# UK Data Services - Production Apache Configuration

<VirtualHost *:80>
    ServerName ukdataservices.co.uk
    ServerAlias www.ukdataservices.co.uk
    DocumentRoot /var/www/html
    
    # Security Headers
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always unset Server
    Header always unset X-Powered-By
    
    # HSTS Redirect to HTTPS (uncomment for production)
    # RewriteEngine On
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Performance: Enable compression
    LoadModule deflate_module modules/mod_deflate.so
    <Location />
        SetOutputFilter DEFLATE
        SetEnvIfNoCase Request_URI \
            \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \
            \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    </Location>
    
    # Performance: Enable expires headers
    LoadModule expires_module modules/mod_expires.so
    ExpiresActive On
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    
    # Directory Configuration
    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
        
        # Security: Hide sensitive files
        <FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
            Require all denied
        </FilesMatch>
        
        # Security: Prevent access to Git files
        <DirectoryMatch "\.git">
            Require all denied
        </DirectoryMatch>
    </Directory>
    
    # Logs
    ErrorLog /var/www/html/logs/apache_error.log
    CustomLog /var/www/html/logs/apache_access.log combined
    LogLevel warn
    
    # Asset optimization
    <LocationMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$">
        ExpiresActive On
        ExpiresDefault "access plus 1 year"
        Header append Cache-Control "public, immutable"
    </LocationMatch>
    
    # PHP Configuration
    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>
    
    # Security: Limit request size (50MB for file uploads)
    LimitRequestBody 52428800
    
    # Rate limiting (if mod_security is available)
    # SecRuleEngine On
    # SecRule REMOTE_ADDR "@detectXSS" "id:1001,deny,status:403,msg:'XSS Attack Detected'"
</VirtualHost>

# HTTPS Configuration (uncomment and configure for production)
# <VirtualHost *:443>
#     ServerName ukdataservices.co.uk
#     ServerAlias www.ukdataservices.co.uk
#     DocumentRoot /var/www/html
#     
#     # SSL Configuration
#     SSLEngine on
#     SSLCertificateFile /etc/ssl/certs/ukds/cert.pem
#     SSLCertificateKeyFile /etc/ssl/certs/ukds/privkey.pem
#     SSLCertificateChainFile /etc/ssl/certs/ukds/chain.pem
#     
#     # SSL Security
#     SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#     SSLCipherSuite ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!aNULL:!MD5:!DSS
#     SSLHonorCipherOrder on
#     SSLCompression off
#     SSLUseStapling on
#     SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
#     
#     # Include all other directives from port 80
#     Include /etc/apache2/sites-available/000-default.conf
# </VirtualHost>