<VirtualHost _default_:443>


        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Directory permissions and options
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/html>
                Options FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>


        <Directory /var/www/html/appsuite>
                Options None +SymLinksIfOwnerMatch
                AllowOverride Indexes FileInfo
        </Directory>


        # Rewrite
        RewriteEngine On


        # Redirect requests from /


        RedirectMatch ^/$ /appsuite/


        # TLS
        SSLEngine on
        # Consider deploying a trusted TLS certificate
        SSLCertificateFile /opt/open-xchange/certs/frontend.crt
        SSLCertificateKeyFile /opt/open-xchange/certs/frontend.key

        #SSLCertificateFile {{env "APACHE_SSL_CRT"}} 
        #SSLCertificateKeyFile {{env "APACHE_SSL_KEY"}} 
        
        SSLHonorCipherOrder on
        SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL
        SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2


        # Security related headers
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Download-Options "noopen"
        Header always set X-Permitted-Cross-Domain-Policies "none"
        Header unset Server

        # GZip compression is enabled by default for faster content transfer. Consider disabling mod_deflate to mitigate BREACH


        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Add HPKP PINs here
        #Header always set Public-Key-Pins "pin-sha256="PIN1"; pin-sha256="PIN2"; max-age=2592000; includeSubDomains"


        # OCSP Staping requires a TLS certificate with issuer information, consider getting a trusted certificate
        #SSLUseStapling On
        # Setting ECDH Parameters requires OpenSSL 1.0.2 or later, uncomment if available
        #SSLOpenSSLConfCmd ECDHParameters secp384r1


        <Directory "/var/www/html/">


        # Rewrite DAV Client requests to DAV servlet
        RewriteCond %{HTTP_USER_AGENT}      Calendar           [OR]
        RewriteCond %{HTTP_USER_AGENT}      Reminders          [OR]
        RewriteCond %{HTTP_USER_AGENT}      DataAccess         [OR]
        RewriteCond %{HTTP_USER_AGENT}      DAVKit             [OR]
        RewriteCond %{HTTP_USER_AGENT}      Lightning          [OR]
        RewriteCond %{HTTP_USER_AGENT}      Adresboek          [OR]
        RewriteCond %{HTTP_USER_AGENT}      dataaccessd        [OR]
        RewriteCond %{HTTP_USER_AGENT}      Preferences        [OR]
        RewriteCond %{HTTP_USER_AGENT}      Adressbuch         [OR]
        RewriteCond %{HTTP_USER_AGENT}      AddressBook        [OR]
        RewriteCond %{HTTP_USER_AGENT}      Address\ Book      [OR]
        RewriteCond %{HTTP_USER_AGENT}      CalendarStore      [OR]
        RewriteCond %{HTTP_USER_AGENT}      CalendarAgent      [OR]
        RewriteCond %{HTTP_USER_AGENT}      accountsd          [OR]
        RewriteCond %{HTTP_USER_AGENT}      eM\ Client         [OR]
        RewriteCond %{HTTP_USER_AGENT}      OX\ Sync           [OR]
        RewriteCond %{HTTP_USER_AGENT}      CoreDAV


        RewriteRule (.*) http://localhost:8009/servlet/dav/$1     [P]
        </Directory>


        # Logging
        LogLevel warn


        # ErrorLog ${APACHE_LOG_DIR}/ox-https-error.log
        # CustomLog ${APACHE_LOG_DIR}/ox-https-access.log combined

</VirtualHost>