# Configuration Apache HTTPD — HTTPS + HTTP/2 pour les tests ja4ebpf
# Remplace /etc/httpd/conf.d/ssl.conf

Listen 443 https

SSLPassPhraseDialog  exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin

# Désactiver SSLv2/v3 et TLSv1.0/1.1 pour forcer JA4 modernes
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Suites de chiffrement compatibles HTTP/2 + TLS 1.2/1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLHonorCipherOrder off

<VirtualHost _default_:443>
    ServerName platform.test
    DocumentRoot /var/www/html

    # Activation HTTP/2 (ALPN h2)
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/apache.crt
    SSLCertificateKeyFile /etc/pki/tls/private/apache.key

    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>

    # Route healthcheck
    Alias /health /var/www/html/health
    <Location /health>
        Header always set Content-Type "application/json"
    </Location>

    # Logs
    ErrorLog  /var/log/httpd/ssl_error.log
    CustomLog /var/log/httpd/ssl_access.log combined
</VirtualHost>

# VirtualHost HTTP (port 80) pour capturer le trafic en clair
<VirtualHost *:80>
    ServerName platform.test
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog  /var/log/httpd/access_error.log
    CustomLog /var/log/httpd/access_log combined
</VirtualHost>