ClickerZ/deploy/clickerz.tetardtek.com.conf

# Apache vhost — clickerz.tetardtek.com
# Frontend: static build served from /var/www/clickerz
# Backend API: reverse proxy to pm2 on port 3310

<VirtualHost *:80>
    ServerName clickerz.tetardtek.com
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName clickerz.tetardtek.com

    # SSL (certbot)
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/clickerz.tetardtek.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/clickerz.tetardtek.com/privkey.pem

    # Frontend — SPA static files
    DocumentRoot /var/www/clickerz
    <Directory /var/www/clickerz>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted

        # SPA fallback — all non-file routes → index.html
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.html$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.html [L]
    </Directory>

    # Backend API — reverse proxy
    ProxyPreserveHost On
    ProxyPass /api http://127.0.0.1:3310/api
    ProxyPassReverse /api http://127.0.0.1:3310/api

    # Security headers
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</VirtualHost>