# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN

<VirtualHost *:80>
	ServerName matrix.DOMAIN

	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
	# if you're using ACME (Let's Encrypt) certificates.

	Redirect permanent / https://matrix.DOMAIN/
</VirtualHost>

# Client-Server API
<VirtualHost *:443>
	ServerName matrix.DOMAIN

	SSLEngine On

	# If you manage SSL certificates by yourself, these paths will differ.
	SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
	SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem

	SSLProxyEngine on
	SSLProxyProtocol +TLSv1.2 +TLSv1.3
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

	ProxyPreserveHost On
	ProxyRequests Off
	ProxyVia On
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

	AllowEncodedSlashes NoDecode
	ProxyPass / http://127.0.0.1:81/ retry=0 nocanon
	ProxyPassReverse / http://127.0.0.1:81/

	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>

# Server-Server (federation) API
Listen 8448
<VirtualHost *:8448>
	ServerName matrix.DOMAIN

	SSLEngine On

	# If you manage SSL certificates by yourself, these paths will differ.
	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

	SSLProxyEngine on
	SSLProxyProtocol +TLSv1.2 +TLSv1.3
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

	ProxyPreserveHost On
	ProxyRequests Off
	ProxyVia On
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

	AllowEncodedSlashes NoDecode
	ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
	ProxyPassReverse / http://127.0.0.1:8449/

	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>