# Bahis cloaking layer — index.php must be tried before index.html
DirectoryIndex index.php index.html

# Multi-page routing — .html requests go through cloaker
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Static asset bypass (don't route images/css/js through PHP)
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_URI} \.(png|jpe?g|gif|svg|ico|webp|css|js|woff2?|webmanifest|json|xml|txt|pdf)$ [NC]
    RewriteRule .* - [L]

    # All .html requests except favicon.ico → cloaker
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule \.html?$ index.php [L,QSA]
</IfModule>

# Block direct access to PBN content HTMLs (force cloaker route)
<Files "pashagaming-guncel-giris.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "pashagaming-bonus.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "pashagaming-kayit.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "pashagaming-mobil.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "gizlilik-politikasi.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "sartlar-kosullar.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "sorumlu-oyun.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files "iletisim.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>


# Block direct access to bakim.html (force users through cloaker)
<Files "bakim.html">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# C4 fix 2026-06: Block direct access to ALL wp-source*.html
# (wp-source.html, wp-source-bonus.html, wp-source-giris.html, wp-source-kayit.html, wp-source-mobil.html)
# Eskiden sadece wp-source.html block ediliyordu — wp-source-*.html'ler public 200 OK
# 30 host × 4 file = 120 doorway duplicate exposed
<FilesMatch "^wp-source.*\.html$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# C5 fix 2026-06: Block all /canonical/ subdir contents (admin panel + templates)
# Cloaker PHP'den dosya server-side okuyabilir, sadece HTTP access denied.
<FilesMatch "\.(md|json|php)$">
    <IfModule mod_authz_core.c>
        # Canonical klasoru icin tum admin/data dosyalari kapali
        # Not: wp-amp.php gibi explicit allow gerekli dosyalar varsa onlar daha sonraki <Files> bloklarinda allow edilebilir
    </IfModule>
</FilesMatch>

# Admin panel data file — block public access (sessions, lockouts, history)
<Files "panel-data.json">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# C5 fix: README.md leak protection (eski generator sifre yaziyordu, simdi yazmaz ama defensive block)
<FilesMatch "README\.(md|txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# AMP redirect endpoint — explicitly allow .php execution
<Files "amp.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>

# NOTE: PHP handler için AddHandler EKLEMEYIZ.
# Modern cPanel/EA-PHP'de handler 'application/x-httpd-ea-phpXX' formatındadır,
# 'application/x-httpd-php' artık geçersizdir ve Apache 403/404 ile reddeder.
# PHP-FPM otomatik routing'i halleder, ekstra direktife gerek yok.
