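# Apache rewrite rules, database-backed version.
# Keeps the original pretty-URL routing, but authentication is delegated to
# the database-backed checker (auth_check_db.php).

RewriteEngine On

# Security: refuse access to sensitive files and directories.
# These rules run before the pass-through rules for tools/, src/, admin/ etc.
# further down, so they match at any depth ("(^|/)") instead of only at the
# document root; otherwise a nested copy such as src/.env would be let through
# by those later rules.
RewriteRule (^|/)\.config(/|$) - [F,L]
# "(/|$)" also covers a request for the bare directory name without a slash.
RewriteRule (^|/)\.git(/|$) - [F,L]
# Covers .env and its usual variants (.env.local, .env.bak, ...), which tend to
# hold the same secrets as .env itself.
RewriteRule (^|/)\.env(\.[^/]*)?$ - [F,L]
# Dependency manifests reveal exact package versions; never serve them.
RewriteRule (^|/)composer\.(json|lock)$ - [F,L]
RewriteRule (^|/)package(-lock)?\.json$ - [F,L]

# Block direct access to the original (pre-database) auth script.
RewriteRule ^auth_check\.php$ - [F,L]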

# Allow access to the tools directory.
# "-" means no substitution and [L] ends rule processing, so everything under
# tools/ is handled by Apache directly and never reaches auth_check_db.php.
# NOTE(review): confirm every script under tools/ enforces its own
# authentication, or restrict this directory (IP allow-list / Require).
RewriteRule ^tools/ - [L]

# Allow access to static resources and the new directory layout.
# Same pass-through as above: requests under these directories bypass the
# database auth script entirely. This includes admin/ and src/.
# NOTE(review): verify that no PHP or other executable content under these
# directories relies on this file for access control.
RewriteRule ^(theme|src|assets|scripts|pages|admin|docs)/ - [L]
# Not anchored at the start: any URL ending in one of these extensions stops
# here, whatever its prefix.
RewriteRule \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ - [L]

# Special handling for xboard asset paths - these are meant to go through the proxy.
# NOTE(review): the extension rule directly above already ends processing for
# URLs such as index.php/theme/Xboard/assets/*.js or *.css, so this rule only
# sees asset URLs with other extensions. If all Xboard assets are supposed to
# be proxied, this rule has to come before the extension rule - confirm intent.
RewriteRule ^index\.php/theme/Xboard/assets/ auth_check_db.php [L]

# API routes related to database authentication.
# All of them are rewritten to the same script; presumably it dispatches on the
# original request URI - verify in auth_check_db.php.
RewriteRule ^api/login/?$ auth_check_db.php [L]
# NOTE(review): db-test looks like a diagnostic endpoint; confirm it requires
# authentication or is disabled in production.
RewriteRule ^api/db-test/?$ auth_check_db.php [L]
RewriteRule ^api/config/?$ auth_check_db.php [L]
RewriteRule ^api/user-expiry/?$ auth_check_db.php [L]
RewriteRule ^login/?$ auth_check_db.php [L]

# Proxy route - requires authentication (handled by auth_check_db.php).
RewriteRule ^proxy/?$ auth_check_db.php [L]

# Pretty-URL routes - keep the original behaviour.
# These routes go through the auth check first.
RewriteRule ^config/?$ auth_check_db.php [L]
RewriteRule ^config\.html/?$ auth_check_db.php [L]
RewriteRule ^settings/?$ auth_check_db.php [L]
# NOTE(review): "admin/" with a trailing slash is already matched by the
# directory pass-through rule above, so only "admin" without the slash reaches
# this rule.
RewriteRule ^admin/?$ auth_check_db.php [L]
RewriteRule ^dashboard/?$ auth_check_db.php [L]

# Special page routes: both map to the static 503.html page.
RewriteRule ^503/?$ 503.html [L]
RewriteRule ^error/?$ 503.html [L]

# Document root - uses database authentication.
RewriteRule ^/?$ auth_check_db.php [L]

# Every other request goes through the database auth check - but only when the
# path is not an existing file (!-f) or directory (!-d). Paths that do exist on
# disk skip this rule and are served by Apache directly.
# NOTE(review): any file in the document root that the deny rules at the top of
# this file do not cover (backups, dumps, other scripts) is therefore reachable
# without the auth check; keep such files outside the document root or deny
# them explicitly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ auth_check_db.php [L]

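# Security response headers ("always" also applies them to error responses).
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options nosniff
    # Clickjacking defence for older browsers; frame-ancestors in the CSP below
    # is the current-standard equivalent.
    Header always set X-Frame-Options DENY
    # Legacy header: current browsers no longer ship the XSS filter it controls,
    # so it adds no protection there. Kept unchanged for old clients.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # frame-ancestors is not covered by default-src, so it is stated explicitly
    # to match X-Frame-Options DENY.
    # NOTE(review): 'unsafe-inline' in script-src allows injected inline script
    # to run, which removes most of the XSS protection a CSP gives; moving to
    # nonces or hashes would close that gap - needs a check of the pages first.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'"
</IfModule>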

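# Client-side caching for static assets.
# Only static media types are listed and there is no ExpiresDefault, so this
# block sets no Expires header on HTML or API responses.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    # Depending on the server's mime.types, .js files are served as
    # text/javascript rather than application/javascript; cover both.
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    # image/jpg is not a registered media type (.jpg normally maps to
    # image/jpeg); the line is kept for servers configured to emit it.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
</IfModule>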

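# Response compression for text-based content types.
# NOTE(review): compressing text/html over TLS is a precondition for
# BREACH-style compression side channels when a page reflects request input
# next to a secret (session or CSRF token). Confirm that the pages produced by
# auth_check_db.php do not do that, or exclude them from DEFLATE.
<IfModule mod_deflate.c>
    # Markup and plain text.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    # JavaScript: text/javascript is added because some mime.types
    # configurations serve .js under that type.
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript text/javascript
</IfModule>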

# Error pages.
# 403, 404 and 500 all render the same static page, so the body does not show
# which kind of error occurred. With a local path Apache keeps the original
# status code, so the response status is still 403/404/500 even though the
# page file is named 503.html.
ErrorDocument 403 /503.html
ErrorDocument 404 /503.html
ErrorDocument 500 /503.html