{
    # vim: ft=perl:

    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
    $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';

    $OUT = '';
    foreach $place ('server-manager','server-common','user-password')
    {
        if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
        {
            $OUT .= '    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
            $OUT .= "    RewriteRule ^/$place(/.*|\$)    https://%{HTTP_HOST}/$place\$1 [L,R]\n";
        }
	if ($port eq $httpsPort)
	{
            # mod_auth_tkt needs to know the protocol to write  307 redirection
	    $OUT .= "    RequestHeader set X-Forwarded-Proto \"https\"\n";
	}
        $OUT .= "    ProxyPass /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
        $OUT .= "    ProxyPassReverse /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";

        $OUT .= "    <Location /$place>\n";
        if ($port eq $httpPort)
        {
            $OUT .= '        Require ip 127.0.0.1' . "\n";
        }
        elsif (($haveSSL eq 'yes') && (($port eq $httpsPort) || ($plainTextAccess ne 'yes')))
        {
            $OUT .= "        Require ip  $localAccess $externalSSLAccess\n";
        } else {
            $OUT .= "        Require ip $localAccess\n";
        }

        # any server-manager script or style added in line should be hashed and added here to run in a modern browser
        $OUT .= "                   Header set Content-Security-Policy  \"script-src 'self' https://$virtualHost 'unsafe-hashes' "
        ." 'sha256-bu1Wbll/1+gfjCxVn9czXKc7IhIJRjJgNFdNltH+09c=' 'sha256-MQmv1rIdRtr7sC3167eTWkTNMSq5QzWRPxhOzKUtvKg=' 'sha256-DuDis7gGgnegJBjroiLOJwY+DvfilQsYswIXb6lNE8c=' 'sha256-FengF4xZO+fXC/zBgGGYYPLtc95CEZAk+vS7A9OR64o='  ;"
        ." style-src 'self' https://$virtualHost 'unsafe-hashes' "
        ." 'sha256-ABT3Vs4q5dwUnsKaFzA38LnsL3426dj6CkNKRofyqjA=' 'sha256-upqzRUpu+M2pCK19HHLg5oUeQnpEXij9kojuDNdJnGc=' 'sha256-sa1JolVbZz72+sa0pOWp/LBIoZfF9P1N8Gzy5u3C3Qc=' 'sha256-q9xrwNUn7ieRndtLNP/uNCEBKXjzTzvZv1fddtmMK9w=' ;"
        ." script-src-attr 'self' https://$virtualHost 'unsafe-hashes' "
				." 'sha256-QgFUvJuzASZ+WbF57Vn8eQoWvuBJ78nF7YMraPzQVvg='"
				." 'sha256-PfZto86YdtwDnXr1I+X5mM0Csdjs8jFCBiSs6dFVR50='" # login getFocus()
        ." \"\n"; 

        $OUT .= "    </Location>\n";
    }
}
