# =============================================================================
# Vita Server — root .htaccess for subdirectory deployment.
#
# Layouts this file supports (both work — pick one in cPanel):
#
#   A) Subdomain → docroot at the project root's parent. Example:
#        URL:       https://api.vitatec.io/vita-server/
#        Filesystem: public_html/api.vitatec.io/vita-server/
#
#   B) Same domain as a subdirectory under the main site. Example:
#        URL:       https://vitatec.io/vita-server/
#        Filesystem: public_html/vita-server/
#
# This file rewrites every request inside the vita-server/ directory to
# public/index.php while blocking direct access to source code folders.
# Combined with vita-server/public/.htaccess it produces the same routing
# behavior as pointing the docroot directly at vita-server/public/ would,
# but works on shared hosting where you cannot reconfigure DocumentRoot.
#
# The rewrite rules are deliberately RELATIVE so the same .htaccess works
# in either layout without any path-specific edits.
# =============================================================================

# =============================================================================
# Force PHP 8.1+ in case the host's PHP Selector (CloudLinux alt-php) defaults
# to PHP 7.x. Vita Server / Laravel 10 require PHP 8.1.0 or newer.
#
# These lines are safe to keep across all standard cPanel + EasyApache + Plesk
# setups. They only take effect when the matching handler is registered; if it
# isn't, the host's default PHP version is used (and you'll see a Composer
# platform error if that default is < 8.1).
#
# If you see "Composer detected issues in your platform" anyway, switch PHP
# Version in cPanel > Select PHP Version (CloudLinux PHP Selector) to 8.1+.
# =============================================================================
<IfModule lsapi_module>
    AddHandler application/x-httpd-ea-php83 .php .php83
    AddHandler application/x-httpd-ea-php82 .php82
    AddHandler application/x-httpd-ea-php81 .php81
</IfModule>
AddHandler application/x-httpd-ea-php83 .php

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block direct access to Laravel source folders even if the rewrite below
    # is bypassed (defense in depth).
    RewriteRule ^(app|bootstrap|config|database|resources|routes|storage|tests|vendor)(/|$) - [F,L]

    # Block dotfiles (.env, .git, .htaccess itself is served by Apache directly).
    RewriteRule ^\. - [F,L]

    # No-shell web installer: serve public/install.php when the user requests
    # /vita_server/install.php. Without this rule the catch-all rewrite below
    # would hand the request to Laravel, which has no install.php route and
    # would 404.
    RewriteRule ^install\.php$ public/install.php [L]

    # If the request already targets public/, leave it alone — the Laravel
    # .htaccess inside public/ takes over from here.
    RewriteCond %{REQUEST_URI} /public/
    RewriteRule .* - [L]

    # Catch-all: forward every request that isn't an existing file or
    # directory into public/index.php so Laravel sees the original
    # PATH_INFO / REQUEST_URI. No filesystem-path hard-coding, so the same
    # rule works for both layouts described in the header.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ public/index.php [L]
</IfModule>

# =============================================================================
# Directory listing protection (defense in depth).
#
# These three directives each block directory listings via a different
# mechanism. At least one of them is honored on every cPanel + LiteSpeed
# config I have ever seen. If your host strips ALL of them, drop the
# accompanying index.html files into each sensitive directory (already
# shipped in _index_dropins/index.html) and let Apache serve those
# instead of an index page.
# =============================================================================
Options -Indexes
IndexIgnore *
<IfModule mod_autoindex.c>
    IndexIgnore *
</IfModule>

# Front controller selection. index.php at the root forwards to Laravel via
# public/index.php; that is what gets served when somebody hits /vita-server/.
DirectoryIndex index.php public/index.php

# Block sensitive files outright (Apache 2.4+ syntax).
<FilesMatch "^(\.env|\.env\..*|composer\.(json|lock)|package(-lock)?\.json|artisan|server\.php|.*\.md|.*\.sql)$">
    Require all denied
</FilesMatch>

# Belt-and-braces for hosts that ignore <FilesMatch>: block by URL pattern.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(\.env|composer\.(json|lock)|artisan|README\.md|DEPLOY-NO-SHELL\.md|database/dumps/.*\.sql)$ - [F,L,NC]
</IfModule>
