# =====================================================
# ZLO Platform - Apache Configuration
# Production-ready rewrite rules and security headers
# =====================================================

# Enable rewrite engine.
# This directive is not wrapped in <IfModule mod_rewrite.c>, so if mod_rewrite
# is unavailable Apache rejects the file with a server error rather than
# silently skipping the RewriteRule-based deny rule further down.
RewriteEngine On

# Set base directory (adjust if installed in subdirectory)
# RewriteBase /

# -----------------------------------------------------
# SECURITY - Block access to sensitive files
# -----------------------------------------------------

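# Block access to .env files (.env, .env.local, .env.production, ...).
# Kept as its own rule so the protection survives if the generic dotfile
# rule below is ever relaxed.
<FilesMatch "^\.env">
    # Apache 2.4+: native authorization directive
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (on 2.4 this syntax needs mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block access to hidden files (.htaccess, .htpasswd, .gitignore, ...)
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch only tests the final path segment, so a file inside a hidden
# directory (for example version-control metadata) is not covered by the two
# rules above. Refuse any path that contains a dot-prefixed segment, except
# .well-known/ (RFC 8615), which certificate validation and similar
# protocols rely on.
RewriteRule "(^|/)\.(?!well-known/)" - [F]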

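# Block access to sensitive directories.
# - [NC]: a differently-cased URL must not reach the same directory on a
#   case-insensitive filesystem.
# - (?:/|$): refuse the bare directory name as well as every path below it.
# - [F] already ends rule processing, so a separate [L] is not needed.
# NOTE(review): within this file this rule is the only barrier in front of
# these paths; keeping them outside the document root would not depend on
# mod_rewrite being active - confirm the deployment layout.
RewriteRule ^(?:api/(?:config|core|models)|database|logs)(?:/|$) - [F,NC]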

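# Block access to SQL dumps, logs, ini/shell files and backup/swap leftovers.
# (?i) makes the extension match case-insensitive, so dump.SQL or app.LOG
# is refused as well.
<FilesMatch "(?i)\.(sql|log|ini|sh|bak|swp)$">
    # Apache 2.4+: native authorization directive
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (on 2.4 this syntax needs mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>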

# -----------------------------------------------------
# API ROUTES - Redirect API calls to api/index.php
# -----------------------------------------------------

# API requests (front controller).
# Any URL under api/ that does not resolve to an existing file or directory
# is handled by api/index.php; the query string is preserved and rule
# processing stops for this pass.
# The captured path is not used in the substitution, so api/index.php has to
# derive the route from the request URI itself.
# NOTE(review): files that do exist under api/ skip this rule and are served
# or executed directly unless one of the deny rules above matches them.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api/index.php [QSA,L]

# -----------------------------------------------------
# FRONTEND ROUTES - Single Page Application routing
# -----------------------------------------------------

# If the request is for a real file or directory, serve it unchanged.
# NOTE(review): this passes through every existing path below this directory
# that the deny rules above do not match, so those rules are what keeps
# non-public files from being served. Re-check them whenever files or
# directories are added next to public/.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Otherwise, route to index.html (SPA routing): every remaining URL gets
# public/index.html, with the query string preserved.
RewriteRule ^(.*)$ public/index.html [QSA,L]

# -----------------------------------------------------
# SECURITY HEADERS
# -----------------------------------------------------

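<IfModule mod_headers.c>
    # X-Frame-Options - Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"

    # X-Content-Type-Options - Prevent MIME sniffing
    Header always set X-Content-Type-Options "nosniff"

    # X-XSS-Protection - explicitly disable the legacy browser XSS auditor.
    # Current browsers have removed it, and in older ones "1; mode=block"
    # could itself introduce cross-site information leaks. A
    # Content-Security-Policy is the replacement control.
    Header always set X-XSS-Protection "0"

    # Referrer-Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions-Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Remove technology-disclosure headers.
    # PHP adds X-Powered-By to the normal response header table, which the
    # "always" form does not cover, so unset it in both tables.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    # The Server header is added by the Apache core after mod_headers has
    # run, so this line generally has no effect; ServerTokens in the main
    # server configuration is what controls it.
    Header always unset Server

    # NOTE(review): no Content-Security-Policy or Strict-Transport-Security
    # header is set in this file - confirm they are sent elsewhere.
</IfModule>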

# -----------------------------------------------------
# PERFORMANCE - Compression and caching
# -----------------------------------------------------

# Compress text-based responses before they are sent
<IfModule mod_deflate.c>
    # Markup and plain text
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    # Stylesheets, scripts and JSON payloads
    AddOutputFilterByType DEFLATE text/css application/javascript application/json
    # Vector images
    AddOutputFilterByType DEFLATE image/svg+xml
    # NOTE(review): compressing HTTPS responses that combine secrets (tokens,
    # session data) with request-controlled content is the precondition for
    # compression side-channel attacks such as BREACH - confirm the HTML and
    # JSON responses served here do not reflect input next to secrets.
</IfModule>

# Client-side cache lifetimes, counted from the time of access
<IfModule mod_expires.c>
    ExpiresActive On

    # Web fonts - one year
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"

    # Raster and vector images - one year
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"

    # Stylesheets and scripts - one month
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
</IfModule>

# -----------------------------------------------------
# PHP SETTINGS
# -----------------------------------------------------

# Applied only when PHP is loaded as an Apache module that identifies itself
# as mod_php.c. Under a differently named PHP module, or under PHP-FPM/CGI,
# this whole block is skipped without any error and the limits have to be
# set in php.ini or the pool configuration instead.
<IfModule mod_php.c>
    # Largest single uploaded file
    php_value upload_max_filesize 10M
    # Largest accepted request body.
    # NOTE(review): equal to upload_max_filesize, so a 10M file plus the
    # multipart overhead exceeds it; PHP's documentation asks for
    # post_max_size to be larger than upload_max_filesize.
    php_value post_max_size 10M
    # Seconds a script may run / spend receiving input.
    # NOTE(review): 300 s on both timers lets a single request occupy a
    # worker for minutes - confirm this is required and that slow-request
    # limits exist in front of PHP.
    php_value max_execution_time 300
    php_value max_input_time 300
    # Per-request memory ceiling
    php_value memory_limit 256M
</IfModule>

# -----------------------------------------------------
# DEFAULT CHARSET
# -----------------------------------------------------

# Adds charset=UTF-8 to text/plain and text/html responses that do not
# declare a charset themselves, so browsers do not have to guess the encoding.
AddDefaultCharset UTF-8

# -----------------------------------------------------
# DISABLE DIRECTORY BROWSING
# -----------------------------------------------------

# A directory without an index file is answered with 403 instead of an
# auto-generated listing of its contents.
# Requires AllowOverride to permit Options for this directory.
Options -Indexes
