PHP-FPM (si installé) ────────────────────────────────
    # Décommentez si vous utilisez PHP-FPM via Apache :
    # <FilesMatch \.php$>
    #     SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
    # </FilesMatch>
</VirtualHost>