
Now with a little bit of SSL and Let's Encrypt

- apache.conf
  Include listen.conf AFTER loading modules (ssl)

- mod_ssl
  needs socache_shmcb
  uses mime and setenvif (in vhost)

- mod_alias (for LE/dehydrated)

- sites-available/00[12]-default-ssl.conf (untested!)
Sven Velt 8 years ago
parent
commit
92eda1e5ba

+ 3 - 3
apache.conf

@@ -26,13 +26,13 @@ LoadModule authz_core_module /usr/libexec/httpd/mod_authz_core.so
 LoadModule log_config_module /usr/libexec/httpd/mod_log_config.so
 LoadModule unixd_module /usr/libexec/httpd/mod_unixd.so
 
-# Include listen ports
-Include listen.conf
-
 # Admin wants these modules:
 IncludeOptional mods-enabled/*.load
 IncludeOptional mods-enabled/*.conf
 
+# Include listen ports
+Include listen.conf
+
 
 ### Basic security settings
 
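Review bot: The comment above the moved `Include listen.conf` still reads `# Include listen ports` and does not record why it must now sit after the mods-enabled includes, so a later tidy-up could move it back above them and silently lose the SSL listener. Suggest `# Include listen ports -- must come AFTER mods-enabled/*.load so that a Listen guarded by <IfModule mod_ssl.c> sees the module`. I cannot see listen.conf in this commit, so the exact dependency (an IfModule guard, or something else) should be confirmed and stated in that comment.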

+ 1 - 0
mods-available/alias.load

@@ -0,0 +1 @@
+LoadModule alias_module /usr/libexec/httpd/mod_alias.so

+ 240 - 0
mods-available/mime.conf

@@ -0,0 +1,240 @@
+<IfModule mod_mime.c>
+
+	#
+	# TypesConfig points to the file containing the list of mappings from
+	# filename extension to MIME-type.
+	#
+	TypesConfig /etc/apache/mime.types
+
+	#
+	# AddType allows you to add to or override the MIME configuration
+	# file mime.types for specific file types.
+	#
+	#AddType application/x-gzip .tgz
+	#
+	# AddEncoding allows you to have certain browsers uncompress
+	# information on the fly. Note: Not all browsers support this.
+	# Despite the name similarity, the following Add* directives have
+	# nothing to do with the FancyIndexing customization directives above.
+	#
+	#AddEncoding x-compress .Z
+	#AddEncoding x-gzip .gz .tgz
+	#AddEncoding x-bzip2 .bz2
+	#
+	# If the AddEncoding directives above are commented-out, then you
+	# probably should define those extensions to indicate media types:
+	#
+	AddType application/x-compress .Z
+	AddType application/x-gzip .gz .tgz
+	AddType application/x-bzip2 .bz2
+
+	#
+	# DefaultLanguage and AddLanguage allows you to specify the language of 
+	# a document. You can then use content negotiation to give a browser a 
+	# file in a language the user can understand.
+	#
+	# Specify a default language. This means that all data
+	# going out without a specific language tag (see below) will 
+	# be marked with this one. You probably do NOT want to set
+	# this unless you are sure it is correct for all cases.
+	#
+	# * It is generally better to not mark a page as 
+	# * being a certain language than marking it with the wrong
+	# * language!
+	#
+	# DefaultLanguage nl
+	#
+	# Note 1: The suffix does not have to be the same as the language
+	# keyword --- those with documents in Polish (whose net-standard
+	# language code is pl) may wish to use "AddLanguage pl .po" to
+	# avoid the ambiguity with the common suffix for perl scripts.
+	#
+	# Note 2: The example entries below illustrate that in some cases 
+	# the two character 'Language' abbreviation is not identical to 
+	# the two character 'Country' code for its country,
+	# E.g. 'Danmark/dk' versus 'Danish/da'.
+	#
+	# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+	# specifier. There is 'work in progress' to fix this and get
+	# the reference data for rfc1766 cleaned up.
+	#
+	# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+	# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+	# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+	# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+	# Norwegian (no) - Polish (pl) - Portugese (pt)
+	# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+	# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+	#
+	AddLanguage am .amh
+	AddLanguage ar .ara
+	AddLanguage be .be
+	AddLanguage bg .bg
+	AddLanguage bn .bn
+	AddLanguage br .br
+	AddLanguage bs .bs
+	AddLanguage ca .ca
+	AddLanguage cs .cz .cs
+	AddLanguage cy .cy
+	AddLanguage da .dk
+	AddLanguage de .de
+	AddLanguage dz .dz
+	AddLanguage el .el
+	AddLanguage en .en
+	AddLanguage eo .eo
+	# es is ecmascript in /etc/mime.types
+	RemoveType  es
+	AddLanguage es .es
+	AddLanguage et .et
+	AddLanguage eu .eu
+	AddLanguage fa .fa
+	AddLanguage fi .fi
+	AddLanguage fr .fr
+	AddLanguage ga .ga
+	AddLanguage gl .glg
+	AddLanguage gu .gu
+	AddLanguage he .he
+	AddLanguage hi .hi
+	AddLanguage hr .hr
+	AddLanguage hu .hu
+	AddLanguage hy .hy
+	AddLanguage id .id
+	AddLanguage is .is
+	AddLanguage it .it
+	AddLanguage ja .ja
+	AddLanguage ka .ka
+	AddLanguage kk .kk
+	AddLanguage km .km
+	AddLanguage kn .kn
+	AddLanguage ko .ko
+	AddLanguage ku .ku
+	AddLanguage lo .lo
+	AddLanguage lt .lt
+	AddLanguage ltz .ltz
+	AddLanguage lv .lv
+	AddLanguage mg .mg
+	AddLanguage mk .mk
+	AddLanguage ml .ml
+	AddLanguage mr .mr
+	AddLanguage ms .msa
+	AddLanguage nb .nob
+	AddLanguage ne .ne
+	AddLanguage nl .nl
+	AddLanguage nn .nn
+	AddLanguage no .no
+	AddLanguage pa .pa
+	AddLanguage pl .po
+	AddLanguage pt-BR .pt-br
+	AddLanguage pt .pt
+	AddLanguage ro .ro
+	AddLanguage ru .ru
+	AddLanguage sa .sa
+	AddLanguage se .se
+	AddLanguage si .si
+	AddLanguage sk .sk
+	AddLanguage sl .sl
+	AddLanguage sq .sq
+	AddLanguage sr .sr
+	AddLanguage sv .sv
+	AddLanguage ta .ta
+	AddLanguage te .te
+	AddLanguage th .th
+	AddLanguage tl .tl
+	RemoveType  tr
+	# tr is troff in /etc/mime.types
+	AddLanguage tr .tr
+	AddLanguage uk .uk
+	AddLanguage ur .ur
+	AddLanguage vi .vi
+	AddLanguage wo .wo
+	AddLanguage xh .xh
+	AddLanguage zh-CN .zh-cn
+	AddLanguage zh-TW .zh-tw
+
+	#
+	# Commonly used filename extensions to character sets. You probably
+	# want to avoid clashes with the language extensions, unless you
+	# are good at carefully testing your setup after each change.
+	# See http://www.iana.org/assignments/character-sets for the
+	# official list of charset names and their respective RFCs.
+	#
+	AddCharset us-ascii	.ascii .us-ascii
+	AddCharset ISO-8859-1  .iso8859-1  .latin1
+	AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
+	AddCharset ISO-8859-3  .iso8859-3  .latin3
+	AddCharset ISO-8859-4  .iso8859-4  .latin4
+	AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
+	AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
+	AddCharset ISO-8859-7  .iso8859-7  .grk .greek
+	AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
+	AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
+	AddCharset ISO-8859-10  .iso8859-10  .latin6
+	AddCharset ISO-8859-13  .iso8859-13
+	AddCharset ISO-8859-14  .iso8859-14  .latin8
+	AddCharset ISO-8859-15  .iso8859-15  .latin9
+	AddCharset ISO-8859-16  .iso8859-16  .latin10
+	AddCharset ISO-2022-JP .iso2022-jp .jis
+	AddCharset ISO-2022-KR .iso2022-kr .kis
+	AddCharset ISO-2022-CN .iso2022-cn .cis
+	AddCharset Big5		.Big5	   .big5 .b5
+	AddCharset cn-Big5	 .cn-big5
+	# For russian, more than one charset is used (depends on client, mostly):
+	AddCharset WINDOWS-1251 .cp-1251   .win-1251
+	AddCharset CP866	   .cp866
+	AddCharset KOI8	  .koi8
+	AddCharset KOI8-E	  .koi8-e
+	AddCharset KOI8-r	  .koi8-r .koi8-ru
+	AddCharset KOI8-U	  .koi8-u
+	AddCharset KOI8-ru	 .koi8-uk .ua
+	AddCharset ISO-10646-UCS-2 .ucs2
+	AddCharset ISO-10646-UCS-4 .ucs4
+	AddCharset UTF-7	   .utf7
+	AddCharset UTF-8	   .utf8
+	AddCharset UTF-16	  .utf16
+	AddCharset UTF-16BE	.utf16be
+	AddCharset UTF-16LE	.utf16le
+	AddCharset UTF-32	  .utf32
+	AddCharset UTF-32BE	.utf32be
+	AddCharset UTF-32LE	.utf32le
+	AddCharset euc-cn	  .euc-cn
+	AddCharset euc-gb	  .euc-gb
+	AddCharset euc-jp	  .euc-jp
+	AddCharset euc-kr	  .euc-kr
+	#Not sure how euc-tw got in - IANA doesn't list it???
+	AddCharset EUC-TW	  .euc-tw
+	AddCharset gb2312	  .gb2312 .gb
+	AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
+	AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
+	AddCharset shift_jis   .shift_jis .sjis
+	AddCharset BRF		 .brf
+
+	#
+	# AddHandler allows you to map certain file extensions to "handlers":
+	# actions unrelated to filetype. These can be either built into the server
+	# or added with the Action directive (see below)
+	#
+	# To use CGI scripts outside of ScriptAliased directories:
+	# (You will also need to add "ExecCGI" to the "Options" directive.)
+	#
+	#AddHandler cgi-script .cgi
+
+	#
+	# For files that include their own HTTP headers:
+	#
+	#AddHandler send-as-is asis
+
+	#
+	# For server-parsed imagemap files:
+	#
+	#AddHandler imap-file map
+
+	#
+	# For type maps (negotiated resources):
+	# (This is enabled by default to allow the Apache "It Worked" page
+	#  to be distributed in multiple languages.)
+	#
+	AddHandler type-map var
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

+ 1 - 0
mods-available/mime.load

@@ -0,0 +1 @@
+LoadModule mime_module /usr/libexec/httpd/mod_mime.so

+ 32 - 0
mods-available/setenvif.conf

@@ -0,0 +1,32 @@
+<IfModule mod_setenvif.c>
+
+	#
+	# The following directives modify normal HTTP response behavior to
+	# handle known problems with browser implementations.
+	#
+	BrowserMatch "Mozilla/2" nokeepalive
+	BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+	BrowserMatch "RealPlayer 4\.0" force-response-1.0
+	BrowserMatch "Java/1\.0" force-response-1.0
+	BrowserMatch "JDK/1\.0" force-response-1.0
+
+	#
+	# The following directive disables redirects on non-GET requests for
+	# a directory that does not include the trailing slash.  This fixes a
+	# problem with Microsoft WebFolders which does not appropriately handle
+	# redirects for folders with DAV methods.
+	# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+	#
+	BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+	BrowserMatch "MS FrontPage" redirect-carefully
+	BrowserMatch "^WebDrive" redirect-carefully
+	BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+	BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+	BrowserMatch "^gvfs/1" redirect-carefully
+	BrowserMatch "^XML Spy" redirect-carefully
+	BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+	BrowserMatch " Konqueror/4" redirect-carefully
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

+ 1 - 0
mods-available/setenvif.load

@@ -0,0 +1 @@
+LoadModule setenvif_module /usr/libexec/httpd/mod_setenvif.so

+ 1 - 0
mods-available/socache_shmcb.load

@@ -0,0 +1 @@
+LoadModule socache_shmcb_module /usr/libexec/httpd/mod_socache_shmcb.so

+ 90 - 0
mods-available/ssl.conf

@@ -0,0 +1,90 @@
+<IfModule mod_ssl.c>
+
+	# Pseudo Random Number Generator (PRNG):
+	# Configure one or more sources to seed the PRNG of the SSL library.
+	# The seed data should be of good random quality.
+	# WARNING! On some platforms /dev/random blocks if not enough entropy
+	# is available. This means you then cannot use the /dev/random device
+	# because it would lead to very long connection times (as long as
+	# it requires to make more entropy available). But usually those
+	# platforms additionally provide a /dev/urandom device which doesn't
+	# block. So, if available, use this one instead. Read the mod_ssl User
+	# Manual for more details.
+	#
+	SSLRandomSeed startup builtin
+	SSLRandomSeed startup file:/dev/urandom 512
+	SSLRandomSeed connect builtin
+	SSLRandomSeed connect file:/dev/urandom 512
+
+	##
+	##  SSL Global Context
+	##
+	##  All SSL configuration in this context applies both to
+	##  the main server and all SSL-enabled virtual hosts.
+	##
+
+	#
+	#   Some MIME-types for downloading Certificates and CRLs
+	#
+	<IfModule mod_mime.c>
+		AddType application/x-x509-ca-cert .crt
+		AddType application/x-pkcs7-crl	.crl
+	</IfModule>
+
+	#   Pass Phrase Dialog:
+	#   Configure the pass phrase gathering process.
+	#   The filtering dialog program (`builtin' is a internal
+	#   terminal dialog) has to provide the pass phrase on stdout.
+	SSLPassPhraseDialog  builtin
+
+	#   Inter-Process Session Cache:
+	#   Configure the SSL Session Cache: First the mechanism 
+	#   to use and second the expiring timeout (in seconds).
+	#   (The mechanism dbm has known memory leaks and should not be used).
+	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
+	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+	SSLSessionCacheTimeout  300
+
+	#   Semaphore:
+	#   Configure the path to the mutual exclusion semaphore the
+	#   SSL engine uses internally for inter-process synchronization. 
+	#   (Disabled by default, the global Mutex directive consolidates by default
+	#   this)
+	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+	#   SSL Cipher Suite:
+	#   List the ciphers that the client is permitted to negotiate. See the
+	#   ciphers(1) man page from the openssl package for list of all available
+	#   options.
+	#   Enable only secure ciphers:
+	SSLCipherSuite HIGH:!aNULL
+
+	# SSL server cipher order preference:
+	# Use server priorities for cipher algorithm choice.
+	# Clients may prefer lower grade encryption.  You should enable this
+	# option if you want to enforce stronger encryption, and can afford
+	# the CPU cost, and did not override SSLCipherSuite in a way that puts
+	# insecure ciphers first.
+	# Default: Off
+	#SSLHonorCipherOrder on
+
+	#   The protocols to enable.
+	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+	#   SSL v2  is no longer supported
+	SSLProtocol all -SSLv3
+
+	#   Allow insecure renegotiation with clients which do not yet support the
+	#   secure renegotiation protocol. Default: Off
+	#SSLInsecureRenegotiation on
+
+	#   Whether to forbid non-SNI clients to access name based virtual hosts.
+	#   Default: Off
+	#SSLStrictSNIVHostCheck On
+
+</IfModule>
+
+LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_info
+LogFormat "%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-Agent}i\"" ssl_info_browser
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
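Review bot: The global policy in this file is looser than the per-vhost one in sites-available/002-default-ssl.conf: `SSLProtocol all -SSLv3` still admits TLSv1.0 and TLSv1.1, `SSLHonorCipherOrder on` is left commented out, and `SSLCompression` is not set at all, so any SSL vhost that does not repeat those directives (001-default-ssl.conf, for one) inherits the weaker settings. Consider carrying the hardened values here in the `<IfModule mod_ssl.c>` global context, `SSLHonorCipherOrder on` and `SSLCompression off` plus a cipher string of the same strength as the vhost's, so vhosts only override when they need to. The `${APACHE_RUN_DIR}` used by `SSLSessionCache` must be defined (via Define or the environment) before this file is included; nothing in this commit shows where that happens, so verify it, otherwise httpd warns about the undefined variable and uses the unexpanded text as the path.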

+ 3 - 0
mods-available/ssl.load

@@ -0,0 +1,3 @@
+# Depends: socache_shmcb
+# Suggests: setenvif mime
+LoadModule ssl_module /usr/libexec/httpd/mod_ssl.so

+ 172 - 0
sites-available/001-default-ssl.conf

@@ -0,0 +1,172 @@
+<VirtualHost _default_:443>
+
+	#   General setup for the virtual host
+	DocumentRoot "/srv/www/apache"
+	#ServerName www.example.com:443
+	ServerAdmin webmaster@localhost
+	ErrorLog ${APACHE_LOG_DIR}/001-default-ssl.error.log
+	CustomLog ${APACHE_LOG_DIR}/001-default-ssl.access.log combined
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   Server Certificate:
+	#   Point SSLCertificateFile at a PEM encoded certificate.  If
+	#   the certificate is encrypted, then you will be prompted for a
+	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+	#   in mind that if you have both an RSA and a DSA certificate you
+	#   can configure both in parallel (to also allow the use of DSA
+	#   ciphers, etc.)
+	#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+	#   require an ECC certificate which can also be configured in
+	#   parallel.
+	SSLCertificateFile "/etc/apache/server.crt"
+	#SSLCertificateFile "/etc/apache/server-dsa.crt"
+	#SSLCertificateFile "/etc/apache/server-ecc.crt"
+
+	#   Server Private Key:
+	#   If the key is not combined with the certificate, use this
+	#   directive to point at the key file.  Keep in mind that if
+	#   you've both a RSA and a DSA private key you can configure
+	#   both in parallel (to also allow the use of DSA ciphers, etc.)
+	#   ECC keys, when in use, can also be configured in parallel
+	SSLCertificateKeyFile "/etc/apache/server.key"
+	#SSLCertificateKeyFile "/etc/apache/server-dsa.key"
+	#SSLCertificateKeyFile "/etc/apache/server-ecc.key"
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   the referenced file can be the same as SSLCertificateFile
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convenience.
+	#SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath "/etc/apache/ssl.crt"
+	#SSLCACertificateFile "/etc/apache/ssl.crt/ca-bundle.crt"
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded).
+	#   The CRL checking mode needs to be configured explicitly
+	#   through SSLCARevocationCheck (defaults to "none" otherwise).
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath "/etc/apache/ssl.crl"
+	#SSLCARevocationFile "/etc/apache/ssl.crl/ca-bundle.crl"
+	#SSLCARevocationCheck chain
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   TLS-SRP mutual authentication:
+	#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
+	#   file (containing login information for SRP user accounts). 
+	#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+	#   detailed instructions on creating this file. Example:
+	#   "openssl srp -srpvfile /etc/apache/passwd.srpv -add username"
+	#SSLSRPVerifierFile "/etc/apache/passwd.srpv"
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context. 
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+	    SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory "/srv/www/apache/cgi-bin">
+	    SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is sent or allowed to be received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly. 
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-5]" \
+		 nokeepalive ssl-unclean-shutdown \
+		 downgrade-1.0 force-response-1.0
+
+	#   Per-Server Logging:
+	#   The home of a custom SSL log file. Use this when you want a
+	#   compact non-error SSL logfile on a virtual host basis.
+	CustomLog "/var/log/httpd/ssl_request_log" \
+		  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>                                  
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
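Review bot: The per-server SSL log at the bottom of the vhost hard-codes `/var/log/httpd/ssl_request_log` while the ErrorLog and CustomLog at the top use `${APACHE_LOG_DIR}`, and it re-spells the format string that mods-available/ssl.conf already registers under the `ssl_info` nickname. Suggest `CustomLog ${APACHE_LOG_DIR}/001-default-ssl.ssl_request.log ssl_info`, which is also what 002-default-ssl.conf does. Both 001 and 002 declare `<VirtualHost _default_:443>`; if both are ever symlinked into sites-enabled only the first one loaded answers for otherwise-unmatched names on 443, so a comment stating that exactly one of them is meant to be enabled would help. The closing `</VirtualHost>` line carries trailing whitespace.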

+ 46 - 0
sites-available/002-default-ssl.conf

@@ -0,0 +1,46 @@
+<VirtualHost _default_:443>
+
+	DocumentRoot "/srv/www/apache"
+	#ServerName www.example.com:443
+	ServerAdmin webmaster@localhost
+	ErrorLog ${APACHE_LOG_DIR}/002-default-ssl.error.log
+	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.access.log combined
+
+	SSLEngine on
+	SSLCertificateFile "/etc/apache/server.crt"
+	SSLCertificateKeyFile "/etc/apache/server.key"
+	#SSLCertificateChainFile "/etc/apache/server-ca.crt"
+
+	#SSLProtocol		All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+	SSLProtocol		All -SSLv2 -SSLv3
+	SSLCipherSuite		EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+	SSLHonorCipherOrder	On
+
+	SSLCompression		off 
+	SSLUseStapling		on 
+	
+	SSLStaplingCache	"shmcb:logs/stapling-cache(150000)" 
+	# Requires Apache >= 2.4.11
+	SSLSessionTickets	Off
+            
+	#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+	#Header always set X-Frame-Options DENY
+	#Header always set X-Content-Type-Options nosniff
+
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+	    SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory "/srv/www/apache/cgi-bin">
+	    SSLOptions +StdEnvVars
+	</Directory>
+
+	BrowserMatch "MSIE [2-5]" \
+		 nokeepalive ssl-unclean-shutdown \
+		 downgrade-1.0 force-response-1.0
+
+	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_request.log ssl_info
+	CustomLog ${APACHE_LOG_DIR}/002-default-ssl.ssl_browser.log ssl_info_browser
+
+</VirtualHost>                                  
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
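Review bot: `SSLStaplingCache` is a server-config-only directive, so placing it inside `<VirtualHost _default_:443>` makes httpd reject the configuration with a "not allowed here" error as soon as this site is enabled, consistent with the commit's own "(untested!)" remark. Move it into the global `<IfModule mod_ssl.c>` block of mods-available/ssl.conf, e.g. `SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)"`, and keep `SSLUseStapling on` in the vhost. The commented `Header always set ...` lines depend on mod_headers, for which this commit adds no mods-available/headers.load; if they are meant to be enabled later, that module and an `<IfModule mod_headers.c>` guard should come with them. `SSLCompression off`, `SSLUseStapling on`, the `SSLStaplingCache` line, the blank line after `SSLSessionTickets Off` and `</VirtualHost>` all carry trailing whitespace.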