<VirtualHost *:80>
  ServerName {{ etherpad_vhost_name }}
  ServerAdmin webmaster@openstack.org

  ErrorLog ${APACHE_LOG_DIR}/etherpad-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/etherpad-access.log combined

  Redirect / https://{{ etherpad_vhost_name }}/

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName {{ etherpad_vhost_name }}
  ServerAdmin webmaster@openstack.org

  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/etherpad-ssl-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/etherpad-ssl-access.log combined

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  SSLCertificateFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/ca.cer

  BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  <IfModule mod_proxy.c>
      # The following redirects "nice" urls such as https://etherpad.example.org/padname
      # to https://etherpad.example.org/p/padname. It was problematic directly
      # supporting "nice" urls as etherpad hardcodes /p/ in many places.
      # Adapted from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
      RewriteEngine on

      # Do not rewrite the /server-status URL (though by default, this
      # is only accessible from localhost).  Connect to it with:
      # ssh -L 8443:localhost:443 $HOSTNAME
      # https://localhost:8443/server-status
      RewriteRule ^/server-status$ /server-status [L]

      RewriteCond %{HTTP_HOST} !{{ etherpad_vhost_name }}
      RewriteRule ^.*$ https://{{ etherpad_vhost_name }} [L,R=301]

      # Server robots.txt directly so that it does not affect
      # etherpad-lite installation.
      RewriteRule ^/robots.txt$ /var/etherpad/robots.txt [L]

      # Refuse external connections to the API through the proxy
      RewriteRule ^/api/ - [F,L]

      RewriteCond %{REQUEST_URI} !^/p/
      RewriteCond %{REQUEST_URI} !^/locales/
      RewriteCond %{REQUEST_URI} !^/locales.json
      RewriteCond %{REQUEST_URI} !^/admin
      RewriteCond %{REQUEST_URI} !^/p/
      RewriteCond %{REQUEST_URI} !^/static/
      RewriteCond %{REQUEST_URI} !^/pluginfw/
      RewriteCond %{REQUEST_URI} !^/javascripts/
      RewriteCond %{REQUEST_URI} !^/socket.io/
      RewriteCond %{REQUEST_URI} !^/ep/
      RewriteCond %{REQUEST_URI} !^/minified/
      RewriteCond %{REQUEST_URI} !^/api/
      RewriteCond %{REQUEST_URI} !^/ro/
      RewriteCond %{REQUEST_URI} !^/error/
      RewriteCond %{REQUEST_URI} !^/jserror
      RewriteCond %{REQUEST_URI} !/favicon.ico
      RewriteCond %{REQUEST_URI} !/robots.txt
      RewriteRule ^/+(.+)$ https://{{ etherpad_vhost_name }}/p/$1 [NC,L,R=301]

      <IfModule mod_proxy_wstunnel.c>
          RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
          RewriteCond %{QUERY_STRING} transport=websocket    [NC]
          RewriteRule /(.*)           ws://localhost:9001/$1 [P,L]
          ProxyPass        /socket.io http://localhost:9001/socket.io retry=0
          ProxyPassReverse /socket.io http://localhost:9001/socket.io
      </IfModule>

      ProxyPass  / http://localhost:9001/ retry=0
      ProxyPassReverse / http://localhost:9001/
  </IfModule>

  <Directory /var/etherpad/www/>
    Require all granted
  </Directory>

</VirtualHost>
</IfModule>