Generically Redirect HTTP to HTTPS
# Plain-HTTP virtual host: every request on port 80 is answered with a
# permanent (301) redirect to the same host and path over HTTPS.
<VirtualHost *:80>
RewriteEngine On
# %{HTTP_HOST} is taken from the client's Host header, so the redirect target
# is whatever host name the client sent. If this is the default *:80 vhost it
# answers for any name that reaches the server; where only known names should
# be redirected, use a fixed host name in the target instead.
# In virtual-host context the matched path keeps its leading "/", so $1
# already starts with a slash.
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
Redirect to FQDN
# TLS virtual host for the short host name: sends every request on to the
# fully qualified host name.
<VirtualHost *:443>
ServerName myserver
SSLEngine on
# The TLS handshake completes before the redirect is sent, so this certificate
# must also be valid for the short name "myserver"; otherwise clients get a
# certificate warning before they ever see the redirect.
SSLCertificateFile /etc/ssl/certs/cert.crt
# Private key: keep it readable by root only.
SSLCertificateKeyFile /etc/ssl/private/key.key
# NOTE(review): SSLCACertificateFile is documented as the CA bundle for
# verifying client certificates; confirm whether the intent here is to supply
# the intermediate chain for the server certificate instead.
SSLCACertificateFile /etc/ssl/certs/ca.pem
RewriteEngine On
# A bare R flag sends a temporary (302) redirect. The target host is fixed,
# so the client's Host header does not influence where the redirect points.
RewriteRule ^/(.*)$ https://myserver.fqdn.com/$1 [R,L]
</VirtualHost>
Set Server-Admin Mail Address
# Contact address that httpd includes in server-generated error pages (and in
# the page footer when ServerSignature is set to EMail). It is visible to
# clients, so a role mailbox is preferable to a personal address.
ServerAdmin mymail@mydomain.com
Set Expires Header
# Expires / max-age generation per media type; skipped when mod_expires is not loaded.
<IfModule mod_expires.c>
    ExpiresActive On

    # Fallback for every media type not listed below.
    ExpiresDefault "access plus 7 days"

    # HTML documents: expire immediately so clients always revalidate.
    ExpiresByType text/html "access plus 0 seconds"

    # Stylesheets and scripts (all three JavaScript media-type spellings).
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Images and favicons.
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"

    # WOFF web fonts (both media-type spellings).
    ExpiresByType application/font-woff "access plus 1 month"
    ExpiresByType application/x-font-woff "access plus 1 month"
</IfModule>
Header Security and Cache-Control
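# Response-header hygiene and per-extension Cache-Control; skipped when
# mod_headers is not loaded.
<IfModule mod_headers.c>
    # Drop any Cache-Control value set earlier; static assets get one back below.
    Header unset Cache-Control

    # NOTE(review): httpd adds the Server header itself when it writes the
    # response, so mod_headers generally cannot remove it. ServerTokens and
    # ServerSignature are the supported ways to reduce what it discloses.
    Header unset Server
    Header unset X-Powered-By

    # "Header set" without "always" is only applied to successful responses;
    # error responses generated by httpd will not carry this header.
    Header set Referrer-Policy "strict-origin-when-cross-origin"

    # Legacy header: current browsers have removed their XSS auditors and ignore
    # it. A Content-Security-Policy is the control to rely on against XSS.
    Header always set X-Xss-Protection "1; mode=block"

    # The patterns below use a single escaped dot and an unescaped "$" end
    # anchor. Written as "\\." and "\\$" they do not anchor on the file
    # extension, so the sections would not match ordinary file names.
    # "public" lets shared caches store the response: make sure files with
    # these extensions never carry per-user content.

    # Images, icons and Flash: 30 days.
    <FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>

    # Stylesheets and scripts: 7 days.
    <FilesMatch "\.(css|js)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
</IfModule>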
Gzip Compression
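# Compress text-like responses with DEFLATE; skipped when mod_deflate is not loaded.
#
# Compressing HTTPS responses that contain both a secret (for example a CSRF
# token) and request-controlled data exposes them to compression side-channel
# attacks of the BREACH class. Consider excluding such dynamic responses from
# compression, or randomising the secrets per response.
<IfModule mod_deflate.c>
    # Plain text and markup.
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css

    # XML-based formats. The Atom media type is "application/atom+xml";
    # spelled with an underscore it never matches a real response.
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/atom+xml

    # Scripts and JSON.
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json

    # Flash.
    AddOutputFilterByType DEFLATE application/x-shockwave-flash
</IfModule>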
SSL Super Strong Security Settings
Please consider activating HSTS. If you do, your complete domain will be listed for HSTS preloading. There is no chance to get it deleted from the HSTS preload list!
# TLS hardening: cipher and protocol restrictions, OCSP stapling, and
# (commented out) strict response headers.

# Only ECDHE/DHE key exchange is allowed, with AES-GCM or AES-256.
# NOTE(review): the AES256+EECDH and AES256+EDH terms also admit CBC-mode
# suites; confirm that is intended. TLS 1.3 suites are not selected by this
# cipher string.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Removes SSLv2, SSLv3, TLS 1.0 and TLS 1.1 from the enabled protocols.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# The server's cipher preference order wins over the client's.
SSLHonorCipherOrder On
# HSTS is left disabled. Enabling the line below makes browsers refuse plain
# HTTP for this host and every subdomain (includeSubDomains) for
# max-age=63072000 seconds (two years); "preload" signals consent to being
# added to browser preload lists. Only enable it once every subdomain serves
# valid HTTPS.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Forbids rendering the site in any frame (clickjacking protection); disabled here.
# Header always set X-Frame-Options DENY
# Stops browsers from MIME-sniffing responses; disabled here.
# Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
# TLS-level compression stays off (it enables CRIME-style attacks).
SSLCompression off
# OCSP stapling: the server attaches the certificate's revocation status to
# the handshake. SSLStaplingCache is only valid in the global server
# configuration, not inside a <VirtualHost> section.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# Disables TLS session tickets. Ticket keys otherwise stay in use until the
# server is restarted, which weakens forward secrecy.
SSLSessionTickets Off
HTTPS Website
# TLS virtual host that serves the site itself under the fully qualified name.
<VirtualHost *:443>
ServerName myserver.fqdn.com
# Visible to clients in server-generated error pages.
ServerAdmin mymail@mydomain.com
DocumentRoot /var/www/html/
<Directory /var/www/html/>
# AllowOverride All lets .htaccess files anywhere below the document root
# change any directive that is permitted there. Anything that can write into
# the web root (an upload feature, a compromised application) can then alter
# server behaviour. Narrow this to the directive groups actually needed, or
# to None, where the application allows it.
AllowOverride All
# No access restriction: every client may request content from this directory.
Require all granted
</Directory>
LogLevel warn
# APACHE_LOG_DIR is an environment variable that must be defined by the
# server's startup environment.
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.crt
# Private key: keep it readable by root only.
SSLCertificateKeyFile /etc/ssl/private/key.key
# NOTE(review): SSLCACertificateFile is documented as the CA bundle for
# verifying client certificates; confirm whether the intent here is to supply
# the intermediate chain for the server certificate instead.
SSLCACertificateFile /etc/ssl/certs/ca.pem
</VirtualHost>