apache-config-devel/sites-available/002-default-ssl.conf

<VirtualHost _default_:443>

	DocumentRoot "/srv/www/apache"
	#ServerName www.example.com:443
	ServerAdmin webmaster@localhost
	ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log
	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined

	SSLEngine on
	SSLCertificateFile "/etc/apache/server.crt"
	SSLCertificateKeyFile "/etc/apache/server.key"
	#SSLCertificateChainFile "/etc/apache/server-ca.crt"

	#SSLProtocol		All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLProtocol		All -SSLv2 -SSLv3
	SSLCipherSuite		EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLHonorCipherOrder	On

	SSLCompression		off 
	SSLUseStapling		on 
	
	SSLStaplingCache	"shmcb:logs/stapling-cache(150000)" 
	# Requires Apache >= 2.4.11
	SSLSessionTickets	Off
            
	#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	#Header always set X-Frame-Options DENY
	#Header always set X-Content-Type-Options nosniff

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
	    SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory "/srv/www/apache/cgi-bin">
	    SSLOptions +StdEnvVars
	</Directory>

	BrowserMatch "MSIE [2-5]" \
		 nokeepalive ssl-unclean-shutdown \
		 downgrade-1.0 force-response-1.0

	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info
	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser

</VirtualHost>                                  

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Now with a little bit of SSL and Let's Encrypt - apache.conf Include listen.conf AFTER loading modules (ssl) - mod_ssl needs socache_shmcb uses mime and setenvif (in vhost) - mod_alias (for LE/dehydrated) - sites-available/00[12]-default-ssl.conf (untested!) 2016-10-06 20:19:33 +00:00			`<VirtualHost _default_:443>`

			`DocumentRoot "/srv/www/apache"`
			`#ServerName www.example.com:443`
			`ServerAdmin webmaster@localhost`
			`ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log`
			`CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined`

			`SSLEngine on`
			`SSLCertificateFile "/etc/apache/server.crt"`
			`SSLCertificateKeyFile "/etc/apache/server.key"`
			`#SSLCertificateChainFile "/etc/apache/server-ca.crt"`

			`#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`
			`SSLProtocol All -SSLv2 -SSLv3`
			`SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH`
			`SSLHonorCipherOrder On`

			`SSLCompression off`
			`SSLUseStapling on`

			`SSLStaplingCache "shmcb:logs/stapling-cache(150000)"`
			`# Requires Apache >= 2.4.11`
			`SSLSessionTickets Off`

			`#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"`
			`#Header always set X-Frame-Options DENY`
			`#Header always set X-Content-Type-Options nosniff`

			`<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">`
			`SSLOptions +StdEnvVars`
			`</FilesMatch>`
			`<Directory "/srv/www/apache/cgi-bin">`
			`SSLOptions +StdEnvVars`
			`</Directory>`

			`BrowserMatch "MSIE [2-5]" \`
			`nokeepalive ssl-unclean-shutdown \`
			`downgrade-1.0 force-response-1.0`

			`CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info`
			`CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser`

			`</VirtualHost>`

			`# vim: syntax=apache ts=4 sw=4 sts=4 sr noet`