# ============================================
# CONFIGURAÇÃO APACHE - CONTROLE DE FROTAS
# ============================================

# Turn on mod_rewrite for this directory (needs AllowOverride FileInfo and
# Options FollowSymLinks, which is set further down in this file).
RewriteEngine On

# Force HTTPS — left disabled until TLS is configured; delete it if the site
# will never be served over TLS.
# NOTE(review): session.cookie_secure is set to 1 further down, so the session
# cookie is only ever sent over HTTPS; enable this redirect together with it.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ============================================
# ROTEAMENTO DA API
# ============================================

# Route API requests to the API endpoints.
# NOTE(review): the substitution `api/$1` is the same path the pattern just
# matched, so this rule does not actually change the URI; if the API is meant
# to be handled by a single front-controller script, that script should be the
# target here — confirm the intended behaviour.
# The !-f / !-d conditions leave existing files and directories untouched.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} ^/api/(.*)$
RewriteRule ^api/(.*)$ api/$1 [L,QSA]

# Send anything that is not an existing file/directory to public/.
# The !^/public/ condition stops the loop when the rewritten request re-enters
# this file; ^/api/ and ^/admin/ are left alone for their own handling.
# All three exclusions are anchored at the URL root, so this presumably assumes
# the .htaccess sits at the document root — verify before deploying under a
# sub-path.
# [L] ends this rewrite pass; [QSA] preserves the original query string.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/public/
RewriteCond %{REQUEST_URI} !^/api/
RewriteCond %{REQUEST_URI} !^/admin/
RewriteRule ^(.*)$ public/$1 [L,QSA]

# ============================================
# SEGURANÇA
# ============================================

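# Deny direct access to sensitive files: env files, logs, SQL dumps, markdown
# docs, JSON manifests and lock files. Any name that *starts* with ".env" is
# covered as well, so ".env.local" or ".env.example" cannot be fetched either
# (the original suffix-only pattern missed those).
# NOTE(review): blocking *.json also blocks JSON the application may serve as
# static assets — confirm nothing under the web root needs it.
<FilesMatch "(^\.env|\.(env|log|sql|md|json|lock)$)">
    # Apache 2.4 authorization; the 2.2 "Order/Deny" form is kept only as a
    # fallback for servers without mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>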

# Hide internal directories. Answering 404 instead of 403 avoids confirming
# to a client that the directory exists. The pattern is not anchored at the
# start of the path, so it matches these names at any depth — including when
# the application is served from a sub-path.
RedirectMatch 404 /(vendor|config|src|logs|database)/.*

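# Deny access to editor/backup leftovers (these often contain the unprocessed
# source of a PHP file, which would otherwise be served as plain text).
<FilesMatch "\.(bak|backup|old|orig|save|swp|tmp)$">
    # Apache 2.4 authorization; the 2.2 "Order/Deny" form is kept only as a
    # fallback for servers without mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>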

# ============================================
# HEADERS DE SEGURANÇA
# ============================================

# Browser hardening headers. Unlike the CORS block below they are not wrapped
# in <IfModule mod_headers.c>, so a server without mod_headers fails loudly
# instead of silently serving the site without them.

# Stop browsers from MIME-sniffing responses.
Header always set X-Content-Type-Options "nosniff"

# Never allow this site to be embedded in a frame (clickjacking).
Header always set X-Frame-Options "DENY"

# Legacy XSS filter header. Current browsers ignore it and current guidance is
# to drop it or send "0"; the value is kept unchanged here — review it.
Header always set X-XSS-Protection "1; mode=block"

# Baseline CSP (tune as needed). 'unsafe-inline' in script-src and the
# wildcard in img-src weaken it considerably; tighten once inline scripts
# are moved to files.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com; img-src 'self' data: *; font-src 'self' cdnjs.cloudflare.com"

# Send only the origin on cross-origin navigations, nothing on downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# ============================================
# CORS PARA API
# ============================================

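# CORS for API requests.
# The allow-list only matches local development origins (localhost, 127.0.0.1
# and any *.local host, on any port); production origins have to be added here
# explicitly. Never replace the reflected origin with "*" while
# Access-Control-Allow-Credentials is true — browsers reject that combination.
<IfModule mod_headers.c>
    # Reflect the Origin header only when it matches the allow-list. The
    # pattern is now anchored at both ends, so only a complete origin string
    # can match, and $0 is exactly that origin.
    SetEnvIf Origin "^http(s)?://(www\.)?(localhost|127\.0\.0\.1|.*\.local)(:[0-9]+)?$" AccessControlAllowOrigin=$0
    Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    # The response now depends on the Origin request header, so caches must
    # key on it; without Vary a cached Access-Control-Allow-Origin for one
    # origin could be served to another.
    Header merge Vary Origin
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
    # Credentialed CORS is only valid because the allowed origin above is a
    # specific value rather than "*".
    Header always set Access-Control-Allow-Credentials true
</IfModule>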

# ============================================
# PERFORMANCE E CACHE
# ============================================

# Response compression for text-like content types. AddOutputFilterByType
# accumulates, so one type per line is equivalent to a single long line.
# NOTE(review): compressing dynamic responses that echo attacker-controlled
# input next to a secret (e.g. a CSRF token) is exposed to compression side
# channels (BREACH); consider leaving such endpoints uncompressed.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>

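# Far-future caching for static assets (one month from first access).
# image/jpg, image/ico, image/icon and text/x-icon are not the types Apache's
# default mime.types assigns, so those lines are probably inert; they are
# kept, and the types browsers actually see for .ico (image/x-icon,
# image/vnd.microsoft.icon), .svg and .webp are added alongside them.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/ico "access plus 1 month"
    ExpiresByType image/icon "access plus 1 month"
    ExpiresByType text/x-icon "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    # API responses: expire immediately. Note this yields max-age=0, not
    # no-store; responses containing per-user data should also set
    # Cache-Control: no-store from the application.
    ExpiresByType application/json "access plus 0 seconds"
</IfModule>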

# ============================================
# CONFIGURAÇÕES PHP
# ============================================

# PHP runtime limits sized for photo/document uploads (10 MB per request).
# NOTE(review): php_value/php_flag only take effect under mod_php; with
# PHP-FPM these directives are presumably rejected and the same settings
# belong in the pool configuration or a .user.ini — confirm the SAPI in use.
php_value upload_max_filesize 10M
php_value post_max_size 10M
php_value memory_limit 128M
php_value max_execution_time 30

# Session cookie hardening: not readable from JavaScript, HTTPS-only, and
# uninitialised session ids are rejected (strict mode).
# NOTE(review): cookie_secure means the cookie is never sent over plain HTTP;
# the HTTPS redirect at the top of this file is commented out, so on an
# HTTP-only deployment sessions will silently fail to persist.
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
php_flag session.use_strict_mode on

# Do not advertise the PHP version in response headers.
php_flag expose_php off

# ============================================
# TRATAMENTO DE ERROS
# ============================================

# Custom error pages (served from public/).
# NOTE(review): there is no ErrorDocument 403, so the FilesMatch denies above
# fall back to Apache's stock 403 page, which confirms that the protected file
# exists; pointing 403 at the same page as 404 avoids that tell.
ErrorDocument 500 /public/500.html
ErrorDocument 404 /public/404.html

# Never auto-generate directory listings.
Options -Indexes

# ============================================
# REDIRECIONAMENTOS ESPECÍFICOS
# ============================================

# Requests for the directory itself are served by public/index.php, falling
# back to index.php in the same directory.
DirectoryIndex public/index.php index.php

# Canonicalise /admin to /admin/ with a permanent redirect.
RewriteRule ^admin$ admin/ [L,R=301]

# ============================================
# LIMITE DE TAXA (se mod_evasive estiver disponível)
# ============================================

# Request-rate limiting, only if mod_evasive is loaded: 5 hits on one page or
# 50 on the whole site within a 1-second window blocks the client for 600 s.
# NOTE(review): to my knowledge the DOS* directives are server/vhost-level
# only, so if the module is loaded this block may be rejected in .htaccess
# context — confirm against the installed module's documentation.
<IfModule mod_evasive24.c>
    DOSHashTableSize 2048
    DOSPageCount 5
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 600
</IfModule>

# ============================================
# LOGS CUSTOMIZADOS
# ============================================

# Log personalizado para API (DESABILITADO: não permitido em .htaccess)
# <IfModule mod_log_config.c>
#     LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_with_time
#     CustomLog logs/access.log combined_with_time
# </IfModule>

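# ============================================
# FINAL ADJUSTMENTS
# ============================================
# NOTE(review): this tail used to repeat settings already made earlier in the
# file (a second Options +FollowSymLinks, a wildcard
# "Access-Control-Allow-Origin: *" set of CORS headers, and the commented
# HTTPS redirect). The wildcard CORS headers were removed: combined with the
# origin-reflecting block in the "CORS PARA API" section they can produce two
# Access-Control-Allow-Origin headers on successful responses, which browsers
# reject, and "*" is incompatible with Access-Control-Allow-Credentials: true.
# The HTTPS redirect is maintained at the top of the file; enable it there.

# Serve existing files and directories directly, untouched by any rewrite rule
# that may be added after this point (the routing rules above already carry
# their own !-f / !-d conditions).
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# PHP handler for .php files (mod_php only; needs AllowOverride FileInfo).
AddHandler application/x-httpd-php .php

# Default charset for text responses.
AddDefaultCharset UTF-8

# Directory hardening: no auto-index; FollowSymLinks is required for
# mod_rewrite to work in .htaccess context; no server signature on error pages.
Options -Indexes +FollowSymLinks
ServerSignature Off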