@d-a-l
Last active April 28, 2021 04:55
Mastodon instance Apache 2.4 config
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName <my domain>
    ServerAdmin webmaster@<my domain>

    DocumentRoot /home/mastodon/live/public/
    <Directory "/home/mastodon/live/public">
        # Indexes dropped: paths excluded from the proxy below (e.g. /system)
        # are served from this directory, and auto-generated listings would
        # expose their contents.
        Options MultiViews FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <IfModule mod_headers.c>
        # HSTS with includeSubDomains covers every subdomain of <my domain>;
        # all of them must be reachable over HTTPS.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
    </IfModule>

    # Static assets served directly by Apache, cached for one year
    <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)">
        Header always set Cache-Control "public, max-age=31536000, immutable"
        Require all granted
    </LocationMatch>

    # TLS 1.2 only, forward-secret (ECDHE) cipher suites
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:AES256+EECDH:AES128+EECDH

    # SSLProxyEngine is only needed for https:// backends; both backends below are plain HTTP on localhost
    SSLProxyEngine On

    # Tell the backend that the original request arrived over HTTPS
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On

    # Paths served from DocumentRoot instead of being proxied ("!" = do not proxy).
    # These exclusions must come before the catch-all "ProxyPass /" below.
    ProxyPass /robots.txt !
    ProxyPass /500.html !
    ProxyPass /sw.js !
    ProxyPass /manifest.json !
    ProxyPass /browserconfig.xml !
    ProxyPass /mask-icon.svg !
    ProxyPassMatch ^(/.*\.(png|ico)$) !
    ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !

    # These lines prevent WebFinger from working properly!
    # Users of other instances will not be able to follow you.
    #ProxyPass /.well-known/ https://<my domain>/webfinger/.well-known/
    #ProxyPassReverse /.well-known/ https://<my domain>/webfinger/.well-known/

    # Streaming API backend (port 4000), then everything else to the web backend (port 3000)
    ProxyPass /api/v1/streaming http://localhost:4000/
    ProxyPassReverse /api/v1/streaming http://localhost:4000/
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

    # Serve the static error page when a backend fails
    ErrorDocument 500 /500.html
    ErrorDocument 501 /500.html
    ErrorDocument 502 /500.html
    ErrorDocument 503 /500.html
    ErrorDocument 504 /500.html

    ErrorLog ${APACHE_LOG_DIR}/mastodon-error.log
    CustomLog ${APACHE_LOG_DIR}/mastodon-access.log combined

    RewriteEngine on

    SSLCertificateFile <path to fullchain.pem>
    SSLCertificateKeyFile <path to privkey.pem>
    # Included last, so any SSLProtocol/SSLCipherSuite set in this file takes precedence over the values above
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>