From 66e1d97646cf5d90f6bc508aeb3be09ab89620b7 Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Fri, 7 Jun 2024 10:59:20 +0200
Subject: [PATCH] Fix vhosting issues
---
 deploy/.htaccess | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/deploy/.htaccess b/deploy/.htaccess
index 8b0d935..f6d298f 100644
--- a/deploy/.htaccess
+++ b/deploy/.htaccess
@@ -1,3 +1,11 @@
+# Detect HTTPS
+
+SetEnvIfNoCase X-HTTPS-Session Yes is_ssl=yes
+SetEnvIfNoCase X-HTTPS-Session Yes is_https=yes
+SetEnvIfNoCase X-HTTPS-Session Yes HTTPS=on
+
+# Security headers
+
 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
 Header always append X-Frame-Options DENY
 Header set X-Content-Type-Options nosniff
@@ -5,3 +13,23 @@ Header set X-XSS-Protection "1; mode=block"
 Header set Content-Security-Policy "default-src 'none'; font-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self';"
 Header always set Referrer-Policy "same-origin"
+
+# Error document
+ErrorDocument 404 /404.html
+
+# Redirect http -> https
+RewriteCond %{HTTP:X-HTTPS-SESSION} !^yes$
+RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,QSA]
+
+# Block requests not for divd.club
+RewriteCond %{HTTP_HOST} !^www.divd.nl
+RewriteRule (.*) - [r=404]
+
+# Handle requests to directories without trailing slash
+RewriteCond %{REQUEST_FILENAME} -d
+RewriteRule (.*[^\/])$ https://www.divd.club/$1/ [L,r=301,QSA]
+
+# Redirect requests directly to https://csirt.divd.nl/csirt-divd-nl/...
+RewriteCond %{THE_REQUEST} ^\w+\s+/?divd-club
+RewriteRule (.*) https://www.divd.club/$1 [L,r=301,QSA]
+
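Review bot: The three `SetEnvIfNoCase` lines in the first hunk set `HTTPS=on` from a request header, and nothing visible in this file shows that the front-end proxy removes a client-supplied `X-HTTPS-Session`; if it does not, a plain-HTTP client can mark its own request as secure and skip the redirect added in the second hunk. The pattern `Yes` is also unanchored, so any header value containing "yes" matches; `SetEnvIfNoCase X-HTTPS-Session ^yes$ HTTPS=on` (and the same for the other two lines) would be tighter. I would add a comment above the block such as `# X-HTTPS-Session is set by the TLS-terminating proxy, which must overwrite any client-supplied value`. The match here is case-insensitive while the redirect's `RewriteCond %{HTTP:X-HTTPS-SESSION} !^yes$` is not, so a value of `Yes` would set these variables and still be redirected; adding `[NC]` to that condition would make the two agree.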
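Review bot: The host check `RewriteCond %{HTTP_HOST} !^www.divd.nl` in the second hunk has unescaped dots and no end anchor, so a Host value that merely starts with that string passes it, and it names divd.nl while the comment above it and every redirect target name divd.club. It also sits below the http -> https rule, which is `[L]` and copies `%{HTTP_HOST}` into the Location header, so on plain HTTP an unchecked Host value is reflected into the 301 before the block rule is reached. I would move the host block above the redirect and anchor it, for example `RewriteCond %{HTTP_HOST} !^www\.divd\.club$ [NC]` if divd.club is the intended name. No `RewriteEngine On` is visible in this patch, so the rules presumably depend on it being enabled in the enclosing server configuration; a one-line comment stating that would help the next maintainer.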