Apache : Secure configuration
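# ---------------------------------------------------------------------------
# Global (server-config) scope
# ---------------------------------------------------------------------------
# Drop the "Apache/2.x (OS)" footer from server-generated pages (error pages,
# directory listings).
ServerSignature Off
# Send only "Server: Apache"; version, OS and module list are withheld.
ServerTokens Prod

# SSLSessionCache and SSLStaplingCache are server-config-only directives:
# mod_ssl refuses them inside <VirtualHost> ("not allowed here") and the
# server will not start, so they live here and are shared by every TLS vhost.
# ${APACHE_RUN_DIR} follows the same envvars convention as ${APACHE_LOG_DIR}
# below; on a non-Debian layout substitute an absolute, writable directory.
SSLSessionCache "shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName mywebserver.domain.net
    DocumentRoot /var/www/web

    SSLEngine on
    # server.pem may hold the leaf certificate followed by its intermediate(s)
    # (supported since 2.4.8); SSLCertificateChainFile is deprecated for that.
    SSLCertificateFile /etc/apache2/ssl/server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # NOTE(review): SSLCACertificateFile is the trust store for *client*
    # certificate verification (SSLVerifyClient) and is also consulted by
    # mod_ssl to locate the issuer when building OCSP stapling responses. It
    # does not make Apache send this CA to browsers; if ca.pem is meant to be
    # the intermediate chain, append it to server.pem instead.
    SSLCACertificateFile /etc/apache2/ssl/ca.pem

    # Disable SSLv3, TLS 1.0 and TLS 1.1; only TLS 1.2 and 1.3 remain.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Mozilla "intermediate" list (2024): every suite is ECDHE/DHE (forward
    # secret) with an AEAD (AES-GCM or ChaCha20-Poly1305); no CBC suites and
    # no static RSA key exchange.
    # https://ssl-config.mozilla.org/#server=apache
    # This directive only governs TLS 1.2 and below; TLS 1.3 suites are chosen
    # from OpenSSL's own list unless "SSLCipherSuite TLSv1.3 ..." is set.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    # Prefer the server's order over the client's. Every suite above already
    # provides forward secrecy, so this does not decide PFS; it only decides
    # which AEAD wins when the client's preference differs (AES-GCM vs ChaCha20).
    SSLHonorCipherOrder on
    # Session tickets are encrypted with a key that is only regenerated on
    # restart, so a captured ticket plus that key exposes resumed sessions and
    # weakens forward secrecy. Resumption still works via the session cache.
    SSLSessionTickets off
    # TLS-level compression is the CRIME vector. It defaults to off on 2.4.3+;
    # pinned explicitly so a build or config change cannot re-enable it.
    SSLCompression off

    # OCSP stapling: the server fetches its own certificate status and ships
    # it in the handshake, so clients need no OCSP round trip of their own.
    SSLUseStapling on
    # Do not staple responder errors (default on): a stapled "tryLater" makes
    # strict clients fail the handshake; omitting the staple is the safer
    # failure. Also cap the responder wait at 5 s (default 10 s) so a slow
    # responder cannot stall handshakes.
    SSLStaplingReturnResponderErrors off
    SSLStaplingResponderTimeout 5
    # Custom DH group for the DHE-* suites. Generate with at least 2048 bits
    # (openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048); weaker groups
    # are rejected by modern TLS stacks.
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

    # Security headers. "always" applies them to every response, including
    # Apache-generated 4xx/5xx pages, which plain "Header set" skips (it only
    # touches the success table) -- and error pages are exactly what a prober sees.
    ## Stop browsers from MIME-sniffing responses.
    Header always set X-Content-Type-Options "nosniff"
    ## Only same-origin pages may frame this site (clickjacking). This is a
    ## framing-only policy: it restricts no scripts, styles or connections, so
    ## a real application CSP (script-src, object-src, base-uri, ...) is still
    ## to be written for the content served from DocumentRoot.
    Header always set Content-Security-Policy "frame-ancestors 'self';"
    ## Legacy equivalent for browsers without CSP frame-ancestors support;
    ## browsers that understand both let CSP take precedence.
    Header always set X-Frame-Options "SAMEORIGIN"
    ## HSTS: one year, covering every subdomain. NOTE(review): "preload" is a
    ## commitment -- once submitted to hstspreload.org the entry is hard to
    ## withdraw and every subdomain must serve valid HTTPS from then on; the
    ## preload list also requires an HTTP->HTTPS redirect on :80, which this
    ## file does not define. Drop the token unless the domain is really being submitted.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>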