RewriteEngine On
# Custom 404 error page
ErrorDocument 404 /404.html
# ── Security Headers ──────────────────────────────────────────
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
# CORS for .torrent files only — ISO served via P2P, not HTTP
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
# Clean URL: /docs → docs.php
RewriteRule ^docs/?$ /docs.php [L]
# Clean URL: /developers → developers.php
RewriteRule ^developers/?$ /developers.php [L]
# Clean URL: /download → download.php
RewriteRule ^download/?$ /download.php [L]
# Clean URL: /releases → releases.php
RewriteRule ^releases/?$ /releases.php [L]
# Clean URL: /security → security.php
RewriteRule ^security/?$ /security.php [L]
# Clean URL: /apps → apps.php
RewriteRule ^apps/?$ /apps.php [L]
# Clean URL: /compare → compare.php
RewriteRule ^compare/?$ /compare.php [L]
# Clean URL: /about → about.php
RewriteRule ^about/?$ /about.php [L]
# Torrent API proxy (unified seeder on port 3202)
RewriteCond %{REQUEST_URI} ^/torrent-api/
RewriteRule ^torrent-api/(.*)$ http://127.0.0.1:3202/$1 [P,L]
# GoForge — self-hosted Git platform (Gitea on port 3300)
RewriteCond %{REQUEST_URI} ^/forge(/|$)
RewriteRule ^forge(/.*)?$ http://127.0.0.1:3300$1 [P,L]
# WebSocket tracker proxy (tracker on port 3201)
# Browsers connect to wss://alfredlinux.com/announce
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{REQUEST_URI} ^/announce
RewriteRule ^announce(.*)$ ws://127.0.0.1:3201/$1 [P,L]
# HTTP tracker announce (for non-WebSocket clients)
RewriteCond %{REQUEST_URI} ^/announce
RewriteRule ^announce(.*)$ http://127.0.0.1:3201/announce$1 [P,L]