# Enable mod_rewrite for this directory; every RewriteCond/RewriteRule below depends on it.
RewriteEngine On

# Custom error pages, given as root-relative URL paths.
# NOTE(review): both targets are PHP scripts - confirm they do not echo the requested
# URL or other request data back unescaped.
ErrorDocument 404 /pages-404.php
ErrorDocument 500 /pages-500.php

# Force HTTPS safely (Cloudflare / reverse proxy compatible)
# IMPORTANT: Do NOT redirect when a proxy already served HTTPS to the client.
# The three conditions are ANDed: the 301 fires only when this connection is not TLS
# and neither forwarded-scheme header reports https.
# NOTE(review): X-Forwarded-Proto and CF-Visitor are ordinary request headers. They can
# be trusted only if the origin accepts traffic solely from the proxy (or the proxy
# always overwrites them); otherwise a request that reaches the origin directly can
# carry them and will be served over plain HTTP. Confirm origin access is restricted.
# NOTE(review): the redirect target reuses the client-supplied Host header. If this
# vhost can answer for arbitrary Host values, pin the canonical hostname instead.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteCond %{HTTP:CF-Visitor} !\"scheme\":\"https\" [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ==== UDID Profile Service: DO NOT REWRITE these endpoints ====
# "-" means no substitution and [L] ends rule processing, so none of the routing rules
# further down apply to these six scripts. The HTTPS redirect above has already run.
# NOTE(review): this rule is not an access control - it only exempts the scripts from
# rewriting. db_test.php and health.php look like diagnostic endpoints (inferred from
# their names); confirm they must be publicly reachable, and otherwise restrict them
# (for example a <Files> block with "Require ip <ADMIN_IP_PLACEHOLDER>") or keep them
# out of production.
RewriteRule ^(processes_data|get_mobileconfig|download_mobileconfig|install|db_test|health)\.php$ - [L]

# ==== Disable gzip/deflate for profile traffic (iOS is picky) ====
# Each line sets two environment variables on matching requests: "no-gzip" (skip
# compression) and "dont-vary" (do not add a Vary header).
# The patterns are anchored at the end only and matched case-insensitively, so they
# apply to any URI ending in that string, in any directory.
<IfModule mod_deflate.c>
  # Static profile files.
  SetEnvIfNoCase Request_URI "\.mobileconfig$" no-gzip dont-vary
  # Profile service scripts (the same set that is exempted from rewriting above).
  SetEnvIfNoCase Request_URI "processes_data\.php$" no-gzip dont-vary
  SetEnvIfNoCase Request_URI "download_mobileconfig\.php$" no-gzip dont-vary
  SetEnvIfNoCase Request_URI "get_mobileconfig\.php$" no-gzip dont-vary
  SetEnvIfNoCase Request_URI "install\.php$" no-gzip dont-vary
  SetEnvIfNoCase Request_URI "db_test\.php$" no-gzip dont-vary
  SetEnvIfNoCase Request_URI "health\.php$" no-gzip dont-vary
</IfModule>

# ==== If ModSecurity blocks binary POST, disable ONLY for processes_data.php ====
# NOTE(review): "SecRuleEngine Off" removes all WAF inspection for this script, on the
# endpoint that receives binary POST bodies. Nothing in this file compensates, so
# processes_data.php has to validate size, format and content of the body itself.
# A narrower exemption is preferable: identify the rule(s) that false-positive from the
# audit log and exclude only those (SecRuleRemoveById <RULE_ID_PLACEHOLDER>), or use
# "SecRuleEngine DetectionOnly" so requests are still logged without being blocked.
# NOTE(review): ModSecurity 2.x only accepts its directives in .htaccess when built
# with .htaccess support - confirm this block actually takes effect on this server.
<IfModule mod_security2.c>
  <Files "processes_data.php">
    SecRuleEngine Off
  </Files>
</IfModule>


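# Legacy route suffix -> unitoreios (301)
# The substitution is root-relative ("/$1..."). With [R] in a per-directory context and
# no RewriteBase, a relative substitution gets the directory's filesystem path added
# back, which would put the server's on-disk path into the Location header.
# Assumes this .htaccess sits in the document root, as the root-relative ErrorDocument
# and CacheDisable paths in this file suggest - adjust the prefix if it does not.
RewriteRule ^(.+)\.(?:quangmodgame)$ /$1.unitoreios [R=301,L,NC]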

# Unitoreios routes
# Internal rewrites (no redirect): each pretty URL is mapped to one PHP script and
# [L] stops further rule processing. Route names are Vietnamese; translations inline.
# NOTE(review): these are URL aliases only. Every target script stays reachable under
# its real name as well, so authentication and authorization (admin-dashboard.php,
# edit-memberinfo.php, auth-change-password.php, ...) must be enforced inside the scripts.
RewriteRule ^admin\.unitoreios$ admin-dashboard.php [L]
# trang-chu = home page
RewriteRule ^trang\-chu\.unitoreios$ index.php [L]
# danh-sach-thiet-bi = device list
RewriteRule ^danh\-sach\-thiet\-bi\.unitoreios$ list-device.php [L]
# danh-sach-key = key list
RewriteRule ^danh\-sach\-key\.unitoreios$ list-key.php [L]
# danh-sach-package = package list
RewriteRule ^danh\-sach\-package\.unitoreios$ list-deb.php [L]
# lich-su-key = key history
RewriteRule ^lich\-su\-key\.unitoreios$ get-history.php [L]
# dangky = register
RewriteRule ^dangky\.unitoreios$ auth-register.php [L]
# dangnhap = log in
RewriteRule ^dangnhap\.unitoreios$ auth-login.php [L]
# tao-package = create package
RewriteRule ^tao\-package\.unitoreios$ tao-package.php [L]
# doi-mat-khau = change password
RewriteRule ^doi\-mat\-khau\.unitoreios$ auth-change-password.php [L]
# sua-post = edit post
RewriteRule ^sua\-post\.unitoreios$ edit-post.php [L]
# nang-cap = upgrade (pricing page)
RewriteRule ^nang\-cap\.unitoreios$ pages-pricing.php [L]
RewriteRule ^edit\-users\.unitoreios$ edit-memberinfo.php [L]

# Admin routes: internal rewrites from admin-*.unitoreios to the admin-*.php scripts.
# NOTE(review): nothing in this file restricts who may request these URLs, and the
# admin-*.php scripts are also reachable directly by file name. Access control has to
# be enforced in every admin script (or added here with a Require directive); an
# unlisted or hard-to-guess URL is not a control.
RewriteRule ^admin\-device\.unitoreios$ admin-list-device.php [L]
RewriteRule ^admin\-key\.unitoreios$ admin-list-key.php [L]
RewriteRule ^admin\-package\.unitoreios$ admin-list-deb.php [L]
RewriteRule ^admin\-member\.unitoreios$ admin-list-member.php [L]
RewriteRule ^admin\-post\.unitoreios$ admin-list-post.php [L]
RewriteRule ^admin\-blog\.unitoreios$ admin-list-blog.php [L]
# thong-bao = notifications
RewriteRule ^admin\-thong\-bao\.unitoreios$ admin-list-notifications.php [L]
RewriteRule ^admin\-server\.unitoreios$ admin-server.php [L]

# Short aliases
# Suffix-less duplicates of some routes above; each maps to the same script as its
# ".unitoreios" counterpart, so the same in-script access checks apply.
RewriteRule ^home\.html$ index.php [L]
RewriteRule ^dashboard$ index.php [L]
RewriteRule ^danh\-sach\-thiet\-bi$ list-device.php [L]
RewriteRule ^danh\-sach\-key$ list-key.php [L]
RewriteRule ^danh\-sach\-package$ list-deb.php [L]
RewriteRule ^lich\-su\-key$ get-history.php [L]

# Remove .php extension (only if matching .php file exists)
# Applies when the request is not an existing directory and "<requested path>.php" is
# a regular file; an optional trailing slash is dropped before ".php" is appended.
# NOTE(review): this exposes every .php file under this directory at an extension-less
# URL, including ones that are not meant as entry points (includes, config, helper
# scripts). Keep such files outside the web root or deny direct access to them.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.+?)/?$ $1.php [L]

# Protect sensitive files
# Denies any file whose name starts with ".ht" or ".env" (.htaccess, .htpasswd, .env,
# .env.local, ...). FilesMatch tests the file name only, not the directory path.
# NOTE(review): other sensitive artifacts are not covered by this pattern - version
# control directories, backup/editor copies (*.bak, *.swp, *~), SQL dumps, dependency
# manifests. Confirm none are deployed under the web root or add rules for them.
<FilesMatch "^\.(ht|env)">
    Require all denied
</FilesMatch>

# Deny any request whose query string contains the literal token "ConCacDDoS"
# (case-sensitive regex match).
# NOTE(review): this is a static signature for one specific request pattern. It filters
# that traffic only and is not a substitute for rate limiting or upstream DoS
# protection; the request still reaches the web server before being refused.
<If "%{QUERY_STRING} =~ /ConCacDDoS/">
    Require all denied
</If>

# Serve iOS configuration profiles correctly
# Map the .mobileconfig extension to the Apple configuration-profile MIME type.
AddType application/x-apple-aspen-config .mobileconfig

# Response headers for static .mobileconfig files (only when mod_headers is loaded):
# force the profile MIME type, forbid caching, and disable MIME sniffing.
# NOTE(review): this FilesMatch matches files named *.mobileconfig only. Profiles
# generated by get_mobileconfig.php / download_mobileconfig.php do not match it and
# must set the same headers in PHP - confirm they do.
<IfModule mod_headers.c>
  <FilesMatch "\.mobileconfig$">
    Header set Content-Type "application/x-apple-aspen-config"
    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header set Pragma "no-cache"
    Header set X-Content-Type-Options "nosniff"
  </FilesMatch>
</IfModule>

# ==== LiteSpeed Cache: disable for UDID endpoints (avoid serving stale/HTML cached responses) ====
# Takes effect only under LiteSpeed. Responses from these scripts are presumably
# per-device, so a shared cache must never store or replay them - TODO confirm.
# NOTE(review): db_test.php and health.php are not listed here; they rely on the
# Cache-Control headers set for them further down in this file.
<IfModule LiteSpeed>
  CacheDisable public /processes_data.php
  CacheDisable public /get_mobileconfig.php
  CacheDisable public /download_mobileconfig.php
  CacheDisable public /install.php
</IfModule>


# Unitoreios: disable caching/compression for debugging endpoints
# This block sets the no-cache headers only; compression for these two scripts is
# turned off by the no-gzip entries in the mod_deflate section earlier in this file.
# NOTE(review): no access restriction is applied to db_test.php or health.php anywhere
# in this file. If they report database connectivity, versions or error details
# (inferred from the names - verify), limit them to trusted addresses with a Require
# directive or remove them from production deployments.
<IfModule mod_headers.c>
  <FilesMatch "^(db_test|health)\.php$">
    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header set Pragma "no-cache"
  </FilesMatch>
</IfModule>
