# ============================================================================
# ParalinkPOS — Activation Server Apache Configuration
# ============================================================================
# HTTPS zorunluluğu, URL rewriting, güvenlik ayarları ve PHP yapılandırması.
# Requirements: 8.1
# ============================================================================

# ----------------------------------------------------------------------------
# Rewrite Engine
# ----------------------------------------------------------------------------
# Turns mod_rewrite on for this directory; every RewriteRule in this file
# depends on it.
RewriteEngine On

# ----------------------------------------------------------------------------
# HTTPS Enforcement (Requirement 8.1)
# ----------------------------------------------------------------------------
# The HTTPS redirect is disabled for the XAMPP / development environment.
# In production, enable these lines:
# RewriteCond %{HTTPS} !=on
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# NOTE(review): as shipped, nothing in this file enforces HTTPS. Every
# endpoint routed below, including admin/*, is served over plain HTTP until
# the two lines above are uncommented. Make enabling them an explicit,
# verified deployment step.
# NOTE(review): the redirect target is built from %{HTTP_HOST}, which is
# taken from the client's Host header. In production prefer the deployment's
# fixed canonical hostname in the substitution.
# NOTE(review): %{HTTPS} only reflects TLS terminated by this Apache
# instance. Behind a TLS-terminating proxy or load balancer it stays "off"
# and the rule would redirect forever; confirm the topology before enabling.
# NOTE(review): a redirect does not protect the request that triggered it,
# whose body has already travelled in cleartext. API clients should be
# configured with https:// URLs rather than relying on the 301.

# ----------------------------------------------------------------------------
# URL Rewriting — Clean API Paths
# ----------------------------------------------------------------------------
# Route map:
#   /api/license/activate                    → activate.php
#   /api/license/heartbeat                   → heartbeat.php
#   /api/license/deactivate                  → deactivate.php
#   /api/license/report-offline-usage        → report-offline-usage.php
#   /api/license/admin/create                → admin/create.php
#   /api/license/admin/list                  → admin/list.php
#   /api/license/admin/revoke                → admin/revoke.php
#   /api/license/admin/logs                  → admin/logs.php
#   /api/license/admin/generate-offline-code → admin/generate-offline-code.php
#
# A RewriteCond applies only to the RewriteRule that immediately follows it,
# so all routes are folded into one rule that shares a single pair of
# conditions. The alternation is an explicit allow-list: only the nine names
# above are rewritten, and $1 (the matched route) gets ".php" appended.
# The conditions skip the rewrite when the request already resolves to an
# existing file (-f) or directory (-d).
#
# NOTE(review): no Apache-level access control is applied to admin/* here.
# Confirm that each admin script enforces authentication itself (presumably
# through middleware.php — verify).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(activate|heartbeat|deactivate|report-offline-usage|admin/(?:create|list|revoke|logs|generate-offline-code))$ $1.php [L,QSA]

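# ----------------------------------------------------------------------------
# Blocking Access to Sensitive Files
# ----------------------------------------------------------------------------
# Each section carries two branches: "Require all denied" where
# mod_authz_core is loaded (Apache 2.4), and the Order/Deny form otherwise
# (Apache 2.2).
#
# The patterns match the file's base name, so they also apply inside
# subdirectories. They carry (?i) because on a case-insensitive filesystem a
# differently-cased request (for example a ".SQL" suffix) may reach the same
# file without matching a case-sensitive pattern.
#
# NOTE(review): these rules only take effect when the server's AllowOverride
# setting lets .htaccess use them; otherwise the files are served normally.
# Keeping key material and SQL dumps outside the document root does not
# depend on that setting, so treat these rules as defense in depth.

# Deny direct requests for config.php, db.php and middleware.php
<FilesMatch "(?i)^(config|db|middleware)\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Deny requests for the .htaccess file itself
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# Deny requests for SQL files
<FilesMatch "(?i)\.sql$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Deny requests for PEM key files
<FilesMatch "(?i)\.pem$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>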

# ----------------------------------------------------------------------------
# PHP Production Settings
# ----------------------------------------------------------------------------
# display_errors Off keeps PHP error text out of HTTP responses;
# log_errors On records the errors in the server-side log instead.
# error_reporting 32767 is a numeric bitmask, because the E_ALL constant name
# cannot be used in .htaccess (presumably intended as E_ALL — confirm for the
# PHP version in use).
#
# NOTE(review): php_flag / php_value are provided by the PHP Apache module.
# When PHP runs through FPM or CGI, Apache does not recognise them here and
# rejects the whole .htaccess with a 500 response. In that setup, put these
# values in php.ini or .user.ini and confirm that display_errors is really
# off.
php_flag display_errors Off
php_flag log_errors On
php_value error_reporting 32767

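# ----------------------------------------------------------------------------
# Security Headers
# ----------------------------------------------------------------------------
# "always" puts the headers on error responses generated by Apache itself
# (such as the 403 returned for the denied files above, or a 404), not only
# on successful responses. A plain "Header set" leaves those responses bare.
#
#   X-Content-Type-Options  stops browsers from MIME-sniffing responses
#   X-Frame-Options         forbids rendering responses inside a frame
#   X-XSS-Protection        legacy header; current browsers ignore it
#   Referrer-Policy         sends no Referer header on outgoing navigation
#
# NOTE(review): once the HTTPS redirect is enabled for production, consider
# adding HSTS as well. The max-age below is a constructed example value:
#   Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer"
</IfModule>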

# ----------------------------------------------------------------------------
# Disable Directory Listing
# ----------------------------------------------------------------------------
# Without Indexes, a request for a directory that has no index file returns
# an error instead of an auto-generated file listing, so file names under
# this tree are not disclosed.
# NOTE(review): this takes effect only if AllowOverride permits Options in
# .htaccess; confirm against the server or vhost configuration.
Options -Indexes
