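# Load and configure SSL module
LoadModule ssl_module libexec/apache24/mod_ssl.so
# Restrict negotiation to TLS 1.2 and TLS 1.3 (SSLv3, TLS 1.0 and TLS 1.1 are not enabled).
SSLProtocol +TLSv1.3 +TLSv1.2
# All listed suites are AEAD with (EC)DHE key exchange, i.e. forward secret.
# NOTE(review): the TLS_* entries are TLS 1.3 suite names. OpenSSL does not take
# TLS 1.3 suites from this (TLS 1.2) cipher list, so they are ignored here and the
# library default TLS 1.3 set applies. On httpd >= 2.4.36 with OpenSSL >= 1.1.1 they
# would go on a separate "SSLCipherSuite TLSv1.3 ..." line — confirm the httpd
# version before changing this.
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Client preference is acceptable because every suite above is AEAD and forward secret.
SSLHonorCipherOrder off
# TLS-level compression must stay off (compression side channels, e.g. CRIME).
SSLCompression off
# NOTE(review): consider adding "SSLSessionTickets off" (httpd >= 2.4.11). With
# tickets on, the ticket key lives for the whole server process lifetime, which
# weakens forward secrecy for resumed sessions until the next restart.

# Load and configure SSL session cache module
LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
# NOTE(review): a shmcb cache is the usual choice; dbm is kept here as in the original.
SSLSessionCache dbm:/var/db/httpd_ssl_cache.db

# Load and configure Managed Domain module (ACME certificate management; mod_md
# requires mod_watchdog).
LoadModule watchdog_module libexec/apache24/mod_watchdog.so
LoadModule md_module libexec/apache24/mod_md.so
# Explicit acceptance of the CA's terms of service; required before mod_md will
# request certificates.
MDCertificateAgreement accepted
# Contact address registered with the CA (expiry and problem notifications).
MDContactEmail acme@example.com

# Load Rewrite module (needed for HTTP -> HTTPS redirect)
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

# Load Headers module (needed for HSTS)
LoadModule headers_module libexec/apache24/mod_headers.so

# Listen on port 443 for HTTPS ("Listen 80" is assumed to be declared elsewhere).
Listen 443

# Server name and admin email
ServerName server.example.com
ServerAdmin www@example.com

# HTTP-only virtual host for local administration: exposes the mod_md status
# handler to loopback clients only, so ACME state is never reachable from outside.
# NOTE(review): the <VirtualHost>/<Location> container tags in this file were lost
# when it was flattened and are reconstructed here; the Location path is a
# placeholder — confirm both against the original file.
<VirtualHost *:80>
    ServerName localhost
    <Location "/md-status">
        Require ip 127.0.0.1/8 ::1
        SetHandler md-status
    </Location>
</VirtualHost>

# Declare site.example.com as a managed domain (certificate obtained and renewed
# by mod_md; no SSLCertificateFile/SSLCertificateKeyFile is needed in the vhost).
MDomain site.example.com

# HTTP virtual host for legacy reasons, redirects to HTTPS.
# The ACME http-01 challenge path is excluded from the redirect so the CA can
# validate the domain over plain HTTP. The "." in ".well-known" is escaped: in the
# original pattern it was an unescaped regex "." and matched any character.
# Query strings are carried over to the redirect target by mod_rewrite.
<VirtualHost *:80>
    ServerName site.example.com
    RewriteEngine on
    RewriteRule "^/(?!\.well-known/acme-challenge)(.*)" https://site.example.com/$1 [R=301,L]
    ErrorLog /www/site.example.com/logs/http-error.log
    CustomLog /www/site.example.com/logs/http-access.log combined
</VirtualHost>

# HTTPS virtual host with strict SNI and HSTS
<VirtualHost *:443>
    ServerName site.example.com
    SSLEngine on
    # Reject TLS handshakes whose SNI does not match a configured vhost instead of
    # falling back to the default vhost.
    SSLStrictSNIVHostCheck On
    # HSTS for 180 days, covering subdomains. "always" applies the header to
    # error responses too. The trailing ";" from the original value is dropped
    # (it produced an empty directive; harmless but non-canonical).
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    DocumentRoot /www/site.example.com/data
    # Per-site drop-in configuration; missing directory is not an error.
    IncludeOptional /www/site.example.com/etc/*.conf
    ErrorLog /www/site.example.com/logs/https-error.log
    CustomLog /www/site.example.com/logs/https-access.log combined
</VirtualHost>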