# /etc/apache2/sites-available/rosa.agence-novelia.fr.conf
#
# Cloudflare in Full / Full (strict) mode: the CF -> origin connection is HTTPS,
# so the origin must present a TLS certificate.
# Recommended: Cloudflare Origin Certificate (free, 15-year validity). It is
# trusted only by Cloudflare's edge, not by browsers, so a visitor who reaches
# the VPS directly over HTTPS gets a certificate warning — this is expected.
#   Cloudflare dashboard -> SSL/TLS -> Origin Server -> Create Certificate
#   -> download the .pem (cert) and the .key
#   -> copy them to the VPS under /etc/ssl/cloudflare/ (key owned by root, mode 0600)
#
# Caveat: nothing in this file stops a client that discovers the VPS address
# from talking to the origin directly, bypassing Cloudflare's WAF and rate
# limiting. Restrict ports 80/443 at the host firewall to the Cloudflare ranges
# listed in the 443 vhost, and/or enable Authenticated Origin Pulls (client
# certificate check of the Cloudflare edge) so only Cloudflare can complete a
# TLS handshake with this vhost.
#
# Required Apache modules:
#   sudo a2enmod proxy proxy_http headers remoteip ssl rewrite
#   sudo systemctl reload apache2

# -----------------------------------------------------------------------------
# Port 80 — redirect everything to HTTPS, for visitors that reach the VPS
# directly over HTTP. NOTE: this must NOT be combined with Cloudflare in
# Flexible mode — Flexible always connects to the origin over plain HTTP, so
# the 301 below would produce an endless redirect loop. Keep the zone on
# Full (strict).
# -----------------------------------------------------------------------------
<VirtualHost *:80>
    ServerName rosa.agence-novelia.fr

    # Permanent (301) redirect of every request to the HTTPS vhost; the
    # original path and query string are carried over unchanged.
    RewriteEngine On
    RewriteRule .* https://rosa.agence-novelia.fr%{REQUEST_URI} [R=301,L]

    # Same log files as the 443 vhost. mod_remoteip is only configured in the
    # 443 vhost, so %h here is the TCP peer (the Cloudflare edge for requests
    # that came through Cloudflare), not the visitor.
    ErrorLog  ${APACHE_LOG_DIR}/rosa-error.log
    CustomLog ${APACHE_LOG_DIR}/rosa-access.log combined
</VirtualHost>

# -----------------------------------------------------------------------------
# Port 443 — main vhost, reverse proxy to the Docker container
# -----------------------------------------------------------------------------
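<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName rosa.agence-novelia.fr

    # --- Dedicated logs ---
    # With mod_remoteip active (see below), %h in "combined" is the resolved
    # visitor IP rather than the Cloudflare edge address.
    ErrorLog  ${APACHE_LOG_DIR}/rosa-error.log
    CustomLog ${APACHE_LOG_DIR}/rosa-access.log combined

    # --- TLS (Cloudflare Origin Certificate) ---
    # Trusted only by Cloudflare's edge; browsers hitting the VPS directly will
    # see a warning, which is expected. The .key must be root-only (mode 0600).
    SSLEngine on
    SSLCertificateFile      /etc/ssl/cloudflare/rosa.agence-novelia.fr.pem
    SSLCertificateKeyFile   /etc/ssl/cloudflare/rosa.agence-novelia.fr.key

    # TLS 1.2+ only. No SSLCipherSuite is set here, so the cipher list is
    # inherited from the global ssl.conf; client preference is honoured and
    # session tickets are off (no long-lived ticket key to protect).
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     off
    SSLSessionTickets       off

    # NOTE(review): this vhost accepts TLS from any peer, so a client that
    # learns the VPS address can bypass Cloudflare's WAF. Either firewall
    # 80/443 to the Cloudflare ranges listed below or enable Authenticated
    # Origin Pulls (SSLVerifyClient require against Cloudflare's origin-pull
    # CA) — TODO confirm which control is in place on this host.

    # --- HSTS ---
    # This host is only ever served over HTTPS (port 80 redirects), so tell
    # browsers to remember that for 180 days. Deliberately no includeSubDomains
    # and no preload: scoped to this hostname and reversible.
    Header always set Strict-Transport-Security "max-age=15552000"

    # --- Real visitor IP from Cloudflare ---
    # CF-Connecting-IP is only honoured when the TCP peer is in the trusted
    # list below; from any other peer the header is ignored and the peer
    # address is used, so a direct client cannot spoof its address this way.
    # The list is a snapshot of https://www.cloudflare.com/ips/ — re-check it
    # periodically, or switch to RemoteIPTrustedProxyList pointing at a file
    # that is refreshed from that URL.
    RemoteIPHeader CF-Connecting-IP
    # Official Cloudflare IPv4 ranges
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/13
    RemoteIPTrustedProxy 104.24.0.0/14
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    # Cloudflare IPv6 ranges
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32

    # --- Reverse proxy to the Docker container (internal nginx) ---
    # The visitor's Host header is passed through to the container; this is
    # not a forward proxy.
    ProxyPreserveHost On
    ProxyRequests Off

    # The backend is only reached through this HTTPS vhost.
    RequestHeader set X-Forwarded-Proto "https"
    # Drop any X-Forwarded-For supplied by the client (or prepended by the
    # client before Cloudflare appended its own entry) so the backend sees only
    # the single entry mod_proxy_http adds for this hop — with mod_remoteip
    # active that should be the resolved visitor IP. A backend that reads the
    # *first* XFF entry would otherwise be trivially spoofable.
    RequestHeader unset X-Forwarded-For

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Seconds to wait on the backend connection before failing the request.
    ProxyTimeout 30

    # --- Security: deny dot-files (.env, .git, .htaccess, ...) except ACME's
    # /.well-known/. Location-based authorization is evaluated before the
    # proxy handler, so these requests should never reach the container.
    <LocationMatch "/\.(?!well-known)">
        Require all denied
    </LocationMatch>
</VirtualHost>
</IfModule>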
