# Apache VirtualHost config for Cathode
# Drop in /etc/apache2/sites-available/cathode.conf
# Enable with: sudo a2ensite cathode
#
# Required modules:
#   sudo a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers
#
# For TLS certs use certbot:
#   sudo certbot --apache -d cathode.example.com

# HTTP → HTTPS redirect
<VirtualHost *:80>
    ServerName cathode.example.com
    Redirect permanent / https://cathode.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName cathode.example.com

    # TLS (certbot will fill these in, or provide your own)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cathode.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cathode.example.com/privkey.pem

    # Modern TLS
    SSLProtocol           -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder   off

    # Serve Cathode static files
    DocumentRoot /var/www/cathode
    <Directory /var/www/cathode>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Proxy WeeChat relay API — REST and WebSocket
    # WeeChat listens on localhost:9000 — adjust if needed

    # Enable proxy for this vhost
    ProxyRequests off

    # WebSocket proxy: must come before the plain HTTP proxy rule
    # Apache uses mod_proxy_wstunnel for WebSocket upgrades
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/api(.*)       ws://localhost:9000/api$1 [P,L]

    # Plain HTTP proxy for REST requests to /api
    ProxyPass        /api http://localhost:9000/api
    ProxyPassReverse /api http://localhost:9000/api

    # Pass real client IP
    ProxyPreserveHost on
    RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"

    # Timeouts for long-lived WebSocket connections
    ProxyTimeout 3600

    # Security headers
    Header always set X-Content-Type-Options  "nosniff"
    Header always set X-Frame-Options         "DENY"
    Header always set Referrer-Policy         "strict-origin-when-cross-origin"

    # Logging
    ErrorLog  ${APACHE_LOG_DIR}/cathode_error.log
    CustomLog ${APACHE_LOG_DIR}/cathode_access.log combined
</VirtualHost>


# ── Local / LAN setup (no domain, plain HTTP) ────────────────────────────────
# If you're on a LAN without a domain, use this simpler block.
# Cathode connect screen: uncheck TLS, use ws:// (port 8080 here).
#
# <VirtualHost *:8080>
#     DocumentRoot /var/www/cathode
#     <Directory /var/www/cathode>
#         Options -Indexes
#         Require all granted
#     </Directory>
#
#     ProxyRequests off
#     RewriteEngine on
#     RewriteCond %{HTTP:Upgrade} =websocket [NC]
#     RewriteRule ^/api(.*)  ws://localhost:9000/api$1 [P,L]
#     ProxyPass        /api http://localhost:9000/api
#     ProxyPassReverse /api http://localhost:9000/api
#     ProxyTimeout 3600
# </VirtualHost>