# Apache vhost pour dynamic.alpinux.org
# L'app Flask tourne derrière Gunicorn sur 127.0.0.1:5001

<VirtualHost *:80>
    ServerName dynamic.alpinux.org
    Redirect permanent / https://dynamic.alpinux.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName dynamic.alpinux.org

    # ── Proxy vers Gunicorn ──────────────────────────────────────
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5001/
    ProxyPassReverse / http://127.0.0.1:5001/

    # En-têtes transmis à Flask
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-For   "%{REMOTE_ADDR}s"

    # ── Sécurité ─────────────────────────────────────────────────
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options        "SAMEORIGIN"
    Header always set Referrer-Policy        "strict-origin-when-cross-origin"

    # ── Logs ─────────────────────────────────────────────────────
    ErrorLog  /var/log/apache2/dynamic.alpinux.org-error.log
    CustomLog /var/log/apache2/dynamic.alpinux.org-access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/dynamic.alpinux.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dynamic.alpinux.org/privkey.pem
</VirtualHost>