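# HTTPS reverse proxy: apiwork.rycroftapparel.com -> Gin backend on 127.0.0.1:3040
#
# Required Apache modules (enable once):
#   sudo a2enmod ssl headers rewrite proxy proxy_http proxy_wstunnel
#   sudo systemctl reload apache2
#
# The certificate must carry apiwork.rycroftapparel.com in its SAN/CN (not the
# certificate of some other default vhost).
# If the browser reports ERR_CERT_COMMON_NAME_INVALID, the certificate or vhost
# belongs to the wrong host; it is not a Gin bug.
#
# Trust-boundary notes for this vhost:
#   - TLS ends here; traffic to the backend is plain HTTP/WS over loopback.
#     NOTE(review): confirm the Gin process listens on 127.0.0.1 only, so it
#     cannot be reached directly without TLS and without these headers.
#   - mod_proxy_http appends the peer address to X-Forwarded-For and keeps any
#     value the client sent in front of it. The backend should therefore treat
#     only the hop added by this proxy as trustworthy (in Gin: restrict the
#     trusted proxies to 127.0.0.1) and never use the left-most entry for
#     rate limiting, audit logging or access decisions.

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin info@rycroftapparel.com
    ServerName apiwork.rycroftapparel.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/apiwork.rycroftapparel.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/apiwork.rycroftapparel.com/privkey.pem
    # TLS protocol and cipher settings maintained by certbot.
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Response hardening headers; "always" also covers error responses.
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Referrer-Policy strict-origin-when-cross-origin
    # HSTS: this host is served over HTTPS only, so tell browsers to refuse
    # plain HTTP for it. Scoped to this host name (no includeSubDomains).
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only: state this explicitly so a global "ProxyRequests On"
    # can never turn this vhost into an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header to the backend.
    ProxyPreserveHost On
    # One hour, sized for long-lived WebSocket connections. It applies to every
    # proxied request, so a stalled backend call can hold a worker that long.
    ProxyTimeout 3600
    # "set" overwrites any client-supplied value, so the backend can rely on
    # these two headers as written by this proxy.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # WebSocket: the path must match the Gin route GET /api/v1/ws (after the
    # ticket step). Only requests carrying "Upgrade: websocket" are tunnelled.
    # The pattern is a prefix match: anything starting with /api/v1/ws is sent
    # to the same fixed backend address; only the path suffix is copied.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/api/v1/ws(.*)$ ws://127.0.0.1:3040/api/v1/ws$1 [P,L]

    # Everything else goes to the backend over HTTP.
    ProxyPass / http://127.0.0.1:3040/
    ProxyPassReverse / http://127.0.0.1:3040/

    # Per-vhost logs. The access log records full request lines, so secrets
    # passed in query strings would be written to disk.
    # NOTE(review): confirm the WebSocket ticket is not sent as a URL parameter,
    # or keep these logs access-restricted and rotated.
    ErrorLog ${APACHE_LOG_DIR}/apiwork.rycroftapparel.com_ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/apiwork.rycroftapparel.com_ssl_access.log combined
</VirtualHost>
</IfModule>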
