<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    Include /etc/linotp2/apache-servername.conf

    Header always edit Set-Cookie ^(.*)$ $1;secure
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=315360000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Permitted-Cross-Domain-Policies "none"

    <Directory />
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    <Directory /etc/linotp2>
        <Files linotpapp.wsgi>
            Order allow,deny
            Allow from all
        </Files>
    </Directory>

    <Directory /usr/share/doc/linotpdoc/html>
        Order allow,deny
        Allow from all
    </Directory>

    Alias /doc/html         /usr/share/doc/linotpdoc/html

    WSGIScriptAlias /       /etc/linotp2/linotpapp.wsgi
    #
    # The daemon is running as user 'linotp'
    # This user should have access to the encKey database encryption file
    WSGIDaemonProcess linotp processes=1 threads=15 display-name=%{GROUP} user=linotp
    WSGIProcessGroup linotp
    WSGIPassAuthorization On


    <LocationMatch /ocra/(request|checkstatus|getActivationCode|calculateOtp)>
        AuthType Digest
        AuthName "LinOTP2 admin area"
        AuthDigestProvider file
        AuthUserFile /etc/linotp2/admins
        Require valid-user
    </LocationMatch>


    <LocationMatch /(audit|manage|system|license|admin)>
        AuthType Digest
        AuthName "LinOTP2 admin area"
        AuthDigestProvider file
        AuthUserFile /etc/linotp2/admins
        Require valid-user
        #----------------------------------------
        # Here we do client certificate auth
        #----------------------------------------
        # SSLVerifyClient require
        # SSLVerifyDepth  2
        # # Who signed the client certificates
        # SSLCACertificateFile /etc/ssl/certs/ca.crt
        # # what client certs are allowed to log in?
        # SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "az" and %{SSL_CLIENT_S_DN_CN} in {"linotpadm", "Manfred Mann"} )
    </LocationMatch>

    <Location /gettoken>
        AuthType Digest
        AuthName "LinOTP2 gettoken"
        AuthDigestProvider file
        AuthUserFile /etc/linotp2/gettoken-api
        Require valid-user
    </Location>

    <Location /selfservice>
        # The authentication for selfservice is done from within the application
    </Location>

    <Location /validate>
        # No Authentication
    </Location>


    ErrorLog /var/log/apache2/error.log

    LogLevel warn

    # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
    # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
    LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_S_DN_CN}x\"" LinOTP2
    CustomLog /var/log/apache2/ssl_access.log LinOTP2

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /etc/ssl/certs/linotpserver.pem
    SSLCertificateKeyFile /etc/ssl/private/linotpserver.key

    ErrorDocument 500 "<h1>Internal Server Error</h1> Possible reasons can be missing modules or bad access rights on LinOTP configuration files or log files. Please check the apache logfile <pre>/var/log/apache2/error.log</pre> for more details."

</VirtualHost>
