# You might want to set up a virtual host for the server, but it is
# not a requirement. You can as well reach the server under its
# common name under https://yourroundcubeserver.example.com/
#
# NameVirtualHost *
# <VirtualHost *>
#     ServerName yourroundcubeserver.example.com
#     DocumentRoot __ROUNDCUBEPATH__


<IfModule mod_alias.c>
    Alias /roundcube "__ROUNDCUBEPATH__/public_html"
    Alias /roundcubemail "__ROUNDCUBEPATH__/public_html"
</IfModule>

# AddDefaultCharset     UTF-8
AddType text/x-component .htc

<Directory "__ROUNDCUBEPATH__/public_html">
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all granted
            </IfModule>
            <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_php5.c>
        Include @apache_sysconfdir@/conf.d/@name@.inc
    </IfModule>

    <IfModule mod_php7.c>
        Include @apache_sysconfdir@/conf.d/@name@.inc
    </IfModule>

    <IfModule mod_rewrite.c>
        Options +SymLinksIfOwnerMatch
        RewriteEngine On
        RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico

        # security rules:
        # - deny access to files not containing a dot or starting with a dot
        #   in all locations except installer directory
        RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
        # - deny access to some locations
        RewriteRule ^/?(\.git|\.tx|\.md|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
        # - deny access to composer binaries
        RewriteRule ^/vendor\/bin\/.* - [F]
        # - deny access to some documentation files
        RewriteRule /?(README|INSTALL|LICENSE|CHANGELOG|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
        # security rules
    </IfModule>

    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
    </IfModule>

    # prefer to brotli over gzip if brotli is available
    <IfModule mod_brotli.c>
        SetOutputFilter BROTLI_COMPRESS
        # some assets have been compressed, so no need to do it again
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|web[pm]|woff2?)$ no-brotli
    </IfModule>

    <IfModule mod_filter.c>
		AddOutputFilterByType DEFLATE application/javascript
		AddOutputFilterByType DEFLATE application/x-javascript 
		AddOutputFilterByType DEFLATE application/xhtml+xml
		AddOutputFilterByType DEFLATE application/xml
		AddOutputFilterByType DEFLATE application/json
		AddOutputFilterByType DEFLATE text/css
		AddOutputFilterByType DEFLATE text/html 
		AddOutputFilterByType DEFLATE text/plain 
		AddOutputFilterByType DEFLATE text/x-component 
		AddOutputFilterByType DEFLATE text/xml
        <IfModule mod_setenvif.c>
                SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
                BrowserMatch ^Mozilla/4 gzip-only-text/html
                BrowserMatch ^Mozilla/4.0[678] no-gzip
                BrowserMatch bMSIE !no-gzip !gzip-only-text/html
        </IfModule>
    </IfModule>

    <IfModule mod_headers.c>
        # for better privacy/security ask browsers to not set the Referer
        Header set Content-Security-Policy "referrer no-referrer"
        # don't cache, please
        Header merge Cache-Control public env=!NO_CACHE
        <IfModule mod_ssl.c>
            # HSTS - HTTP Strict Transport Security
            Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
        </IfModule>
        # X-Xss-Protection
        # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
        Header set X-XSS-Protection "1; mode=block"
    </IfModule>

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 1 month"
    </IfModule>

    FileETag MTime Size

    <IfModule mod_autoindex.c>
        Options -Indexes
    </ifModule>
</Directory>

#
# Special directories
#

<Directory "__ROUNDCUBEPATH__">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/bin">
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/config">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/logs">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/migration">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/migrated">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/plugins/enigma/home">
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/program">
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule !^js|.*\.gif$ - [F]
    </IfModule>
</Directory>

<Directory "__ROUNDCUBEPATH__/temp">
    Options -FollowSymLinks
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
        </IfVersion>
        <IfVersion >= 2.4>
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule mod_access_compat.c>
                Order deny,allow
                Deny from all
            </IfModule>
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

#
# </VirtualHost>