@dkrusky
Last active March 11, 2016 12:48
Demonstrates best practices for security in an Apache virtual host. A+ rating on ssllabs.com with good backwards compatibility.
# Enable OCSP stapling. SSLStaplingCache is server-wide and may only be set once,
# outside any <VirtualHost>.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
# Enable HTTP Strict Transport Security (only on HTTPS responses)
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15638400; preload" env=HTTPS
    #Header always set Strict-Transport-Security "max-age=15638400; includeSubDomains; preload" env=HTTPS
</IfModule>
<VirtualHost yourwebsite.tld:443>
    ServerName yourwebsite.tld
    ServerAdmin webmaster@yourwebsite.tld
    DocumentRoot /var/www/html/
    # suexec support. Make sure to create the appropriate
    # user and group and assign proper permissions.
    <IfModule mod_suexec.c>
        SuexecUserGroup suexecuser suexecgroup
    </IfModule>
    # XSendFile support
    <IfModule mod_xsendfile.c>
        XSendFile on
        XSendFilePath /var/www/html/downloads/
    </IfModule>
    # Disable caching, set HPKP
    <IfModule mod_headers.c>
        Header always set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header always set Pragma "no-cache"
        # <PIN1>/<PIN2> are the base64 SHA-256 pins of two keys you control (one kept as a backup).
        # HPKP has since been deprecated and removed from major browsers.
        Header always set Public-Key-Pins "pin-sha256=\"<PIN1>\"; pin-sha256=\"<PIN2>\"; max-age=5184000"
    </IfModule>
    <Directory /var/www/html/>
        Options -Indexes +FollowSymLinks
        SSLRequireSSL
        AllowOverride all
        Require all granted
    </Directory>
    # Cron scripts are never served to clients.
    <Directory /var/www/html/crons/>
        AllowOverride none
        Require all denied
    </Directory>
    # SSL/TLS settings. Not compatible with IE on Windows XP, or with Java 6.
    SSLEngine on
    SSLProtocol -all -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite -LOW:AESGCM:AES:!kRSA:!kPSK:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!ADH
    SSLStrictSNIVHostCheck Off
    SSLCompression off
    # +FakeBasicAuth only takes effect when client certificates are verified (SSLVerifyClient).
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLHonorCipherOrder on
    # Your certificate files go here.
    SSLCertificateFile /etc/apache2/certificate/ssl.crt
    SSLCertificateKeyFile /etc/apache2/certificate/ssl.key
    SSLCACertificateFile /etc/apache2/certificate/intermediate.crt
</VirtualHost>
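As an added example that is not part of the gist: a small Python audit of the TLS points this vhost sets (protocol list, cipher exclusions, compression, cipher order, HSTS), run against two constructed config fragments. The 180-day HSTS threshold and the `example.invalid` host are this example's own choices, not Apache rules.

```python
import re
# Constructed samples (not the gist's text): a vhost with the weak settings the
# gist avoids, and a fragment carrying the gist's hardening lines.
WEAK_VHOST = """<VirtualHost example.invalid:443>
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
  SSLCompression on
</VirtualHost>"""
HARDENED_VHOST = """Header always set Strict-Transport-Security "max-age=15638400; preload" env=HTTPS
SSLProtocol -all -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite -LOW:AESGCM:AES:!kRSA:!kPSK:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!ADH
SSLCompression off
SSLHonorCipherOrder on"""
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
MIN_HSTS_AGE = 15552000  # 180 days: this example's threshold, not an Apache rule

def directives(config):
    """Yield (name, value) per directive line; comments and <tags> are skipped."""
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def enabled_protocols(value):
    """Apply SSLProtocol's +/- tokens left to right, as mod_ssl evaluates them."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit_tls(config):
    """Return findings for the hardening points the gist's vhost sets."""
    seen = dict(directives(config))  # last occurrence wins, as within one scope
    findings = []
    legacy = enabled_protocols(seen.get("sslprotocol", "all")) & {"sslv2", "sslv3"}
    if legacy:
        findings.append("SSLProtocol enables " + ", ".join(sorted(legacy)))
    for weak in ("RC4", "MD5", "aNULL"):
        if "!" + weak not in seen.get("sslciphersuite", ""):
            findings.append("SSLCipherSuite does not exclude " + weak)
    if seen.get("sslcompression", "off").lower() != "off":  # httpd 2.4 defaults to off
        findings.append("SSLCompression is on (CRIME)")
    if seen.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    hsts = re.search(r'^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"([^"]*)"', config, re.I | re.M)
    age = re.search(r"max-age=(\d+)", hsts.group(1)) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age below %d" % MIN_HSTS_AGE)
    return findings
```

Running `audit_tls` on a live httpd config requires feeding it the merged server and vhost scope, since directives set at server level are inherited by the vhost.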