{
    # vim: ft=perl:

    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
    $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
    $plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
    $adminPort2 = ${'smanager'}{TCPPort} || '982';
    $adminAccess = ${'smanager'}{access} || 'private';
    $sslPort = ${modSSL}{TCPPort} || '443';

    $OUT = '';

    foreach $place ('smanager')
    {
        if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
        {
            $OUT .= '    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
            $OUT .= "    RewriteRule ^/$place(/.*|\$)    https://%{HTTP_HOST}/$place\$1 [L,R]\n";
            $OUT .= "\n";
	}
        $OUT .= "    RewriteRule ^/$place\$   https://%{HTTP_HOST}/$place/ [L,R]\n\n";

        $OUT .= "    ProxyRequests Off\n";
        $OUT .= "    ProxyPreserveHost On\n";
        $OUT .= "    ProxyPass /$place http://127.0.0.1:$adminPort2 keepalive=On\n";
        $OUT .= "    ProxyPassReverse /$place http://127.0.0.1:$adminPort2\n";
        $OUT .= "    RequestHeader set X-Forwarded-Proto 'http'\n";

        $OUT .= "    <Location '/$place'>\n";
        if ($port eq $plainPort)
        {
            $OUT .= '        Require ip 127.0.0.1' . "\n";
        }
        elsif (($haveSSL eq 'yes') && ($port eq $sslPort) && ($adminAccess eq 'public'))
        {
            $OUT .= "#       public access requested in conf db\n";
            $OUT .= "        Require all granted\n";
        } else {
            $OUT .= "#       private access by default\n";
            $OUT .= "        Require ip $localAccess $externalSSLAccess\n";
        }
        # any smanager script or style added in line should be hashed and added here to run in a modern browser
        $OUT .= "                   Header set Content-Security-Policy  \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
        ." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' ; "
        ." style-src 'self'  'unsafe-hashes' "
        #'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' #h2l1
        #'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' #busy-indicator
        #'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' _footer.html.ep style="position:relative;"
        #'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' _usr_list style="min-width:35em"
        #'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' groups style="min-width:15em"
        ." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM='  'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' ;"
	." \"\n"; 
	$OUT .= "    </Location>\n";
        # prevent caching of manager files in browser
        $OUT .= "   <LocationMatch \"/$place/.+\.(html|cgi)\$\">\n";
        $OUT .= "                   Header set Cache-Control no-store\n";
        $OUT .= "   </LocationMatch>\n";

    }
}
