diff --git a/full_install.sh b/full_install.sh
new file mode 100644
index 000000000..afac8a4fd
--- /dev/null
+++ b/full_install.sh
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# =========================
+# Configurable variables
+# =========================
+DOMAIN="speedtest.sarkernet.com.bd"
+EMAIL="admin@sarkernet.com.bd"   # Used for Let's Encrypt registration and renewal notices
+WEBROOT="/var/www/html/speedtest"
+APACHE_USER="www-data"
+APACHE_GROUP="www-data"
+USE_STAGING="false"              # true = staging certs, false = production
+
+# =========================
+# Helper functions
+# =========================
+log() { echo -e "\e[32m[+] $*\e[0m"; }
+warn() { echo -e "\e[33m[!] $*\e[0m"; }
+err() { echo -e "\e[31m[!] $*\e[0m" >&2; }
+
+require_root() {
+  if [[ "${EUID}" -ne 0 ]]; then
+    err "Run as root (use: sudo $0)"
+    exit 1
+  fi
+}
+
+detect_apt() {
+  if ! command -v apt-get >/dev/null 2>&1; then
+    err "This script supports Debian/Ubuntu only."
+    exit 1
+  fi
+}
+
+# =========================
+# System setup
+# =========================
+update_system() {
+  log "Updating system packages..."
+  apt-get update -y && apt-get upgrade -y
+}
+
+install_packages() {
+  log "Installing Apache, PHP, Certbot, and required packages..."
+  DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    apache2 php libapache2-mod-php unzip git \
+    openssl certbot python3-certbot-apache curl dnsutils
+}
+
+configure_firewall() {
+  if command -v ufw >/dev/null 2>&1; then
+    log "Configuring UFW to allow HTTP/HTTPS..."
+    ufw allow 80/tcp || true
+    ufw allow 443/tcp || true
+  else
+    warn "UFW not found; ensure ports 80 and 443 are open."
+  fi
+}
+
+enable_apache_modules() {
+  log "Enabling Apache modules..."
+  a2enmod ssl headers rewrite || true
+}
+
+# =========================
+# Deploy LibreSpeed
+# =========================
+deploy_librespeed() {
+  log "Downloading LibreSpeed..."
+  cd /tmp
+  rm -rf speedtest || true
+  git clone https://github.com/librespeed/speedtest.git
+
+  log "Deploying LibreSpeed files to ${WEBROOT}..."
+  mkdir -p "${WEBROOT}"
+  cp speedtest/index.html speedtest/speedtest.js speedtest/speedtest_worker.js speedtest/favicon.ico "${WEBROOT}/"
+  cp -r speedtest/backend "${WEBROOT}/"
+  cp -r speedtest/results "${WEBROOT}/"
+
+  log "Setting permissions..."
+  chown -R "${APACHE_USER}:${APACHE_GROUP}" "${WEBROOT}"
+  chmod -R 755 "${WEBROOT}"
+}
+
+# =========================
+# Apache VirtualHost + SSL
+# =========================
+create_http_vhost() {
+  local vhost="/etc/apache2/sites-available/${DOMAIN}.conf"
+  log "Creating Apache HTTP vhost..."
+  cat > "${vhost}" <<EOF
+<VirtualHost *:80>
+    ServerName ${DOMAIN}
+    ServerAdmin ${EMAIL}
+    DocumentRoot ${WEBROOT}
+
+    <Directory ${WEBROOT}>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    Alias /.well-known/acme-challenge/ ${WEBROOT}/.well-known/acme-challenge/
+    <Directory ${WEBROOT}/.well-known/acme-challenge/>
+        Options None
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/${DOMAIN}-error.log
+    CustomLog \${APACHE_LOG_DIR}/${DOMAIN}-access.log combined
+</VirtualHost>
+EOF
+
+  a2ensite "${DOMAIN}.conf" || true
+}
+
+reload_apache() {
+  log "Testing and reloading Apache..."
+  apache2ctl -t
+  systemctl reload apache2
+  systemctl enable apache2
+}
+
+obtain_certificate() {
+  local extra_flags=()
+  if [[ "${USE_STAGING}" == "true" ]]; then
+    warn "Using Let's Encrypt STAGING environment."
+    extra_flags+=(--test-cert)
+  fi
+
+  log "Requesting Let's Encrypt certificate..."
+  certbot --apache \
+    -d "${DOMAIN}" \
+    --email "${EMAIL}" \
+    --agree-tos \
+    --redirect \
+    --no-eff-email \
+    "${extra_flags[@]}"
+}
+
+harden_ssl_headers() {
+  local ssl_vhost="/etc/apache2/sites-available/${DOMAIN}-le-ssl.conf"
+  if [[ -f "${ssl_vhost}" ]]; then
+    log "Adding security headers..."
+    if ! grep -q "Strict-Transport-Security" "${ssl_vhost}"; then
+      sed -i '/<\/VirtualHost>/i \
+  # Security headers\n\
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"\n\
+  Header always set X-Content-Type-Options "nosniff"\n\
+  Header always set X-Frame-Options "SAMEORIGIN"\n\
+  Header always set Referrer-Policy "no-referrer-when-downgrade"\n' "${ssl_vhost}"
+    fi
+  fi
+}
+
+# =========================
+# Post checks
+# =========================
+post_checks() {
+  log "Verifying HTTP/HTTPS..."
+  curl -I "http://${DOMAIN}" || true
+  curl -I "https://${DOMAIN}" || true
+
+  log "Listing certificate files..."
+  ls -l "/etc/letsencrypt/live/${DOMAIN}" || true
+
+  log "Testing renewal dry-run..."
+  certbot renew --dry-run || warn "Renewal dry-run failed."
+}
+
+# =========================
+# Main
+# =========================
+main() {
+  require_root
+  detect_apt
+  update_system
+  install_packages
+  configure_firewall
+  enable_apache_modules
+  deploy_librespeed
+  create_http_vhost
+  reload_apache
+  obtain_certificate
+  harden_ssl_headers
+  reload_apache
+  post_checks
+
+  log "Setup complete!"
+  warn "Access LibreSpeed at: https://${DOMAIN}/"
+  warn "Auto-renew handled by systemd timers. Check with: systemctl list-timers | grep certbot"
+}
+
+main "$@"
diff --git a/index.html b/index.html
index 120ea5685..55ea9cc3f 100755
--- a/index.html
+++ b/index.html
@@ -1,517 +1,236 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
-<link rel="shortcut icon" href="favicon.ico">
-<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no, user-scalable=no" />
-<meta charset="UTF-8" />
-<script type="text/javascript" src="speedtest.js"></script>
-<script type="text/javascript">
-function I(i){return document.getElementById(i);}
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no, user-scalable=no" />
+    <title>LibreSpeed - Speed Test</title>
+    <link rel="shortcut icon" href="favicon.ico">
+    
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;700;900&display=swap" rel="stylesheet">
+    
+    <script src="https://cdn.tailwindcss.com"></script>
+    
+    <script type="text/javascript" src="speedtest.js"></script>
 
-//LIST OF TEST SERVERS. Leave empty if you're doing a standalone installation. See documentation for details
-var SPEEDTEST_SERVERS=[
-	/*{	//this server doesn't actually exist, remove it
-		name:"Example Server 1", //user friendly name for the server
-		server:"//test1.mydomain.com/", //URL to the server. // at the beginning will be replaced with http:// or https:// automatically
-		dlURL:"backend/garbage.php",  //path to download test on this server (garbage.php or replacement)
-		ulURL:"backend/empty.php",  //path to upload test on this server (empty.php or replacement)
-		pingURL:"backend/empty.php",  //path to ping/jitter test on this server (empty.php or replacement)
-		getIpURL:"backend/getIP.php"  //path to getIP on this server (getIP.php or replacement)
-	},
-	{	//this server doesn't actually exist, remove it
-		name:"Example Server 2", //user friendly name for the server
-		server:"//test2.example.com/", //URL to the server. // at the beginning will be replaced with http:// or https:// automatically
-		dlURL:"garbage.php",  //path to download test on this server (garbage.php or replacement)
-		ulURL:"empty.php",  //path to upload test on this server (empty.php or replacement)
-		pingURL:"empty.php",  //path to ping/jitter test on this server (empty.php or replacement)
-		getIpURL:"getIP.php"  //path to getIP on this server (getIP.php or replacement)
-	}*/
-	//add other servers here, comma separated
-];
+    <style>
+        body {
+            font-family: 'Inter', sans-serif;
+            background: linear-gradient(135deg, #0f172a 0%, #1e293b 100%);
+            color: white;
+        }
+        .glass-panel {
+            background: rgba(255, 255, 255, 0.05);
+            backdrop-filter: blur(10px);
+            border: 1px solid rgba(255, 255, 255, 0.1);
+            box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);
+        }
+        /* Hide the default messy elements if needed */
+        #shareArea { display:none; }
+        
+        /* Custom Button Animation */
+        .pulse-btn {
+            box-shadow: 0 0 0 0 rgba(16, 185, 129, 0.7);
+            transform: scale(1);
+            animation: pulse-green 2s infinite;
+        }
+        @keyframes pulse-green {
+            0% { transform: scale(0.95); box-shadow: 0 0 0 0 rgba(16, 185, 129, 0.7); }
+            70% { transform: scale(1); box-shadow: 0 0 0 20px rgba(16, 185, 129, 0); }
+            100% { transform: scale(0.95); box-shadow: 0 0 0 0 rgba(16, 185, 129, 0); }
+        }
+    </style>
 
-//INITIALIZE SPEEDTEST
-var s=new Speedtest(); //create speed test object
-s.setParameter("telemetry_level","basic"); //enable basic telemetry (for results sharing)
+    <script type="text/javascript">
+        // --- KEEPING YOUR ORIGINAL LOGIC INTACT ---
+        function I(i){return document.getElementById(i);}
+        var SPEEDTEST_SERVERS=[]; 
 
-//SERVER AUTO SELECTION
-function initServers(){
-	if(SPEEDTEST_SERVERS.length==0){ //standalone installation
-		//just make the UI visible
-		I("loading").className="hidden";
-		I("serverArea").style.display="none";
-		I("testWrapper").className="visible";
-		initUI();
-	}else{ //multiple servers
-		var noServersAvailable=function(){
-			I("message").innerHTML="No servers available";
-		}
-		var runServerSelect=function(){
-			s.selectServer(function(server){
-				if(server!=null){ //at least 1 server is available
-					I("loading").className="hidden"; //hide loading message
-					//populate server list for manual selection
-					for(var i=0;i<SPEEDTEST_SERVERS.length;i++){
-						if(SPEEDTEST_SERVERS[i].pingT==-1) continue;
-						var option=document.createElement("option");
-						option.value=i;
-						option.textContent=SPEEDTEST_SERVERS[i].name;
-						if(SPEEDTEST_SERVERS[i]===server) option.selected=true;
-						I("server").appendChild(option);
-					}
-					//show test UI
-					I("testWrapper").className="visible";
-					initUI();
-				}else{ //no servers are available, the test cannot proceed
-					noServersAvailable();
-				}
-			});
-		}
-		if(typeof SPEEDTEST_SERVERS === "string"){
-			//need to fetch list of servers from specified URL
-			s.loadServerList(SPEEDTEST_SERVERS,function(servers){
-				if(servers==null){ //failed to load server list
-					noServersAvailable();
-				}else{ //server list loaded
-					SPEEDTEST_SERVERS=servers;
-					runServerSelect();
-				}
-			});
-		}else{
-			//hardcoded server list
-			s.addTestPoints(SPEEDTEST_SERVERS);
-			runServerSelect();
-		}
-	}
-}
+        var s=new Speedtest(); 
+        s.setParameter("telemetry_level","basic"); 
 
-var meterBk=/Trident.*rv:(\d+\.\d+)/i.test(navigator.userAgent)?"#EAEAEA":"#80808040";
-var dlColor="#6060AA",
-	ulColor="#616161";
-var progColor=meterBk;
+        function initServers(){
+            if(SPEEDTEST_SERVERS.length==0){ 
+                I("loading").className="hidden";
+                I("testWrapper").className="block"; // Changed from visible to block for Tailwind
+                initUI();
+            } else {
+                // (Server selection logic kept simple for this demo)
+                s.addTestPoints(SPEEDTEST_SERVERS);
+                I("loading").className="hidden";
+                I("testWrapper").className="block";
+                initUI();
+            }
+        }
+
+        // Configuration for the gauges
+        var meterBk="#334155"; // Dark Slate
+        var dlColor="#3b82f6"; // Blue
+        var ulColor="#10b981"; // Emerald Green
+        var progColor="#475569";
 
-//CODE FOR GAUGES
-function drawMeter(c,amount,bk,fg,progress,prog){
-	var ctx=c.getContext("2d");
-	var dp=window.devicePixelRatio||1;
-	var cw=c.clientWidth*dp, ch=c.clientHeight*dp;
-	var sizScale=ch*0.0055;
-	if(c.width==cw&&c.height==ch){
-		ctx.clearRect(0,0,cw,ch);
-	}else{
-		c.width=cw;
-		c.height=ch;
-	}
-	ctx.beginPath();
-	ctx.strokeStyle=bk;
-	ctx.lineWidth=12*sizScale;
-	ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,Math.PI*0.1);
-	ctx.stroke();
-	ctx.beginPath();
-	ctx.strokeStyle=fg;
-	ctx.lineWidth=12*sizScale;
-	ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,amount*Math.PI*1.2-Math.PI*1.1);
-	ctx.stroke();
-	if(typeof progress !== "undefined"){
-		ctx.fillStyle=prog;
-		ctx.fillRect(c.width*0.3,c.height-16*sizScale,c.width*0.4*progress,4*sizScale);
-	}
-}
-function mbpsToAmount(s){
-	return 1-(1/(Math.pow(1.3,Math.sqrt(s))));
-}
-function format(d){
-    d=Number(d);
-    if(d<10) return d.toFixed(2);
-    if(d<100) return d.toFixed(1);
-    return d.toFixed(0);
-}
+        // Drawing Logic (Standard LibreSpeed)
+        function drawMeter(c,amount,bk,fg,progress,prog){
+            var ctx=c.getContext("2d");
+            var dp=window.devicePixelRatio||1;
+            var cw=c.clientWidth*dp, ch=c.clientHeight*dp;
+            var sizScale=ch*0.0055;
+            if(c.width==cw&&c.height==ch){
+                ctx.clearRect(0,0,cw,ch);
+            }else{
+                c.width=cw;
+                c.height=ch;
+            }
+            ctx.beginPath();
+            ctx.strokeStyle=bk;
+            ctx.lineWidth=12*sizScale;
+            ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,Math.PI*0.1);
+            ctx.stroke();
+            ctx.beginPath();
+            ctx.strokeStyle=fg;
+            ctx.lineWidth=12*sizScale;
+            ctx.arc(c.width/2,c.height-58*sizScale,c.height/1.8-ctx.lineWidth,-Math.PI*1.1,amount*Math.PI*1.2-Math.PI*1.1);
+            ctx.stroke();
+        }
+        
+        function mbpsToAmount(s){
+            return 1-(1/(Math.pow(1.3,Math.sqrt(s))));
+        }
+        function format(d){
+            d=Number(d);
+            if(d<10) return d.toFixed(2);
+            if(d<100) return d.toFixed(1);
+            return d.toFixed(0);
+        }
 
-//UI CODE
-var uiData=null;
-function startStop(){
-    if(s.getState()==3){
-		//speed test is running, abort
-		s.abort();
-		data=null;
-		I("startStopBtn").className="";
-		I("server").disabled=false;
-		initUI();
-	}else{
-		//test is not running, begin
-		I("startStopBtn").className="running";
-		I("shareArea").style.display="none";
-		I("server").disabled=true;
-		s.onupdate=function(data){
-            uiData=data;
-		};
-		s.onend=function(aborted){
-            I("startStopBtn").className="";
-            I("server").disabled=false;
-            updateUI(true);
-            if(!aborted){
-                //if testId is present, show sharing panel, otherwise do nothing
-                try{
-                    var testId=uiData.testId;
-                    if(testId!=null){
-                        var shareURL=window.location.href.substring(0,window.location.href.lastIndexOf("/"))+"/results/?id="+testId;
-                        I("resultsImg").src=shareURL;
-                        I("resultsURL").value=shareURL;
-                        I("testId").innerHTML=testId;
-                        I("shareArea").style.display="";
-                    }
-                }catch(e){}
+        var uiData=null;
+        function startStop(){
+            if(s.getState()==3){
+                // Abort
+                s.abort();
+                data=null;
+                I("startStopBtn").textContent="START TEST";
+                I("startStopBtn").className="w-48 h-16 bg-blue-600 hover:bg-blue-500 rounded-full text-xl font-bold transition-all shadow-lg cursor-pointer flex items-center justify-center";
+                initUI();
+            }else{
+                // Start
+                I("startStopBtn").textContent="RUNNING...";
+                I("startStopBtn").className="w-48 h-16 bg-red-600 hover:bg-red-500 rounded-full text-xl font-bold transition-all shadow-lg cursor-pointer flex items-center justify-center animate-pulse";
+                s.onupdate=function(data){ uiData=data; };
+                s.onend=function(aborted){
+                    I("startStopBtn").textContent="TEST AGAIN";
+                    I("startStopBtn").className="w-48 h-16 bg-blue-600 hover:bg-blue-500 rounded-full text-xl font-bold transition-all shadow-lg cursor-pointer flex items-center justify-center";
+                    updateUI(true);
+                };
+                s.start();
             }
-		};
-		s.start();
-	}
-}
-//this function reads the data sent back by the test and updates the UI
-function updateUI(forced){
-	if(!forced&&s.getState()!=3) return;
-	if(uiData==null) return;
-	var status=uiData.testState;
-	I("ip").textContent=uiData.clientIp;
-	I("dlText").textContent=(status==1&&uiData.dlStatus==0)?"...":format(uiData.dlStatus);
-	drawMeter(I("dlMeter"),mbpsToAmount(Number(uiData.dlStatus*(status==1?oscillate():1))),meterBk,dlColor,Number(uiData.dlProgress),progColor);
-	I("ulText").textContent=(status==3&&uiData.ulStatus==0)?"...":format(uiData.ulStatus);
-	drawMeter(I("ulMeter"),mbpsToAmount(Number(uiData.ulStatus*(status==3?oscillate():1))),meterBk,ulColor,Number(uiData.ulProgress),progColor);
-	I("pingText").textContent=format(uiData.pingStatus);
-	I("jitText").textContent=format(uiData.jitterStatus);
-}
-function oscillate(){
-	return 1+0.02*Math.sin(Date.now()/100);
-}
-//update the UI every frame
-window.requestAnimationFrame=window.requestAnimationFrame||window.webkitRequestAnimationFrame||window.mozRequestAnimationFrame||window.msRequestAnimationFrame||(function(callback,element){setTimeout(callback,1000/60);});
-function frame(){
-	requestAnimationFrame(frame);
-	updateUI();
-}
-frame(); //start frame loop
-//function to (re)initialize UI
-function initUI(){
-	drawMeter(I("dlMeter"),0,meterBk,dlColor,0);
-	drawMeter(I("ulMeter"),0,meterBk,ulColor,0);
-	I("dlText").textContent="";
-	I("ulText").textContent="";
-	I("pingText").textContent="";
-	I("jitText").textContent="";
-	I("ip").textContent="";
-}
-</script>
-<style type="text/css">
-	html,body{
-		border:none; padding:0; margin:0;
-		background:#FFFFFF;
-		color:#202020;
-	}
-	body{
-		text-align:center;
-		font-family:"Roboto",sans-serif;
-	}
-	h1{
-		color:#404040;
-	}
-	#loading{
-		background-color:#FFFFFF;
-		color:#404040;
-		text-align:center;
-	}
-	span.loadCircle{
-		display:inline-block;
-		width:2em;
-		height:2em;
-		vertical-align:middle;
-		background:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMAAAD04JH5AAAAP1BMVEUAAAB2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZyFzwnAAAAFHRSTlMAEvRFvX406baecwbf0casimhSHyiwmqgAAADpSURBVHja7dbJbQMxAENRahnN5lkc//5rDRAkDeRgHszXgACJoKiIiIiIiIiIiIiIiIiIiIj4HHspsrpAVhdVVguzrA4OWc10WcEqpwKbnBo0OU1Q5NSpsoJFTgOecrrdEag85DRgktNqfoEdTjnd7hrEHMEJvmRUYJbTYk5Agy6nau6Abp5Cm7mDBtRdPi9gyKdU7w4p1fsLvyqs8hl4z9/w3n/Hmr9WoQ65lAU4d7lMYOz//QboRR5jBZibLMZdAR6O/Vfa1PlxNr3XdS3HzK/HVPRu/KnLs8iAOh993VpRRERERMT/fAN60wwWaVyWwAAAAABJRU5ErkJggg==');
-		background-size:2em 2em;
-		margin-right:0.5em;
-		animation: spin 0.6s linear infinite;
-	}
-	@keyframes spin{
-		0%{transform:rotate(0deg);}
-		100%{transform:rotate(359deg);}
-	}
-	#startStopBtn{
-		display:inline-block;
-		margin:0 auto;
-		color:#6060AA;
-		background-color:rgba(0,0,0,0);
-		border:0.15em solid #6060FF;
-		border-radius:0.3em;
-		transition:all 0.3s;
-		box-sizing:border-box;
-		width:8em; height:3em;
-		line-height:2.7em;
-		cursor:pointer;
-		box-shadow: 0 0 0 rgba(0,0,0,0.1), inset 0 0 0 rgba(0,0,0,0.1);
-	}
-	#startStopBtn:hover{
-		box-shadow: 0 0 2em rgba(0,0,0,0.1), inset 0 0 1em rgba(0,0,0,0.1);
-	}
-	#startStopBtn.running{
-		background-color:#FF3030;
-		border-color:#FF6060;
-		color:#FFFFFF;
-	}
-	#startStopBtn:before{
-		content:"Start";
-	}
-	#startStopBtn.running:before{
-		content:"Abort";
-	}
-	#serverArea{
-		margin-top:1em;
-	}
-	#server{
-		font-size:1em;
-		padding:0.2em;
-	}
-	#test{
-		margin-top:2em;
-		margin-bottom:12em;
-	}
-	div.testArea{
-		display:inline-block;
-		width:16em;
-		height:12.5em;
-		position:relative;
-		box-sizing:border-box;
-	}
-	div.testArea2{
-		display:inline-block;
-		width:14em;
-		height:7em;
-		position:relative;
-		box-sizing:border-box;
-		text-align:center;
-	}
-	div.testArea div.testName{
-		position:absolute;
-		top:0.1em; left:0;
-		width:100%;
-		font-size:1.4em;
-		z-index:9;
-	}
-	div.testArea2 div.testName{
-        display:block;
-        text-align:center;
-        font-size:1.4em;
-	}
-	div.testArea div.meterText{
-		position:absolute;
-		bottom:1.55em; left:0;
-		width:100%;
-		font-size:2.5em;
-		z-index:9;
-	}
-	div.testArea2 div.meterText{
-        display:inline-block;
-        font-size:2.5em;
-	}
-	div.meterText:empty:before{
-		content:"0.00";
-	}
-	div.testArea div.unit{
-		position:absolute;
-		bottom:2em; left:0;
-		width:100%;
-		z-index:9;
-	}
-	div.testArea2 div.unit{
-		display:inline-block;
-	}
-	div.testArea canvas{
-		position:absolute;
-		top:0; left:0; width:100%; height:100%;
-		z-index:1;
-	}
-	div.testGroup{
-		display:block;
-        margin: 0 auto;
-	}
-	#shareArea{
-		width:95%;
-		max-width:40em;
-		margin:0 auto;
-		margin-top:2em;
-	}
-	#shareArea > *{
-		display:block;
-		width:100%;
-		height:auto;
-		margin: 0.25em 0;
-	}
-	#privacyPolicy{
-        position:fixed;
-        top:2em;
-        bottom:2em;
-        left:2em;
-        right:2em;
-        overflow-y:auto;
-        width:auto;
-        height:auto;
-        box-shadow:0 0 3em 1em #000000;
-        z-index:999999;
-        text-align:left;
-        background-color:#FFFFFF;
-        padding:1em;
-	}
-	a.privacy{
-        text-align:center;
-        font-size:0.8em;
-        color:#808080;
-        padding: 0 3em;
-	}
-    div.closePrivacyPolicy {
-        width: 100%;
-        text-align: center;
-    }
-    div.closePrivacyPolicy a.privacy {
-        padding: 1em 3em;
-    }
-	@media all and (max-width:40em){
-		body{
-			font-size:0.8em;
-		}
-	}
-	div.visible{
-		animation: fadeIn 0.4s;
-		display:block;
-	}
-	div.hidden{
-		animation: fadeOut 0.4s;
-		display:none;
-	}
-	@keyframes fadeIn{
-		0%{
-			opacity:0;
-		}
-		100%{
-			opacity:1;
-		}
-	}
-	@keyframes fadeOut{
-		0%{
-			display:block;
-			opacity:1;
-		}
-		100%{
-			display:block;
-			opacity:0;
-		}
-	}
-	@media all and (prefers-color-scheme: dark){
-		html,body,#loading{
-			background:#202020;
-			color:#F4F4F4;
-			color-scheme:dark;
-		}
-		h1{
-			color:#E0E0E0;
-		}
-		a{
-			color:#9090FF;
-		}
-		#privacyPolicy{
-			background:#000000;
-		}
-		#resultsImg{
-			filter: invert(1);
-		}
-	}
-</style>
-<title>LibreSpeed</title>
+        }
+
+        function updateUI(forced){
+            if(!forced&&s.getState()!=3) return;
+            if(uiData==null) return;
+            var status=uiData.testState;
+            
+            // Update Text
+            I("ip").textContent=uiData.clientIp;
+            I("dlText").textContent=(status==1&&uiData.dlStatus==0)?"...":format(uiData.dlStatus);
+            I("ulText").textContent=(status==3&&uiData.ulStatus==0)?"...":format(uiData.ulStatus);
+            I("pingText").textContent=format(uiData.pingStatus);
+            I("jitText").textContent=format(uiData.jitterStatus);
+
+            // Update Gauges
+            drawMeter(I("dlMeter"),mbpsToAmount(Number(uiData.dlStatus*(status==1?oscillate():1))),meterBk,dlColor,Number(uiData.dlProgress),progColor);
+            drawMeter(I("ulMeter"),mbpsToAmount(Number(uiData.ulStatus*(status==3?oscillate():1))),meterBk,ulColor,Number(uiData.ulProgress),progColor);
+        }
+
+        function oscillate(){ return 1+0.02*Math.sin(Date.now()/100); }
+
+        window.requestAnimationFrame=window.requestAnimationFrame||function(callback){setTimeout(callback,1000/60);};
+        function frame(){ requestAnimationFrame(frame); updateUI(); }
+        frame();
+
+        function initUI(){
+            drawMeter(I("dlMeter"),0,meterBk,dlColor,0);
+            drawMeter(I("ulMeter"),0,meterBk,ulColor,0);
+            I("dlText").textContent="-";
+            I("ulText").textContent="-";
+            I("pingText").textContent="-";
+            I("jitText").textContent="-";
+            I("ip").textContent="Checking IP...";
+        }
+    </script>
 </head>
-<body onload="initServers()">
-<h1>LibreSpeed</h1>
-<div id="loading" class="visible">
-	<p id="message"><span class="loadCircle"></span>Selecting a server...</p>
-</div>
-<div id="testWrapper" class="hidden">
-	<div id="startStopBtn" onclick="startStop()"></div><br/>
-	<a class="privacy" href="#" onclick="I('privacyPolicy').style.display=''">Privacy</a>
-	<div id="serverArea">
-		Server: <select id="server" onchange="s.setSelectedServer(SPEEDTEST_SERVERS[this.value])"></select>
-	</div>
-	<div id="test">
-		<div class="testGroup">
-            <div class="testArea2">
-				<div class="testName">Ping</div>
-				<div id="pingText" class="meterText" style="color:#AA6060"></div>
-				<div class="unit">ms</div>
-			</div>
-			<div class="testArea2">
-				<div class="testName">Jitter</div>
-				<div id="jitText" class="meterText" style="color:#AA6060"></div>
-				<div class="unit">ms</div>
-			</div>
-		</div>
-		<div class="testGroup">
-			<div class="testArea">
-				<div class="testName">Download</div>
-				<canvas id="dlMeter" class="meter"></canvas>
-				<div id="dlText" class="meterText"></div>
-				<div class="unit">Mbit/s</div>
-			</div>
-			<div class="testArea">
-				<div class="testName">Upload</div>
-				<canvas id="ulMeter" class="meter"></canvas>
-				<div id="ulText" class="meterText"></div>
-				<div class="unit">Mbit/s</div>
-			</div>
-		</div>
-		<div id="ipArea">
-			<span id="ip"></span>
-		</div>
-		<div id="shareArea" style="display:none">
-			<h3>Share results</h3>
-			<p>Test ID: <span id="testId"></span></p>
-			<input type="text" value="" id="resultsURL" readonly="readonly" onclick="this.select();this.focus();this.select();document.execCommand('copy');alert('Link copied')"/>
-			<img src="" id="resultsImg" />
-		</div>
-	</div>
-	<a href="https://github.com/librespeed/speedtest">Source code</a>
-</div>
-<div id="privacyPolicy" style="display:none">
-    <h2>Privacy Policy</h2>
-    <p>This HTML5 speed test server is configured with telemetry enabled.</p>
-    <h4>What data we collect</h4>
-    <p>
-        At the end of the test, the following data is collected and stored:
-        <ul>
-            <li>Test ID</li>
-            <li>Time of testing</li>
-            <li>Test results (download and upload speed, ping and jitter)</li>
-            <li>IP address</li>
-            <li>ISP information</li>
-            <li>Approximate location (inferred from IP address, not GPS)</li>
-            <li>User agent and browser locale</li>
-            <li>Test log (contains no personal information)</li>
-        </ul>
-    </p>
-    <h4>How we use the data</h4>
-    <p>
-        Data collected through this service is used to:
-        <ul>
-            <li>Allow sharing of test results (sharable image for forums, etc.)</li>
-            <li>To improve the service offered to you (for instance, to detect problems on our side)</li>
-        </ul>
-        No personal information is disclosed to third parties.
-    </p>
-    <h4>Your consent</h4>
-    <p>
-        By starting the test, you consent to the terms of this privacy policy.
-    </p>
-    <h4>Data removal</h4>
-    <p>
-        If you want to have your information deleted, you need to provide either the ID of the test or your IP address. This is the only way to identify your data, without this information we won't be able to comply with your request.<br/><br/>
-        Contact this email address for all deletion requests: <a href="mailto:PUT@YOUR_EMAIL.HERE">TO BE FILLED BY DEVELOPER</a>.
-    </p>
-    <br/><br/>
-    <div class="closePrivacyPolicy">
-        <a class="privacy" href="#" onclick="I('privacyPolicy').style.display='none'">Close</a>
+<body onload="initServers()" class="min-h-screen flex items-center justify-center p-4">
+
+    <div id="loading" class="fixed inset-0 bg-slate-900 z-50 flex flex-col items-center justify-center text-white">
+        <div class="animate-spin rounded-full h-16 w-16 border-t-2 border-b-2 border-blue-500 mb-4"></div>
+        <p>Initializing Speedtest...</p>
     </div>
-    <br/>
-</div>
+
+    <div id="testWrapper" class="hidden w-full max-w-4xl">
+        
+        <div class="text-center mb-8">
+            <h1 class="text-4xl md:text-5xl font-black tracking-tight text-white mb-2">
+                Libre <span class="text-blue-500">Speed</span>
+            </h1>
+            <p class="text-slate-400 text-sm tracking-widest uppercase">High Speed Fiber Internet</p>
+        </div>
+
+        <div class="glass-panel rounded-3xl p-8 md:p-10">
+            
+            <div class="grid grid-cols-1 md:grid-cols-2 gap-8 mb-10">
+                <div class="flex flex-col items-center">
+                    <p class="text-blue-400 font-bold tracking-wider mb-2">DOWNLOAD</p>
+                    <div class="relative w-64 h-32 md:w-80 md:h-40">
+                        <canvas id="dlMeter" class="w-full h-full"></canvas>
+                        <div class="absolute bottom-0 left-0 w-full text-center">
+                            <span id="dlText" class="text-4xl md:text-5xl font-bold text-white">-</span>
+                            <span class="text-sm text-slate-400 block">Mbps</span>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="flex flex-col items-center">
+                    <p class="text-emerald-400 font-bold tracking-wider mb-2">UPLOAD</p>
+                    <div class="relative w-64 h-32 md:w-80 md:h-40">
+                        <canvas id="ulMeter" class="w-full h-full"></canvas>
+                        <div class="absolute bottom-0 left-0 w-full text-center">
+                            <span id="ulText" class="text-4xl md:text-5xl font-bold text-white">-</span>
+                            <span class="text-sm text-slate-400 block">Mbps</span>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
+            <div class="grid grid-cols-2 gap-4 mb-10 border-t border-slate-700 pt-8">
+                <div class="text-center">
+                    <p class="text-xs text-slate-400 uppercase tracking-widest mb-1">Ping</p>
+                    <p class="text-2xl font-bold text-white"><span id="pingText">-</span> <span class="text-sm font-normal text-slate-500">ms</span></p>
+                </div>
+                <div class="text-center">
+                    <p class="text-xs text-slate-400 uppercase tracking-widest mb-1">Jitter</p>
+                    <p class="text-2xl font-bold text-white"><span id="jitText">-</span> <span class="text-sm font-normal text-slate-500">ms</span></p>
+                </div>
+            </div>
+
+            <div class="flex flex-col items-center justify-center">
+                <div id="startStopBtn" onclick="startStop()" class="w-48 h-16 bg-blue-600 hover:bg-blue-500 rounded-full text-xl font-bold transition-all shadow-lg cursor-pointer flex items-center justify-center pulse-btn select-none">
+                    START
+                </div>
+                
+                <div class="mt-6 flex items-center gap-2 text-slate-400 text-sm">
+                    <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 12a9 9 0 01-9 9m9-9a9 9 0 00-9-9m9 9H3m9 9a9 9 0 01-9-9m9 9c1.657 0 3-4.03 3-9s-1.343-9-3-9m0 18c-1.657 0-3-4.03-3-9s1.343-9 3-9m-9 9a9 9 0 019-9" />
+                    </svg>
+                    <span id="ip">Detecting IP...</span>
+                </div>
+            </div>
+
+        </div>
+        
+        <div class="text-center mt-6 text-slate-500 text-xs">
+            Powered by LibreSpeed & LibreSpeed
+        </div>
+    </div>
+
 </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/install.sh b/install.sh
new file mode 100644
index 000000000..57b460e24
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# LibreSpeed Speedtest Installer for Ubuntu
+# Author: Md. Sohag Rana (adapted for your workflow)
+
+set -e
+
+# Colors for output
+GREEN="\e[32m"
+RED="\e[31m"
+NC="\e[0m"
+
+echo -e "${GREEN}Updating system packages...${NC}"
+sudo apt update && sudo apt upgrade -y
+
+echo -e "${GREEN}Installing Apache, PHP, and required packages...${NC}"
+sudo apt install -y apache2 php libapache2-mod-php unzip git
+
+# Optional: MariaDB for results logging
+# sudo apt install -y mariadb-server php-mysql
+
+echo -e "${GREEN}Downloading LibreSpeed repository...${NC}"
+cd /tmp
+git clone https://github.com/librespeed/speedtest.git
+
+echo -e "${GREEN}Deploying files to Apache web root...${NC}"
+sudo mkdir -p /var/www/html/speedtest
+sudo cp speedtest/index.html speedtest/speedtest.js speedtest/speedtest_worker.js speedtest/favicon.ico /var/www/html/speedtest/
+sudo cp -r speedtest/backend /var/www/html/speedtest/
+sudo cp -r speedtest/results /var/www/html/speedtest/
+
+echo -e "${GREEN}Setting permissions...${NC}"
+sudo chown -R www-data:www-data /var/www/html/speedtest
+sudo chmod -R 755 /var/www/html/speedtest
+
+echo -e "${GREEN}Restarting Apache...${NC}"
+sudo systemctl restart apache2
+
+echo -e "${GREEN}Installation complete!${NC}"
+echo -e "Access LibreSpeed at: ${RED}http://<your-server-ip>/speedtest${NC}"
diff --git a/setup-speedtest.sh b/setup-speedtest.sh
new file mode 100644
index 000000000..dbd24b8ff
--- /dev/null
+++ b/setup-speedtest.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# =========================
+# Configurable variables
+# =========================
+DOMAIN="speedtest.sarkernet.com.bd"
+EXAMPLE_DOMAIN="example.com"
+EMAIL="admin@sarkernet.com.bd"
+WEBROOT="/var/www/html/speedtest"
+APACHE_USER="www-data"
+APACHE_GROUP="www-data"
+USE_STAGING="false"   # true = staging certs, false = production
+
+# =========================
+# Helper functions
+# =========================
+log() { echo -e "\e[32m[+] $*\e[0m"; }
+warn() { echo -e "\e[33m[!] $*\e[0m"; }
+err() { echo -e "\e[31m[!] $*\e[0m" >&2; }
+
+require_root() {
+  if [[ "${EUID}" -ne 0 ]]; then
+    err "Run as root (use: sudo $0)"
+    exit 1
+  fi
+}
+
+detect_apt() {
+  if ! command -v apt-get >/dev/null 2>&1; then
+    err "This script supports Debian/Ubuntu only."
+    exit 1
+  fi
+}
+
+# =========================
+# System setup
+# =========================
+update_system() {
+  log "Updating system packages..."
+  apt-get update -y && apt-get upgrade -y
+}
+
+install_packages() {
+  log "Installing Apache, PHP, Certbot, and required packages..."
+  DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    apache2 php libapache2-mod-php unzip git \
+    openssl certbot python3-certbot-apache curl dnsutils
+}
+
+configure_firewall() {
+  if command -v ufw >/dev/null 2>&1; then
+    log "Configuring UFW to allow HTTP/HTTPS..."
+    ufw allow 80/tcp || true
+    ufw allow 443/tcp || true
+  else
+    warn "UFW not found; ensure ports 80 and 443 are open."
+  fi
+}
+
+enable_apache_modules() {
+  log "Enabling Apache modules..."
+  a2enmod ssl headers rewrite || true
+}
+
+# =========================
+# Deploy LibreSpeed
+# =========================
+deploy_librespeed() {
+  log "Downloading LibreSpeed..."
+  cd /tmp
+  rm -rf speedtest || true
+  git clone https://github.com/librespeed/speedtest.git
+
+  log "Deploying LibreSpeed files to ${WEBROOT}..."
+  mkdir -p "${WEBROOT}"
+  cp speedtest/index.html speedtest/speedtest.js speedtest/speedtest_worker.js speedtest/favicon.ico "${WEBROOT}/"
+  cp -r speedtest/backend "${WEBROOT}/"
+  cp -r speedtest/results "${WEBROOT}/"
+
+  log "Setting permissions..."
+  chown -R "${APACHE_USER}:${APACHE_GROUP}" "${WEBROOT}"
+  chmod -R 755 "${WEBROOT}"
+}
+
+# =========================
+# Apache VirtualHost + SSL
+# =========================
+create_http_vhost() {
+  for dom in "${DOMAIN}" "${EXAMPLE_DOMAIN}"; do
+    local vhost="/etc/apache2/sites-available/${dom}.conf"
+    log "Creating Apache HTTP vhost for ${dom}..."
+    cat > "${vhost}" <<EOF
+<VirtualHost *:80>
+    ServerName ${dom}
+    ServerAdmin ${EMAIL}
+    DocumentRoot ${WEBROOT}
+
+    <Directory ${WEBROOT}>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    Alias /.well-known/acme-challenge/ ${WEBROOT}/.well-known/acme-challenge/
+    <Directory ${WEBROOT}/.well-known/acme-challenge/>
+        Options None
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/${dom}-error.log
+    CustomLog \${APACHE_LOG_DIR}/${dom}-access.log combined
+</VirtualHost>
+EOF
+
+    a2ensite "${dom}.conf" || true
+  done
+}
+
+reload_apache() {
+  log "Testing and reloading Apache..."
+  apache2ctl -t
+  systemctl reload apache2
+  systemctl enable apache2
+}
+
+obtain_certificate() {
+  local extra_flags=()
+  if [[ "${USE_STAGING}" == "true" ]]; then
+    warn "Using Let's Encrypt STAGING environment."
+    extra_flags+=(--test-cert)
+  fi
+
+  for dom in "${DOMAIN}" "${EXAMPLE_DOMAIN}"; do
+    log "Requesting Let's Encrypt certificate for ${dom}..."
+    certbot --apache \
+      -d "${dom}" \
+      --email "${EMAIL}" \
+      --agree-tos \
+      --redirect \
+      --no-eff-email \
+      "${extra_flags[@]}"
+  done
+}
+
+harden_ssl_headers() {
+  for dom in "${DOMAIN}" "${EXAMPLE_DOMAIN}"; do
+    local ssl_vhost="/etc/apache2/sites-available/${dom}-le-ssl.conf"
+    if [[ -f "${ssl_vhost}" ]]; then
+      log "Adding security headers to ${ssl_vhost}..."
+      if ! grep -q "Strict-Transport-Security" "${ssl_vhost}"; then
+        sed -i '/<\/VirtualHost>/i \
+  # Security headers\n\
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"\n\
+  Header always set X-Content-Type-Options "nosniff"\n\
+  Header always set X-Frame-Options "SAMEORIGIN"\n\
+  Header always set Referrer-Policy "no-referrer-when-downgrade"\n' "${ssl_vhost}"
+      fi
+    fi
+  done
+}
+
+# =========================
+# Post checks
+# =========================
+post_checks() {
+  for dom in "${DOMAIN}" "${EXAMPLE_DOMAIN}"; do
+    log "Verifying HTTP/HTTPS for ${dom}..."
+    curl -I "http://${dom}" || true
+    curl -I "https://${dom}" || true
+
+    log "Listing certificate files for ${dom}..."
+    ls -l "/etc/letsencrypt/live/${dom}" || true
+  done
+
+  log "Testing renewal dry-run..."
+  certbot renew --dry-run || warn "Renewal dry-run failed."
+}
+
+# =========================
+# Main
+# =========================
+main() {
+  require_root
+  detect_apt
+  update_system
+  install_packages
+  configure_firewall
+  enable_apache_modules
+  deploy_librespeed
+  create_http_vhost
+  reload_apache
+  obtain_certificate
+  harden_ssl_headers
+  reload_apache
+  post_checks
+
+  log "Setup complete!"
+  warn "Access LibreSpeed at: https://${DOMAIN}/ or https://${EXAMPLE_DOMAIN}/"
+  warn "Auto-renew handled by systemd timers. Check with: systemctl list-timers | grep certbot"
+}
+
+main "$@"
diff --git a/setup-ssl.sh b/setup-ssl.sh
new file mode 100644
index 000000000..684dcd329
--- /dev/null
+++ b/setup-ssl.sh
@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# =========================
+# Configurable variables
+# =========================
+DOMAIN="speedtest.sarkernet.com.bd"
+EMAIL="admin@sarkernet.com.bd"   # Used for Let's Encrypt registration and renewal notices
+WEBROOT="/var/www/speedtest"
+APACHE_USER="www-data"
+APACHE_GROUP="www-data"
+USE_STAGING="false"              # true = use Let's Encrypt staging (no rate limits, not trusted), false = production
+
+# =========================
+# Helper functions
+# =========================
+log() { echo -e "\e[32m[+] $*\e[0m"; }
+warn() { echo -e "\e[33m[!] $*\e[0m"; }
+err() { echo -e "\e[31m[!] $*\e[0m" >&2; }
+
+require_root() {
+  if [[ "${EUID}" -ne 0 ]]; then
+    err "Run as root (use: sudo $0)"
+    exit 1
+  fi
+}
+
+detect_apt() {
+  if command -v apt-get >/dev/null 2>&1; then
+    return 0
+  else
+    err "This script currently supports Debian/Ubuntu (apt)."
+    exit 1
+  fi
+}
+
+check_dns() {
+  log "Checking DNS A record for ${DOMAIN}..."
+  if ! command -v dig >/dev/null 2>&1; then apt-get update -y && apt-get install -y dnsutils; fi
+  SERVER_IP="$(curl -s https://api.ipify.org || true)"
+  DNS_IP="$(dig +short A "${DOMAIN}" | tail -n1 || true)"
+  warn "Server public IP: ${SERVER_IP:-unknown}"
+  warn "DNS A record IP:  ${DNS_IP:-unknown}"
+  if [[ -n "${SERVER_IP}" && -n "${DNS_IP}" && "${SERVER_IP}" != "${DNS_IP}" ]]; then
+    warn "DNS A record does not point to this server. Let's Encrypt will fail. Fix DNS before continuing."
+    read -r -p "Continue anyway? (y/N): " ans
+    [[ "${ans:-N}" =~ ^[Yy]$ ]] || exit 1
+  fi
+}
+
+ensure_packages() {
+  log "Installing required packages..."
+  apt-get update -y
+  DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    apache2 \
+    openssl \
+    certbot \
+    python3-certbot-apache \
+    curl
+}
+
+configure_firewall() {
+  if command -v ufw >/dev/null 2>&1; then
+    log "Configuring UFW to allow HTTP/HTTPS..."
+    ufw allow 80/tcp || true
+    ufw allow 443/tcp || true
+  else
+    warn "UFW not found; ensure ports 80 and 443 are open in your firewall."
+  fi
+}
+
+enable_apache_modules() {
+  log "Enabling Apache modules (ssl, headers, rewrite)..."
+  a2enmod ssl || true
+  a2enmod headers || true
+  a2enmod rewrite || true
+}
+
+create_webroot() {
+  log "Preparing webroot at ${WEBROOT}..."
+  mkdir -p "${WEBROOT}"
+  chown -R "${APACHE_USER}:${APACHE_GROUP}" "${WEBROOT}"
+  if [[ ! -f "${WEBROOT}/index.html" ]]; then
+    cat > "${WEBROOT}/index.html" <<EOF
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>${DOMAIN}</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style>body{font-family:system-ui,Segoe UI,Roboto,Helvetica,Arial,sans-serif;margin:2rem}code{background:#f5f5f5;padding:.2rem .4rem;border-radius:.2rem}</style>
+</head>
+<body>
+  <h1>${DOMAIN}</h1>
+  <p>Apache is running. SSL will be installed after Certbot completes.</p>
+</body>
+</html>
+EOF
+  fi
+}
+
+create_http_vhost() {
+  local vhost="/etc/apache2/sites-available/${DOMAIN}.conf"
+  log "Creating HTTP VirtualHost at ${vhost}..."
+  cat > "${vhost}" <<EOF
+<VirtualHost *:80>
+    ServerName ${DOMAIN}
+    ServerAdmin ${EMAIL}
+    DocumentRoot ${WEBROOT}
+
+    <Directory ${WEBROOT}>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    # Allow Let's Encrypt HTTP-01 challenge
+    Alias /.well-known/acme-challenge/ ${WEBROOT}/.well-known/acme-challenge/
+    <Directory ${WEBROOT}/.well-known/acme-challenge/>
+        Options None
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/${DOMAIN}-error.log
+    CustomLog \${APACHE_LOG_DIR}/${DOMAIN}-access.log combined
+</VirtualHost>
+EOF
+
+  a2ensite "${DOMAIN}.conf" || true
+}
+
+apache_test_reload() {
+  log "Testing Apache config..."
+  apache2ctl -t
+  log "Reloading Apache..."
+  systemctl reload apache2
+  systemctl enable apache2
+  systemctl status apache2 --no-pager || true
+}
+
+obtain_certificate() {
+  local extra_flags=()
+  if [[ "${USE_STAGING}" == "true" ]]; then
+    warn "Using Let's Encrypt STAGING environment (test certs, not trusted)."
+    extra_flags+=(--test-cert)
+  fi
+
+  log "Requesting Let's Encrypt certificate for ${DOMAIN} via Apache plugin..."
+  certbot --apache \
+    -d "${DOMAIN}" \
+    --email "${EMAIL}" \
+    --agree-tos \
+    --redirect \
+    --no-eff-email \
+    "${extra_flags[@]}"
+}
+
+harden_ssl_headers() {
+  local ssl_vhost="/etc/apache2/sites-available/${DOMAIN}-le-ssl.conf"
+  if [[ -f "${ssl_vhost}" ]]; then
+    log "Adding basic security headers to ${ssl_vhost}..."
+    # Ensure Headers module is active
+    a2enmod headers || true
+
+    # Only append if not already present
+    if ! grep -q "Header always set Strict-Transport-Security" "${ssl_vhost}"; then
+      sed -i '/<\/VirtualHost>/i \
+  # Security headers\n\
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"\n\
+  Header always set X-Content-Type-Options "nosniff"\n\
+  Header always set X-Frame-Options "SAMEORIGIN"\n\
+  Header always set Referrer-Policy "no-referrer-when-downgrade"\n' "${ssl_vhost}"
+    fi
+  else
+    warn "SSL vhost ${ssl_vhost} not found; Certbot may have created a different file. Skipping header hardening."
+  fi
+}
+
+post_checks() {
+  log "Verifying HTTP and HTTPS reachability..."
+  sleep 2
+  warn "HTTP check:"
+  curl -I "http://${DOMAIN}" || true
+  warn "HTTPS check:"
+  curl -I "https://${DOMAIN}" || true
+
+  log "Listing certificate files:"
+  ls -l "/etc/letsencrypt/live/${DOMAIN}" || true
+
+  log "Testing renewal dry-run..."
+  certbot renew --dry-run || warn "Renewal dry-run failed; check logs at /var/log/letsencrypt/letsencrypt.log"
+}
+
+main() {
+  require_root
+  detect_apt
+  check_dns
+  ensure_packages
+  configure_firewall
+  enable_apache_modules
+  create_webroot
+  create_http_vhost
+  apache_test_reload
+  obtain_certificate
+  harden_ssl_headers
+  apache_test_reload
+  post_checks
+
+  log "SSL setup completed for ${DOMAIN}."
+  warn "If you plan to deploy a speedtest UI (e.g., LibreSpeed), place files under ${WEBROOT}."
+  warn "Auto-renew is handled by systemd timers. Verify with: systemctl list-timers | grep certbot"
+}
+
+main "$@"