# Telegram Mini App Referral System - Apache Configuration

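# Changes from the previous layout, in short:
#   * Header, caching, compression and file-access sections are no longer
#     nested inside <IfModule mod_rewrite.c>. Nested there, the deny rules
#     and security headers were silently skipped when mod_rewrite was absent.
#   * Rewrite rules stay guarded by mod_rewrite and keep their relative order.
#
# RewriteBase and the un-slashed RewriteRule patterns are written for
# per-directory context (.htaccess or a <Directory> section).

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # ==================== HTTPS Enforcement ====================
    # HTTPS_REDIRECT is only exported to the request environment; no directive
    # in this file reads it, and it does not control the redirect below.
    <IfModule mod_env.c>
        SetEnv HTTPS_REDIRECT true
    </IfModule>

    # Permanent redirect from HTTP to HTTPS. The host condition is anchored,
    # so the %{HTTP_HOST} echoed into the target can only be the configured
    # name. Replace the yourdomain.com placeholder before deployment; any
    # other host name (for example a www. alias) is NOT redirected.
    # NOTE(review): behind a TLS-terminating proxy %{HTTPS} is "off" for every
    # request, which would make this rule loop. Confirm the deployment shape.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# ==================== Security Headers ====================
<IfModule mod_headers.c>
    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Prevent clickjacking.
    # NOTE(review): Telegram's browser-based clients are understood to embed
    # Mini Apps in an iframe, which SAMEORIGIN would block. If that client
    # must be supported, scope a CSP frame-ancestors allow-list to the app
    # path and keep the admin area non-frameable. Confirm against current
    # Telegram documentation.
    Header always set X-Frame-Options "SAMEORIGIN"

    # The legacy browser XSS auditor is switched off explicitly. "1; mode=block"
    # is deprecated and the auditor itself has been a source of vulnerabilities
    # in older browsers; the CSP below is the control that matters.
    Header always set X-XSS-Protection "0"

    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # CSP Policy (adjust as needed)
    #  - The Telegram source ends in "/" so it matches files under /js/;
    #    without the slash a CSP path is an exact match and the Telegram
    #    script under that directory would be refused.
    #  - object-src and base-uri are pinned because they would otherwise
    #    inherit the broad default-src or be unrestricted.
    #  - 'unsafe-inline' in script-src still permits injected inline script;
    #    move to nonces or hashes when the front end allows it.
    Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; script-src 'self' https://telegram.org/js/ 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https: data:; object-src 'none'; base-uri 'self'"

    # Permissions Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # HSTS is not sent. Once HTTPS is confirmed for every host served here,
    # consider enabling:
    # Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

# ==================== Caching ====================
<IfModule mod_expires.c>
    ExpiresActive On

    # Images
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # CSS
    ExpiresByType text/css "access plus 1 month"

    # JavaScript
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"

    # Fonts
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"

    # Dynamic content: pages and API responses that do not set their own
    # Expires header would otherwise inherit the two-day default below and
    # could be stored by caches even though they may be user-specific.
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"

    # Default
    ExpiresDefault "access plus 2 days"
</IfModule>

# ==================== Compression ====================
# NOTE(review): text/html and application/json are compressed; if a response
# both reflects request data and carries a secret (for example a CSRF token),
# review it for compression side channels (BREACH).
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# ==================== File Access ====================
# Deny access to sensitive files: names starting with .env or .git, and names
# ending in .sql or .md. Both authorization syntaxes are provided so the rule
# also loads on Apache 2.4 without mod_access_compat.
<FilesMatch "^\.(env|git)|\.(sql|md)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    # FilesMatch tests only the base name of the requested file, so it does not
    # cover files stored inside a .git/ directory. Refuse any URL path that
    # has a .git component. Keeping VCS metadata out of the document root
    # entirely remains the stronger control.
    RewriteRule (^|/)\.git(/|$) - [F]

    # ==================== API Routing ====================
    # Requests under api/ that match no existing file or directory are handed
    # to api/index.php, with the remainder of the path in the "path" query
    # parameter (QSA keeps the original query string).
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^api/(.*)$ api/index.php?path=$1 [QSA,L]

    # ==================== App Routing ====================
    # Unknown paths under app/ fall back to app/index.html
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^app/(.*)$ app/index.html [QSA,L]

    # ==================== Admin Routing ====================
    # Unknown paths under admin/ fall back to admin/index.php.
    # NOTE(review): nothing in this file restricts who may reach admin/;
    # confirm that authentication is enforced by the application or by an
    # additional server-level rule.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^admin/(.*)$ admin/index.php [QSA,L]

    # ==================== Root ====================
    # Serve app/index.html for the site root (internal rewrite, no redirect)
    RewriteRule ^$ app/index.html [QSA,L]
</IfModule>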

# ==================== PHP Configuration ====================
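# NOTE(review): mod_php.c is the module file name used by PHP 8. PHP 7 builds
# register as mod_php7.c, and PHP-FPM setups do not load mod_php at all. In
# both cases this whole section is skipped without any error, so confirm
# these limits are actually in effect (e.g. via php.ini or pool settings).
<IfModule mod_php.c>
    # PHP execution timeout
    php_value max_execution_time 30

    # Upload limits
    # NOTE(review): post_max_size covers the whole request body, so with both
    # values at 5M a file close to 5M is rejected once multipart overhead is
    # added. Raise post_max_size slightly if 5M uploads must succeed.
    php_value upload_max_filesize 5M
    php_value post_max_size 5M

    # Memory limit
    php_value memory_limit 256M

    # Never render errors to the client (they can leak paths, queries and
    # configuration). Log them instead. Boolean settings use php_flag, as the
    # PHP manual prescribes, rather than php_value.
    php_flag display_errors Off
    php_flag log_errors On
    # The log file must be writable by the web server user and must not be
    # reachable through the document root.
    php_value error_log /var/log/php_errors.log
</IfModule>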

# ==================== Directory Configuration ====================
<Directory /var/www/telegram-referral>
    # <Directory> sections are accepted only in server or virtual-host
    # configuration, not in .htaccess, while the RewriteBase directive used
    # earlier in this file is accepted only in per-directory context.
    # NOTE(review): confirm where each part of this file is meant to be loaded.

    # -Indexes turns off automatic directory listings. +FollowSymLinks lets
    # the server follow symbolic links; per-directory mod_rewrite rules need
    # FollowSymLinks or SymLinksIfOwnerMatch to be enabled.
    Options -Indexes +FollowSymLinks
    # Lets .htaccess files under this tree override every directive class.
    # NOTE(review): consider narrowing this to the classes actually needed,
    # so that a file written into the tree cannot reconfigure the server.
    AllowOverride All
    # Places no host- or user-based restriction on the tree.
    Require all granted
</Directory>

# Protect sensitive directories
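<Directory ~ "/\.(?!well-known/)">
    # The regular expression is matched against the full filesystem path.
    # The previous pattern ("^\.|^/\.") was anchored at the start of that
    # path, so it could only match a dot-directory directly under the
    # filesystem root and never one inside the site tree (for example
    # <docroot>/.git). This pattern matches any path component that begins
    # with a dot. ".well-known/" is exempted so that standard well-known
    # URIs keep working; drop the lookahead if the site does not use them.
    # <Directory> is valid only in server or virtual-host configuration.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</Directory>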
