# Boxenstop Performance Optimizations
# Apache .htaccess Configuration

# IMPORTANT: explicitly allow access (must come first!)
# NOTE(review): this grants every client access to this directory tree and,
# with Apache's default merging, replaces a stricter Require from the server
# config for this tree; it only takes effect where AllowOverride AuthConfig
# is enabled. The per-file deny/grant sections further down are merged after
# it, so they still win for the files they match.
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>

# Explicit DirectoryIndex: index.php is tried first, then the static fallbacks
DirectoryIndex index.php index.html index.htm

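# Enable GZIP compression
<IfModule mod_deflate.c>
    # Compress text-like responses: HTML, CSS, JavaScript, JSON, XML, SVG and
    # the uncompressed font formats (WOFF/WOFF2 are already compressed and are
    # not listed). application/json and application/manifest+json are included
    # because this file declares those types for .json / manifest.json.
    # NOTE(review): compressing dynamic text/html that contains both a secret
    # (e.g. a CSRF token) and attacker-influenced input is the precondition for
    # BREACH-style leakage; the usual mitigation is per-request token masking
    # in the application.
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/manifest+json
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
</IfModule>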

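# Browser caching (mod_expires adds Expires and a Cache-Control max-age).
# mod_expires leaves a response alone if the script already set Expires.
<IfModule mod_expires.c>
    ExpiresActive on

    # PHP output is dynamic and may be user/session specific: do not hand it
    # a default freshness lifetime. Scripts that want caching set their own
    # Cache-Control/Expires headers.
    <FilesMatch "\.php$">
        ExpiresActive off
    </FilesMatch>

    # Images
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"

    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"

    # Fonts (both the IANA font/* types and the legacy application/* aliases,
    # so the rule holds whichever type AddType assigns below)
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
    ExpiresByType application/x-font-ttf "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/truetype "access plus 1 year"
    ExpiresByType font/opentype "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"

    # Static HTML (short lifetime; PHP output is excluded above)
    ExpiresByType text/html "access plus 1 hour"

    # Default
    ExpiresDefault "access plus 1 week"
</IfModule>

# Optional: CORS headers for app access.
# Moved out of <IfModule mod_expires.c>, where they were only applied when
# mod_expires happened to be loaded.
# NOTE(review): as written, every response of this tree (PHP output included)
# is readable cross-origin by any site. Browsers do not send cookies for a
# "*" origin, so cookie-authenticated content is not exposed; still, if the
# app only needs cross-origin access to static assets or the manifest, scope
# these headers to a <FilesMatch> for those files.
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET,POST,OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>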

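# Cache-Control headers
<IfModule mod_headers.c>
    # Static assets: cacheable by browsers and shared caches for 30 days
    # (webp/otf added to match the types declared further down)
    <FilesMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|webp|woff|woff2|ttf|otf|eot)$">
        Header set Cache-Control "public, max-age=2592000"
    </FilesMatch>

    # Static HTML: short cache
    <FilesMatch "\.html$">
        Header set Cache-Control "public, max-age=3600"
    </FilesMatch>

    # PHP output is dynamic and may be user/session specific. The previous
    # "public, max-age=3600" allowed proxies and CDNs to store such responses
    # and serve them to other clients. "private" keeps them out of shared
    # caches; like before, "set" replaces any Cache-Control the script sent.
    # NOTE(review): verify the final header with a HEAD request — the
    # mod_expires text/html rule may merge its own max-age into it.
    <FilesMatch "\.php$">
        Header set Cache-Control "private, max-age=0, must-revalidate"
    </FilesMatch>

    # Security headers ("always" also covers error responses)
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    # The legacy XSS auditor is switched off: current guidance is to send 0,
    # because the filter itself caused cross-site leaks in older browsers.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # NOTE(review): add Strict-Transport-Security here once the HTTPS redirect
    # at the end of this file is enabled; a Content-Security-Policy is
    # application-specific and is not set by this file.
</IfModule>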

# Remove ETags (rely on Last-Modified for revalidation).
# FileETag None stops Apache generating one for static files; the unset
# removes any ETag added by another module or handler.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None

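# Keep-Alive
# Connection is a hop-by-hop header that Apache computes itself from the
# server-level KeepAlive settings (which cannot be set in .htaccess). Forcing
# a value here cannot enable keep-alive; it can only disagree with Apache's
# own decision, and connection-specific headers are not valid over HTTP/2.
# The former "Header set Connection keep-alive" is therefore removed.
# <IfModule mod_headers.c>
# Header set Connection keep-alive
# </IfModule>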

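# MIME types for assets that the default mime.types may not cover
<IfModule mod_mime.c>
    # IANA-registered font types (RFC 8081); the mod_expires rules above list
    # both these and the legacy aliases.
    AddType font/woff .woff
    AddType font/woff2 .woff2
    AddType application/vnd.ms-fontobject .eot
    AddType font/ttf .ttf
    AddType font/opentype .otf
    AddType image/svg+xml .svg
    AddType image/webp .webp
    # Plain JSON must stay application/json: labelling every .json file as a
    # web-app manifest was wrong for API/data files. manifest.json gets its
    # own type in the <Files "manifest.json"> section below. (AddType takes
    # extensions, so the former "AddType ... manifest.json" line never matched.)
    AddType application/json .json
</IfModule>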

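# Security: block access to sensitive files (config, credentials, logs,
# backups, editor/VCS leftovers). Extensions beyond the original list are
# general hardening; drop any that this site actually serves to browsers.
# Deliberately not wrapped in <IfModule mod_authz_core.c>: if the module were
# missing this must fail closed (config error), not silently serve the files.
<FilesMatch "(\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql|env|yml|yaml|conf|swp|orig|lock)|~)$">
    Require all denied
</FilesMatch>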

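# Allow manifest.json for the PWA. Per-file sections are merged in file
# order, so this stays AFTER the deny rules above: a later match wins.
# (The deny pattern does not cover .json anyway.)
<Files "manifest.json">
    Require all granted
    # ForceType (core) sets the response type directly; the Header-based
    # workaround for Content-Type is no longer needed.
    ForceType application/manifest+json
    <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
</Files>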

# Block access to logs directory (REMOVED: <Directory> not allowed in .htaccess)
# Block access to backup directory (REMOVED: <Directory> not allowed in .htaccess)
# .htaccess alternative: a "RedirectMatch 404 ^/<directory-name>/" line here
# (mod_alias), or a .htaccess with "Require all denied" inside each directory.

# Security: do not append the server version to error pages
# (ServerTokens is server-level only and cannot be set here)
ServerSignature Off

# Security: disable directory listings (requires AllowOverride Options)
Options -Indexes

# Follow symbolic links; per-directory mod_rewrite needs this option
# (or SymLinksIfOwnerMatch).
# NOTE(review): on shared hosts SymLinksIfOwnerMatch is the safer choice,
# since FollowSymLinks lets a link point outside the document root.
Options +FollowSymLinks

# URL rewriting (mod_rewrite): IP blocking and optional redirects.
# (The former label "disable unnecessary modules" did not describe this section.)
<IfModule mod_rewrite.c>
RewriteEngine On

# Block IP ranges observed in abusive traffic (131.100.72.x - 131.100.75.x).
# NOTE: a rewrite rule runs only after the TCP handshake and request parsing,
# so it cannot mitigate a SYN flood; it merely answers these clients with 403.
# Network-level filtering (firewall) is the effective control for that.
RewriteCond %{REMOTE_ADDR} ^131\.100\.7[2345]\.
RewriteRule ^(.*)$ - [F,L]

# Block further known abusive IPs
RewriteCond %{REMOTE_ADDR} ^193\.142\.147\.
RewriteRule ^(.*)$ - [F,L]

# Redirect to HTTPS (uncomment once TLS is configured).
# NOTE(review): the target echoes the client-supplied Host header; if the
# vhost answers for arbitrary Host values, prefer a fixed hostname here.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Remove trailing slashes (disabled)
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^(.*)/$ /$1 [R=301,L]
</IfModule>

# DDoS Protection: Limit Request Rate
# Note: This requires mod_ratelimit (may not be available in XAMPP)
# Caveat: mod_ratelimit throttles per-connection bandwidth, not request rate;
# per-client request limiting needs e.g. mod_evasive or a front-end limiter.
# For better protection, use Windows Firewall or Apache httpd.conf