# {{ ansible_managed }}

{% for horizon_listen_port in horizon_listen_ports.values() %}
Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
{% endfor %}

# If horizon is being served via SSL from this web server,
# then we must redirect HTTP requests to HTTPS.
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
<VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
    ServerName {{ horizon_server_name }}
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
{% endif %}

# If horizon is being served via SSL via a load balancer, we
# need to listen via HTTP on this web server. If SSL is not
# enabled, then the same applies.
<VirtualHost {{ horizon_bind_address }}:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
    ServerName {{ horizon_server_name }}
    LogLevel  {{ horizon_log_level }}
    ErrorLog  syslog:daemon
    CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
    Options +FollowSymLinks
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
    SSLEngine on
    SSLCertificateFile    {{ horizon_ssl_cert }}
    SSLCertificateKeyFile {{ horizon_ssl_key }}
    {% if horizon_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ horizon_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ horizon_ssl_protocol }}
    SSLHonorCipherOrder On
    {% if horizon_ssl_cipher_suite_tls12 != "" -%}
    SSLCipherSuite {{ horizon_ssl_cipher_suite_tls12 }}
    {% endif -%}
    {% if horizon_ssl_cipher_suite_tls13 != "" -%}
    SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}
    {% endif -%}
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
{% endif %}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
    RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
{% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
    RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
{% endif %}

    WSGIScriptAlias / {{ horizon_lib_wsgi_file }}
    WSGIDaemonProcess horizon user={{ horizon_system_user_name }} group={{ horizon_system_group_name }} processes={{ horizon_wsgi_processes | default(horizon_wsgi_threads) }} threads={{ horizon_wsgi_threads }} python-path={{ horizon_lib_dir | dirname }}/site-packages

    WSGIProcessGroup horizon
    WSGIApplicationGroup %{GLOBAL}

    <Directory {{ horizon_lib_wsgi_file | dirname }}>
      <Files {{ horizon_lib_wsgi_file | basename }} >
        <IfVersion < 2.4>
        Order allow,deny
        Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
        Require all granted
        </IfVersion>
      </Files>
    </Directory>

    Alias /static {{ horizon_lib_dir }}/static/

    <Directory {{ horizon_lib_dir }}/static/>
      Options -FollowSymlinks
      <IfVersion < 2.4>
      AllowOverride None
      Order allow,deny
      Allow from all
      </IfVersion>
      <IfVersion >= 2.4>
      Require all granted
      </IfVersion>
    </Directory>
</VirtualHost>