alexcreek/apache-ssl-vhost.conf

## apache-ssl-vhost.conf
<VirtualHost *:443>
    ServerName securesite.com
    ServerAlias www.securesite.com
    DocumentRoot /var/www/securesite.com

    # OCSP Stapling
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000) # place outside <virtualhost></virtualhost>
    SSLCACertificateFile /etc/ssl/ca-certs.pem
    SSLUseStapling on

    # HSTS
    # needs a redirect from a non-https vhost
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # SSL
    SSLEngine on
    SSLCompression off
    SSLInsecureRenegotiation off
    SSLCertificateFile /etc/apache2/ssl/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/cert.pem
    SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
    # Best
    #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    # Compatible
</VirtualHost>
	<VirtualHost *:443>
	ServerName securesite.com
	ServerAlias www.securesite.com
	DocumentRoot /var/www/securesite.com

	# OCSP Stapling
	SSLStaplingCache shmcb:/tmp/stapling_cache(128000) # place outside <virtualhost></virtualhost>
	SSLCACertificateFile /etc/ssl/ca-certs.pem
	SSLUseStapling on

	# HSTS
	# needs a redirect from a non-https vhost
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

	# SSL
	SSLEngine on
	SSLCompression off
	SSLInsecureRenegotiation off
	SSLCertificateFile /etc/apache2/ssl/cert.pem
	SSLCertificateKeyFile /etc/apache2/ssl/cert.pem
	SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
	SSLHonorCipherOrder on
	SSLProtocol all -SSLv2 -SSLv3
	# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
	# Best
	#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

	# Compatible
	</VirtualHost>