fix: add ws:// ProxyPass for /claudomator/api/ws; track Apache vhost in repo

Apache's catch-all ProxyPass / uses plain HTTP — mod_proxy_wstunnel
only activates on explicit ws:// rules. Without this, the Upgrade
header was dropped for Claudomator WebSocket connections.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

1 files changed, 46 insertions, 0 deletions

diff --git a/deploy/apache/doot.terst.org-le-ssl.conf b/deploy/apache/doot.terst.org-le-ssl.conf
new file mode 100644
index 0000000..fca14c5
--- /dev/null
+++ b/deploy/apache/doot.terst.org-le-ssl.conf
@@ -0,0 +1,46 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerAdmin webmaster@terst.org
+  ServerName doot.terst.org
+
+  DocumentRoot /site/doot.terst.org/public
+  <Directory />
+    Options FollowSymLinks
+    AllowOverride None
+  </Directory>
+  <Directory /site/doot.terst.org/public/>
+    Options -Indexes +FollowSymLinks
+    AllowOverride None
+    Require all granted
+
+    # Cache static assets
+    <FilesMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$">
+        Header set Cache-Control "max-age=31536000, public"
+    </FilesMatch>
+  </Directory>
+
+  # Static files served by Apache
+  Alias /static /site/doot.terst.org/public
+
+  # WebSocket support (Requires mod_proxy_wstunnel)
+  # Must be placed BEFORE the generic ProxyPass /
+  ProxyPass /ws/ ws://127.0.0.1:38080/ws/
+  ProxyPassReverse /ws/ ws://127.0.0.1:38080/ws/
+  ProxyPass /claudomator/api/ws ws://127.0.0.1:38080/claudomator/api/ws
+  ProxyPassReverse /claudomator/api/ws ws://127.0.0.1:38080/claudomator/api/ws
+
+
+
+  # Proxy all other requests to Go application
+  ProxyPreserveHost On
+  
+
+  ProxyPass /static !
+  ProxyPass / http://127.0.0.1:38080/
+  ProxyPassReverse / http://127.0.0.1:38080/
+
+  Include /etc/letsencrypt/options-ssl-apache.conf
+  SSLCertificateFile /etc/letsencrypt/live/terst.org-0001/fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/terst.org-0001/privkey.pem
+</VirtualHost>
+</IfModule>