# Load and configure SSL module
LoadModule ssl_module libexec/apache24/mod_ssl.so
# Names TLS 1.2 and TLS 1.3 as the protocol versions to enable.
# NOTE(review): "SSLProtocol -all +TLSv1.2 +TLSv1.3" states the same intent
# without relying on how the "+" prefixes combine with the starting set.
SSLProtocol +TLSv1.3 +TLSv1.2
# AEAD suites only (AES-GCM, ChaCha20-Poly1305) with ECDHE or DHE key exchange.
# NOTE(review): the three TLS_* names are TLS 1.3 suites. mod_ssl configures
# TLS 1.3 suites through the separate "SSLCipherSuite TLSv1.3 <list>" form, so
# inside this list they probably have no effect - confirm against the
# installed httpd/OpenSSL by checking what a test handshake negotiates.
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# The client's cipher preference decides among the suites listed above.
SSLHonorCipherOrder off
# TLS-level compression stays disabled; compressing before encryption leaks
# plaintext length information (the basis of the CRIME attack).
SSLCompression off
# Load and configure SSL session cache module
LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
# TLS session state is cached in a DBM file on local disk.
# NOTE(review): the cache holds session secrets, so the file and its directory
# should not be readable or writable by unprivileged users - verify the
# permissions. The mod_ssl documentation recommends the shmcb provider
# (mod_socache_shmcb) over dbm; consider it if this build ships that module.
SSLSessionCache dbm:/var/db/httpd_ssl_cache.db
# Load and configure Managed Domain module
# mod_md needs mod_watchdog loaded as well, so both modules are listed.
LoadModule watchdog_module libexec/apache24/mod_watchdog.so
LoadModule md_module libexec/apache24/mod_md.so
# Records that the operator accepts the certificate authority's terms of service.
MDCertificateAgreement accepted
# Contact address registered with the ACME account. acme@example.com is a
# placeholder; use a monitored mailbox so notices from the CA are seen.
MDContactEmail acme@example.com
# Load Rewrite module (needed for HTTP -> HTTPS redirect)
# Used by the RewriteEngine/RewriteRule lines of the HTTP site.example.com host.
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
# Load Headers module (needed for HSTS)
# Used by the "Header always set Strict-Transport-Security" line of the HTTPS host.
LoadModule headers_module libexec/apache24/mod_headers.so
# Listen on port 443 for HTTPS
# NOTE(review): no "Listen 80" appears in this listing although the HTTP
# sections below need one; presumably it is set in the main httpd.conf - confirm.
Listen 443
# Server name and admin email
# Server-level defaults; the host names below are example.com placeholders.
ServerName server.example.com
ServerAdmin www@example.com
# HTTP-only
# NOTE(review): the enclosing container lines (presumably a <VirtualHost> and a
# <Location> block) do not appear in this listing and seem to have been lost
# when the page was rendered. As printed, Require and SetHandler would apply
# to the whole server; restore the containers before using this.
ServerName localhost
# Only loopback clients (IPv4 127.0.0.0/8 and IPv6 ::1) may read the status output.
Require ip 127.0.0.1/8 ::1
# md-status is the mod_md status handler; it reports the state of managed
# domains and their certificates, which is why access is restricted above.
SetHandler md-status
# Declare site.example.com as a managed domain
# mod_md obtains and renews the certificate for this name. The HTTPS host in
# this listing carries no SSLCertificateFile/SSLCertificateKeyFile lines, so it
# relies on mod_md to supply the certificate.
MDomain site.example.com
# HTTP virtual host for legacy reasons, redirects to HTTPS
# NOTE(review): the <VirtualHost> open/close lines for this host do not appear
# in this listing (presumably lost in rendering); restore them before use.
ServerName site.example.com
RewriteEngine on
# Permanent (301) redirect of every path to HTTPS, except paths matching the
# negative lookahead for /.well-known/acme-challenge, which presumably stay on
# HTTP for ACME http-01 validation. The redirect target host is hard-coded, so
# it does not depend on the Host header sent by the client.
# NOTE(review): the "." before "well-known" is unescaped and the prefix has no
# trailing "/", so the exemption is slightly wider than the ACME path; "\." and
# a closing "/" would make it exact.
RewriteRule "^/(?!.well-known/acme-challenge)(.*)" https://site.example.com/$1 [R=301,L]
# NOTE(review): the logs sit inside the site tree. Keep the logs directory
# writable by root only; httpd opens log files with the privileges it was
# started with.
ErrorLog /www/site.example.com/logs/http-error.log
CustomLog /www/site.example.com/logs/http-access.log combined
# HTTPS virtual host with strict SNI and HSTS
# NOTE(review): the <VirtualHost> open/close lines for this host do not appear
# in this listing (presumably lost in rendering); restore them before use.
ServerName site.example.com
SSLEngine on
# Clients that send no SNI are refused for this host (for every host on the
# same address and port if this is the default name-based virtual host).
SSLStrictSNIVHostCheck On
# HSTS: max-age 15552000 s = 180 days, sent on every response ("always"),
# including error responses.
# NOTE(review): includeSubdomains commits every subdomain of site.example.com
# to HTTPS for that period; confirm each one serves valid TLS before deploying.
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"
DocumentRoot /www/site.example.com/data
# NOTE(review): every *.conf file under the site's etc/ directory is parsed as
# httpd configuration at startup. That directory should be owned by root and
# not writable by the site owner or the web application user - verify.
IncludeOptional /www/site.example.com/etc/*.conf
# NOTE(review): as with any httpd log location, keep the logs directory
# writable by root only.
ErrorLog /www/site.example.com/logs/https-error.log
CustomLog /www/site.example.com/logs/https-access.log combined