<VirtualHost *:80>
  Use BASIC_SITE pablotron.org www-admin@pablotron.org
  Use BASIC_LOGS pablotron.org
  Use STRIP_WWW https://pablotron.org
  Use MOD_DEFLATE

  # unconditionally rewrite to https://pablotron.org
  RewriteEngine On
  RewriteRule ^/(.*)$ https://pablotron.org/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  Use BASIC_SITE pablotron.org www-admin@pablotron.org
  Use BASIC_LOGS pablotron.org
  Use STRIP_WWW https://pablotron.org
  Use MOD_DEFLATE

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem

  # redirect old rss feed to new one
  RewriteCond %{QUERY_STRING} theme=rss
  RewriteCond %{REQUEST_URI} ^/$
  RewriteRule (.*) /index.xml [R=301,L]

  # enable http2 (added 2022-01-29)
  Protocols h2 http/1.1

  # set security headers
  # (added on 2021-10-17)
  #
  # refs:
  # - https://web.dev/security-headers/#xfo
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  # - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
  #
  # permissions-policy docs (seems poorly thought out):
  # * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
  # * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
  # https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md 
  #
  Header append "Strict-Transport-Security" "max-age=31536000"
  Header append "X-Frame-Options" "SAMEORIGIN"
  Header append "X-Content-Type-Options" "nosniff"
  Header append "Cross-Origin-Opener-Policy" "same-origin"
  Header append "Cross-Origin-Resource-Policy" "same-origin"
  Header append "Access-Control-Allow-Origin" "https://pablotron.org"
  Header append "Referrer-Policy" "strict-origin-when-cross-origin"

  # not sure about these yet
  Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"

  # POST needed for /hooks
  Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"

  # 'unsafe-inline' is needed for goldmark table cell alignment
  # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
  # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
  Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"

  # cache images, stylesheets, and javascript for 1 year
  # (added 2022-01-29, i may regret this...)
  <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
    Header set Cache-Control "max-age=31536000, public"
  </FilesMatch>

  <Location /hooks/>
    ProxyPass "http://localhost:9000/"
    ProxyPassReverse "http://localhost:9000/"
  </Location>
</VirtualHost>