docs(proxy): add Apache httpd example (#4657)

* docs(proxy): add httpd reverse proxy example

* add httpd tab

* add httpd tab

* minor production checklist improvements

docs/docs/guides/manage/self-hosted/production.md

@@ -7,11 +7,11 @@ you are ready to configure ZITADEL for production usage.
 
 ## High Availability
 
-We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes).
+We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes). For keeping startup times fast when scaling ZITADEL, you should also consider using separate jobs with `zitadel init` and `zitadel setup`, so your workload containers just have to execute `zitadel start`.
 
 ## Configuration
 
-Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure the ZITADEL.
+Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure ZITADEL.
 
 ## Networking
 
@@ -70,7 +70,7 @@ Projections:
 ## Data Initialization
 
 - You can configure instance defaults in the DefaultInstance section.
-  If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect, too.
+  If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect.
   Also, these configurations apply to the first instance, that ZITADEL automatically creates for you.
   Especially the following properties are of special interest for your production setup.
 
@@ -95,7 +95,7 @@ DefaultInstance:
     FromName:
 ```
 
-- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [startup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument.
+- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [setup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument.
 - Learn how to configure ZITADEL via the [Console user interface](/docs/guides/manage/console/overview).
-- Probably, you also want [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata)
+- Probably, you also want to [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata).
-- If you want to automatically setup ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics)
+- If you want to automatically create ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics).

docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx

@@ -1,6 +1,6 @@
 ## TLS mode external
 
-```bash
+```
 https://localhost {
         reverse_proxy h2c://localhost:8080
         tls internal #only non production
@@ -9,7 +9,7 @@ https://localhost {
 
 ## TLS mode enabled
 
-```bash
+```
 https://localhost {
         reverse_proxy https://localhost:8080
         tls internal #only non production
@@ -18,7 +18,7 @@ https://localhost {
 
 ## TLS mode disabled
 
-```bash
+```
 http://localhost {
         reverse_proxy h2c://localhost:8080
 }

docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx

@@ -0,0 +1,166 @@
+## TLS mode external
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel warn
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+Listen 443
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+<VirtualHost *:80>
+    ServerName my.domain
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName my.domain
+    ProxyPreserveHost On
+    SSLCertificateFile /certs/server.crt
+    SSLCertificateKeyFile /certs/server.key
+    ProxyPass / h2c://localhost:8080/
+    ProxyPassReverse / h2c://localhost:8080/
+</VirtualHost>
+```
+
+## TLS mode enabled
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule http2_module modules/mod_http2.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel debug
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+Listen 443
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+<VirtualHost *:80>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+    ProxyPreserveHost On
+    SSLEngine on
+    SSLProxyEngine on
+    SSLCertificateFile /certs/server.crt
+    SSLCertificateKeyFile /certs/server.key
+    ProxyPass / h2://localhost:8080/
+</VirtualHost>
+```
+
+## TLS mode disabled
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel warn
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+
+<VirtualHost *:80>
+    ServerName my.domain
+    ProxyPreserveHost On
+    ProxyPass / h2c://localhost:8080/
+    ProxyPassReverse / h2c://localhost:8080/
+</VirtualHost>
+```

docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx

@@ -1,6 +1,6 @@
 ## TLS mode external
 
-```bash
+```
 worker_processes  1;
 events {
     worker_connections  1024;
@@ -12,7 +12,7 @@ http {
 
         ssl_certificate     ssl/certificate.pem;
         ssl_certificate_key ssl/key.pem;
- 
+
         location / {
             grpc_pass grpc://localhost:8080;
             grpc_set_header Host $host;
@@ -33,7 +33,7 @@ with
 
 ## TLS mode enabled
 
-```bash
+```
 worker_processes  1;
 events {
     worker_connections  1024;
@@ -45,7 +45,7 @@ http {
 
         ssl_certificate     ssl/certificate.pem;
         ssl_certificate_key ssl/key.pem;
- 
+
         location / {
             grpc_pass grpcs://localhost:8080;
             grpc_set_header Host $host;
@@ -66,7 +66,7 @@ with
 
 ## TLS mode disabled
 
-```bash
+```
 worker_processes  1;
 events {
     worker_connections  1024;
@@ -75,7 +75,7 @@ events {
 http {
     server {
         listen 80;
- 
+
         location / {
             grpc_pass grpc://localhost:8080;
             grpc_set_header Host $host;

docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx

@@ -8,6 +8,7 @@ import Zcloud from "./_zitadel_cloud.mdx";
 import Nginx from "./_nginx.mdx";
 import Traefik from "./_traefik.mdx";
 import Caddy from "./_caddy.mdx";
+import Httpd from "./_httpd.mdx";
 import Cftunnel from "./_cloudflare_tunnel.mdx";
 import Cloudflare from "./_cloudflare.mdx";
 import More from "./_more.mdx";
@@ -22,6 +23,7 @@ import More from "./_more.mdx";
     { label: "NGINX", value: "nginx" },
     { label: "Traefik", value: "traefik" },
     { label: "Caddy", value: "caddy" },
+    { label: "Apache httpd", value: "httpd" },
     { label: "Cloudflare Tunnel", value: "cftunnel" },
     { label: "Cloudflare", value: "cf" },
   ]}
@@ -42,6 +44,10 @@ import More from "./_more.mdx";
     <Caddy />
     <More />
   </TabItem>
+  <TabItem value="httpd">
+    <Httpd />
+    <More />
+  </TabItem>
   <TabItem value="cftunnel">
     <Cftunnel />
     <More />