# DBErp Apache 伪静态
# DocumentRoot 必须指向 DBErp 的 public 目录

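<IfModule mod_rewrite.c>
    # Directory listings are switched off unconditionally instead of only when
    # mod_negotiation happens to be loaded. Directory requests are not sent to
    # index.php (see the !-d condition on the front controller below), so a
    # public sub-directory without an index file would be listed whenever the
    # server configuration enables Indexes.
    # Options is a core directive; in .htaccess context it requires
    # "AllowOverride Options" (or All), as the original directive already did.
    Options -Indexes

    <IfModule mod_negotiation.c>
        # MultiViews lets /name resolve to name.ext, which interferes with
        # the routing rules below.
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Keep the ACME (HTTPS certificate validation) challenge path reachable.
    # This rule must stay above the hidden-file rule.
    RewriteRule ^\.well-known/acme-challenge/ - [L]

    # Deny hidden files and directories (any path segment starting with a dot),
    # except .well-known.
    RewriteRule ^(.*/)?\.(?!well-known(?:/|$)).* - [F,L]

    # Deny direct access to common sensitive project files.
    # The pattern is anchored to the DocumentRoot top level. With DocumentRoot
    # pointing at public/ these files should not be present there at all, so
    # this is a second line of defence rather than the primary control.
    # NC: on a case-insensitive filesystem a case variant of the URL maps to
    # the same file and must be denied as well.
    RewriteRule ^(?:\.env|composer\.(?:json|lock)|package(?:-lock)?\.json|yarn\.lock|pnpm-lock\.yaml|vite\.config\.(?:js|ts)|artisan|phpunit\.xml)$ - [F,L,NC]

    # Deny backup, database dump and editor temporary files.
    # The pattern is a suffix match on the whole path, so it also applies to
    # application routes whose URL ends in one of these extensions.
    RewriteRule \.(?:sql|bak|backup|old|orig|save|swp)$ - [F,L,NC]

    # Pass the Authorization header to PHP (used by the API / Sanctum etc.).
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Pass the X-XSRF-Token header to PHP (used by Livewire / Filament).
    RewriteCond %{HTTP:X-XSRF-Token} .
    RewriteRule .* - [E=HTTP_X_XSRF_TOKEN:%{HTTP:X-XSRF-Token}]

    # Redirect non-directory requests with a trailing slash to the same URL
    # without it.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Signed links to private attachments are always handled by the Laravel
    # router. There is deliberately no !-f condition here: a file that exists
    # under this prefix is never served statically, so the request cannot skip
    # the application. The signature check itself is in the application and is
    # not visible in this file.
    # NC: keeps case variants of the prefix from falling through to static
    # file serving on a case-insensitive filesystem.
    RewriteRule ^private-storage/ index.php [L,QSA,NC]

    # Laravel front controller: everything that is not an existing directory
    # or file goes to index.php.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>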

<IfModule mod_expires.c>
    # Browser caching for stylesheets and scripts: 12 hours counted from the
    # time of access. ExpiresByType selects by the response MIME type, not by
    # file name or path.
    ExpiresActive On
    ExpiresByType text/css "access plus 12 hours"
    ExpiresByType application/javascript "access plus 12 hours"
    ExpiresByType text/javascript "access plus 12 hours"
</IfModule>

<IfModule mod_headers.c>
    # Files whose name ends in .css or .js get an explicit Cache-Control
    # header. 43200 seconds = 12 hours, the same lifetime as the mod_expires
    # block above.
    # "Header set" replaces any Cache-Control value already on the response,
    # and "public" allows shared caches to store it, so only assets that are
    # identical for every user should be served from files matching this
    # pattern.
    <FilesMatch "\.(?:css|js)$">
        Header set Cache-Control "public, max-age=43200"
    </FilesMatch>
</IfModule>
