#
# horde.sec-mail.guru (Horde Groupware Version 5)
#
<VirtualHost *:80>
        ServerAdmin webmaster@nausch.org
        ServerName horde.sec-mail.guru
        ServerAlias xn--bro-hoa.sec-mail.guru
        ServerPath /

        <Location />
                Options -Indexes +FollowSymLinks
                Require all granted
        </Location>

        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        DirectoryIndex index.php

        ErrorLog logs/horde_error.log
        CustomLog logs/horde_access.log combined
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin webmaster@nausch.org
        ServerName horde.sec-mail.guru
        ServerAlias xn--bro-hoa.sec-mail.guru
        ServerPath /
        DocumentRoot "/usr/share/horde"

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLProtocol -ALL +SSLv3 +TLSv1
                SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
                SSLHonorCipherOrder on
                SSLCertificateFile /etc/pki/tls/certs/wildcard.sec-mail.guru.certificate_140920.pem
                SSLCertificateKeyFile /etc/pki/tls/private/wildcard.sec-mail.guru.serverkey.pem
                SSLCertificateChainFile /etc/pki/tls/certs/CAcert_certificate-chain.pem

        </IfModule>

        <IfModule mod_gnutls.c>
                GnuTLSEnable on
                GnuTLSPriorities SECURE:!MD5
#               #GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:!MD5:+COMP-NULL
                GnuTLSCertificateFile /etc/pki/tls/certs/horde.sec-mail.guru.certificate_140912.pem
                GnuTLSKeyFile /etc/pki/tls/private/horde.sec-mail.guru.serverkey.pem
        </IfModule>

        <IfModule mod_deflate.c>
                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
                AddOutputFilterByType DEFLATE application/javascript application/x-javascriptl
                <Location />
                        <IfModule mod_setenvif.c>
                                SetOutputFilter DEFLATE
                                BrowserMatch ^Mozilla/4 gzip-only-text/html
                                BrowserMatch ^Mozilla/4\.0[678] no-gzip
                                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
                                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
                        </IfModule>
                        <IfModule mod_headers.c>
                                Header append Vary User-Agent env=!dont-vary
                        </IfModule>
                </Location>
        </IfModule>


        AddType application/x-httpd-php .php

        # Link to system Javascript Libraries
        Alias /horde/js/scriptaculous     /usr/share/scriptaculous
        Alias /horde/js/prototype.js      /usr/share/prototype/prototype.js
        Alias /horde/js/syntaxhighlighter /usr/share/syntaxhighlighter

        # Link to Micro$oft stuff
        Alias /Microsoft-Server-ActiveSync /usr/share/horde/rpc.php
        Alias /autodiscover/autodiscover.xml /usr/share/horde/rpc.php

        <Directory /usr/share/horde/>
                # **IMPORTANT** By default, everyone accessing Horde is automatically logged
                # in as 'Administrator'. This is a security risk! It is very important that 
                # you change the authentication backend under the 'Authentication' tab. 
                # For this reason, Horde is currently only accessible from localhost. 
                <IfModule mod_authz_core.c>
                #       Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
                #       Require host vml000010.dmz.nausch.org
                #       Zugriff generell erlauben
                        Require all granted
                </IfModule>

                # Django : 2014-09-19
                # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
                <IfModule mod_rewrite.c>
                        RewriteEngine On
                        RewriteBase   /horde/
                        RewriteCond   %{REQUEST_FILENAME}  !-d
                        RewriteCond   %{REQUEST_FILENAME}  !-f
                        RewriteRule ^(.*)$ rampage.php [QSA,L]
                </IfModule>

                Options +FollowSymLinks
                #Options All
                #AllowOverride All

                # Rewrite the requestet URI, when it is with german "Umlaute".
                RewriteEngine On
                RewriteCond %{REQUEST_URI} ^/$
                RewriteCond %{HTTP_HOST} ^xn--bro-hoa.sec-mail.guru$ [NC]
                RewriteRule ^$ https://horde.sec-mail.guru [L,R=301]

                # Exclude file from password protection
                SetEnvIf Request_URI "(rpc.php)$"  allow
                SetEnvIf Request_URI "(rpc.php/turba/mailsystem/)$"  allow
                SetEnvIf Request_URI "(rpc.php/nag/mailsystem/)$" allow
                SetEnvIf Request_URI "(sapi/profile/client)$"  allow
                SetEnvIf Request_URI "(devinfo)$"  allow
                SetEnvIf Request_URI "(Microsoft-Server-ActiveSync)$"  allow

                # ActiveSync
                RewriteEngine On
                RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php [PT,L,QSA]
                RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
                RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
                RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        </Directory>

        # Deny access to the test.php files except from localhost
        <Files "test.php">
                # Django : 2014-09-19
                #          Zugriff generell verbieten
                #          Require all denied
                #          Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
                Require host vml000010.dmz.nausch.org
        </Files>

        # Those directories should not be viewed by Web clients.
        <DirectoryMatch /usr/share/horde/(ansel|imp|ingo|kronolith|mnemo|nag|sesha|trean|turba|passwd|wicked)/(config|lib|locale|scripts|templates)>
                Require all denied
        </DirectoryMatch>
        <DirectoryMatch /usr/share/horde/(config|lib|locale|templates|scripts)>
                Require all denied
        </DirectoryMatch>


        <Directory /usr/share/horde/rpc>
                <IfModule mod_rewrite.c>
                        RewriteEngine On
                        RewriteCond   %{REQUEST_FILENAME}  !-d
                        RewriteCond   %{REQUEST_FILENAME}  !-f
                        RewriteRule   ^(.*)$ index.php/$1 [QSA,L]
                </IfModule>
        </Directory>

        # Django : 2014-09-19
        # aus der Konfigurationsdatei php-horde-content.conf übernommen 
        <Directory /usr/share/horde/content>
                <IfModule mod_rewrite.c>
                        RewriteEngine On
                        RewriteCond   %{REQUEST_FILENAME}  !-d
                        RewriteCond   %{REQUEST_FILENAME}  !-f
                        RewriteRule ^(.*)$ index.php [QSA,L]
                </IfModule>
        </Directory>

        # Django : 2014-09-19
        # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
        <Directory /usr/share/horde/kronolith/feed/>
                <IfModule mod_rewrite.c>
                        RewriteEngine On
                        RewriteCond   %{REQUEST_FILENAME}  !-d
                        RewriteCond   %{REQUEST_FILENAME}  !-f
                        RewriteRule   ^(.*)$ index.php?c=$1 [QSA,L]
                </IfModule>
        </Directory>

        DirectoryIndex index.php
        ErrorLog logs/horde_error.log
        CustomLog logs/horde_access.log combined
</VirtualHost>