## Apache vhost for app3.syntheon.in (Docker backend)
#
# Serves:
# - https://app3.syntheon.in/            -> frontend (container :3000)
# - https://app3.syntheon.in/master/     -> masterpanel (container :4174)
# - https://app3.syntheon.in/api/        -> Django (container :8000)
# - https://app3.syntheon.in/api/mcube/  -> MCube proxy (:8088) — MUST be before ProxyPass /api/ (first match wins)
# - https://app3.syntheon.in/webhooks/   -> MCube proxy (container :8088)
# - https://app3.syntheon.in/ws/         -> MCube proxy WS (container :8088 -> ws_bridge)
# - https://app3.syntheon.in/bid/websocket/ -> MCube proxy WS (container :8088 -> ws_bridge)
#
# Prereqs:
#   sudo a2enmod ssl headers rewrite proxy proxy_http proxy_wstunnel
#
# Install (Ubuntu/Debian):
#   sudo cp apache-app3-syntheon.conf /etc/apache2/sites-available/app3-syntheon.conf
#   sudo a2ensite app3-syntheon.conf
#   If certbot already created a *-le-ssl.conf, either disable the duplicate vhost
#   (`sudo a2dissite app3-syntheon-le-ssl`) or merge this file’s ProxyPass/Location into it.
#   sudo apache2ctl configtest && sudo systemctl reload apache2
#   SSL: certs at /etc/letsencrypt/live/app3.syntheon.in/ (see VirtualHost *:443 below).
#   To (re)issue: sudo certbot --apache -d app3.syntheon.in
#   Suppress AH00558: add to /etc/apache2/apache2.conf: ServerName app3.syntheon.in
#
# IMPORTANT:
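# - Container must publish ports to 127.0.0.1 only (not public). A bare `-p 3000:3000` binds every
#   interface and exposes the service directly, without TLS or the headers set in this vhost. Example:
#     -p 127.0.0.1:3000:3000 -p 127.0.0.1:4174:4174 -p 127.0.0.1:8000:8000 -p 127.0.0.1:8088:8088
#   The host-side (left) port of each mapping must equal the matching Define below; with the
#   defaults in this file the first two mappings become 127.0.0.1:3101:3000 and 127.0.0.1:4180:4174.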
#
# If a port is already in use on the host, change these Defines (no other edits needed).
# NOTE: `Define` is supported by Apache 2.4+.
# Host ports (left side of `-p HOST:CONTAINER` in `docker run`)
# If you map frontend 3101->3000 and masterpanel 4180->4174, keep these as 3101/4180.
# Host-side port of the frontend container; used by the catch-all "/" proxy rule.
Define APP3_FRONTEND_PORT 3101
# Host-side port of the masterpanel container; used by the /master/ and /dashboard/ proxy rules.
Define APP3_MASTERPANEL_PORT 4180
# Host-side port of the Django backend; used by the /api/, /static/ and /media/ proxy rules.
Define APP3_BACKEND_PORT 8000
# Host-side port of the MCube proxy; used by /api/mcube/, /webhooks/, /ws/ and /bid/websocket/.
Define APP3_MCUBE_PROXY_PORT 8088

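<VirtualHost *:80>
  ServerName app3.syntheon.in

  # Plain-HTTP listener: its only job is to send every request to the HTTPS vhost.
  #
  # The redirect target uses the literal canonical hostname rather than %{SERVER_NAME}.
  # Unless UseCanonicalName is On, %{SERVER_NAME} is taken from the client's Host header,
  # so when this vhost is the default for *:80 the Location header would echo whatever
  # host the client sent. Pinning the name keeps the redirect on this site.
  #
  # Flags: END stops all further rewriting, NE keeps the URI from being re-escaped,
  # R=permanent issues a 301.
  RewriteEngine On
  RewriteRule ^ https://app3.syntheon.in%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>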

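<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName app3.syntheon.in

  # TLS — uses existing Let’s Encrypt cert (certbot: /etc/letsencrypt/live/app3.syntheon.in/)
  SSLEngine on
  IncludeOptional /etc/letsencrypt/options-ssl-apache.conf
  # Keep SSLProtocol AFTER the include above: certbot's options file sets SSLProtocol as well,
  # and the last value read wins, so an older copy of that file could otherwise silently
  # re-enable TLS 1.0/1.1 despite this line.
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile /etc/letsencrypt/live/app3.syntheon.in/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/app3.syntheon.in/privkey.pem
  # fullchain.pem already includes the chain; add SSLCertificateChainFile only if your CA needs it
  # If Apache won’t start: ensure the two .pem files exist, or run: sudo certbot certonly --apache -d app3.syntheon.in

  # Reverse proxy only: never act as a forward proxy. Off is the default; stated explicitly so a
  # global setting elsewhere cannot turn this vhost into an open proxy.
  ProxyRequests Off
  ProxyPreserveHost On
  # "set" overwrites any X-Forwarded-Proto the client sent, so the backend only sees this value.
  RequestHeader set X-Forwarded-Proto "https"
  # Ensure Django always sees the public host (fixes DisallowedHost: localhost:8000).
  # This also replaces whatever Host header the client supplied before it reaches the backends.
  RequestHeader set Host "app3.syntheon.in"

  # Basic hardening
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # HSTS: browsers that have seen this header refuse plain HTTP for this host for max-age
  # seconds (one year). Port 80 already redirects permanently, so this only closes the window
  # before that redirect. includeSubDomains is left out because this file covers one host only;
  # use a small max-age while testing.
  Header always set Strict-Transport-Security "max-age=31536000"

  # Request body cap in bytes (26214400 = 25 MiB). Increase for file uploads if needed;
  # keep it as low as the largest legitimate upload allows.
  LimitRequestBody 26214400

  # ----------------------------
  # WebSocket routes (must be before generic ProxyPass)
  # ----------------------------
  # Needs mod_proxy_wstunnel. The ws:// hop is unencrypted but stays on loopback.
  ProxyPass        "/ws/"            "ws://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/ws/"
  ProxyPassReverse "/ws/"            "ws://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/ws/"

  ProxyPass        "/bid/websocket/" "ws://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/bid/websocket/"
  ProxyPassReverse "/bid/websocket/" "ws://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/bid/websocket/"

  # ----------------------------
  # API + MCube proxy (HTTP)
  # ----------------------------
  # Django static assets (DRF browsable API CSS/JS, etc.)
  ProxyPass        "/static/"   "http://127.0.0.1:${APP3_BACKEND_PORT}/static/"
  ProxyPassReverse "/static/"   "http://127.0.0.1:${APP3_BACKEND_PORT}/static/"

  # (Optional) Django media uploads, if used by your app
  ProxyPass        "/media/"    "http://127.0.0.1:${APP3_BACKEND_PORT}/media/"
  ProxyPassReverse "/media/"    "http://127.0.0.1:${APP3_BACKEND_PORT}/media/"

  # MCube outbound/json routes — more specific than /api/, so they are declared ahead of the
  # generic /api/ rule and go to the MCube proxy instead of Django.
  <Location "/api/mcube/">
    ProxyPass "http://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/api/mcube/"
    ProxyPassReverse "http://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/api/mcube/"
  </Location>

  ProxyPass        "/api/"      "http://127.0.0.1:${APP3_BACKEND_PORT}/api/"
  ProxyPassReverse "/api/"      "http://127.0.0.1:${APP3_BACKEND_PORT}/api/"

  # NOTE(review): /webhooks/ is reachable by anyone on the internet; this vhost performs no
  # authentication, so the receiving service has to verify each webhook itself — confirm.
  ProxyPass        "/webhooks/" "http://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/webhooks/"
  ProxyPassReverse "/webhooks/" "http://127.0.0.1:${APP3_MCUBE_PROXY_PORT}/webhooks/"

  # ----------------------------
  # Masterpanel UI under /master/ and /dashboard/
  # ----------------------------
  # IMPORTANT: Do not strip the `/master/` prefix when proxying to Vite preview,
  # otherwise it sees `/login` and blocks with "public base URL of /master/".
  # NOTE(review): Vite documents its preview server as a local preview tool, not a production
  # server; consider serving the built masterpanel files from a static file server instead.
  # If masterpanel is an administrative UI, also consider limiting these two paths by source
  # address or an extra authentication layer — confirm against how it is used.
  ProxyPass        "/master/" "http://127.0.0.1:${APP3_MASTERPANEL_PORT}/master/"
  ProxyPassReverse "/master/" "http://127.0.0.1:${APP3_MASTERPANEL_PORT}/master/"

  # /dashboard/ is an alias: requests are forwarded to the /master/ prefix on the same backend.
  ProxyPass        "/dashboard/" "http://127.0.0.1:${APP3_MASTERPANEL_PORT}/master/"
  ProxyPassReverse "/dashboard/" "http://127.0.0.1:${APP3_MASTERPANEL_PORT}/master/"

  # ----------------------------
  # Frontend UI (default)
  # ----------------------------
  # Catch-all; keep it last so the more specific prefixes above are matched first.
  ProxyPass        "/" "http://127.0.0.1:${APP3_FRONTEND_PORT}/"
  ProxyPassReverse "/" "http://127.0.0.1:${APP3_FRONTEND_PORT}/"

  ErrorLog ${APACHE_LOG_DIR}/app3-syntheon-error.log
  CustomLog ${APACHE_LOG_DIR}/app3-syntheon-access.log combined
</VirtualHost>
</IfModule>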

