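# Global mod_ssl settings for the HTTPS listener.
# Apache does not accept a comment on the same line as a directive, so every
# note below sits on its own line.
Listen 443

# "builtin" prompts on the terminal at startup if a private key is encrypted.
SSLPassPhraseDialog builtin

# Shared-memory session cache (1024000 bytes) with a one-hour session lifetime.
# NOTE(review): resumed sessions reuse earlier key material, so a long lifetime
# widens the window in which leaked session state exposes recorded traffic.
# Confirm that 3600 s is intended.
SSLSessionCache "shmcb:/run/httpd/sslcache(1024000)"
SSLSessionCacheTimeout 3600

# Seed the PRNG with 256 bytes from /dev/urandom at startup and from the
# builtin source on each connection.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

# No hardware crypto engine is used.
SSLCryptoDevice builtin

# Clients that send no SNI are not rejected; they reach the default (first)
# virtual host on this port and are shown that host's certificate.
SSLStrictSNIVHostCheck off

# Only TLS 1.2 and TLS 1.3 are offered; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Cipher preference list, AEAD (GCM) suites ahead of CBC suites within each
# key-exchange group. All suites use (EC)DHE, so every one provides forward
# secrecy.
# 3DES (EDH-RSA-DES-CBC3-SHA) is intentionally not listed. Its 64-bit block
# makes long-lived connections subject to birthday-bound collisions (Sweet32),
# and it was only ever the last-resort entry behind the AES suites.
# NOTE(review): the CBC suites with SHA-1/SHA-256/SHA-384 MACs are kept for
# older clients. Drop them if the access logs show no client negotiating them.
# NOTE(review): the three TLS_* names are TLS 1.3 suites. httpd 2.4.36+ takes
# TLS 1.3 suites through a separate "SSLCipherSuite TLSv1.3 <list>" line, so in
# this TLS 1.2 list they are presumably ignored and OpenSSL's TLS 1.3 defaults
# apply. Confirm against the installed httpd/OpenSSL.
SSLCipherSuite "TLS_AES_128_GCM_SHA256 \
TLS_AES_256_GCM_SHA384 \
TLS_CHACHA20_POLY1305_SHA256 \
ECDHE-ECDSA-AES128-GCM-SHA256 \
ECDHE-ECDSA-AES256-GCM-SHA384 \
ECDHE-ECDSA-AES128-SHA \
ECDHE-ECDSA-AES256-SHA \
ECDHE-ECDSA-AES128-SHA256 \
ECDHE-ECDSA-AES256-SHA384 \
ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-GCM-SHA384 \
ECDHE-RSA-AES128-SHA \
ECDHE-RSA-AES256-SHA \
ECDHE-RSA-AES128-SHA256 \
ECDHE-RSA-AES256-SHA384 \
DHE-RSA-AES128-GCM-SHA256 \
DHE-RSA-AES256-GCM-SHA384 \
DHE-RSA-AES128-SHA \
DHE-RSA-AES256-SHA \
DHE-RSA-AES128-SHA256 \
DHE-RSA-AES256-SHA256"

# The server's order above wins over the client's preference.
SSLHonorCipherOrder on

# TLS-level compression stays off (CRIME). This does not affect HTTP-level
# compression configured elsewhere with output filters.
SSLCompression off

# OCSP stapling with a 128000-byte shared-memory response cache.
# Stapling only works when the served certificate names an OCSP responder and
# the issuer certificate is available; check the error log for stapling
# failures after each certificate renewal.
SSLUseStapling On
SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000)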
############# MAINHOST.COM ################
# HTTPS site definition for www.mainhost.com / mainhost.com.
# NOTE(review): no VirtualHost container lines are visible around this section
# in the listing. Without them these directives apply at server scope and would
# collide with the other site section in this file. Confirm the deployed file
# wraps each site in its own container.
ServerName www.mainhost.com
ServerAlias mainhost.com
DocumentRoot "/usr/local/apache2/htdocs"
AddDefaultCharset UTF-8
# Offer HTTP/2 over TLS, falling back to HTTP/1.1.
Protocols h2 http/1.1
# Compress responses with Brotli or DEFLATE; the SetEnvIfNoCase line exempts
# gif/jpeg/png requests from both.
# NOTE(review): HTTP compression over TLS is the precondition for BREACH-style
# length side channels. Pages that reflect request input next to secrets (CSRF
# tokens, session data) should be excluded from compression or have the secret
# masked per response. Verify which responses this site serves.
SetOutputFilter BROTLI_COMPRESS;DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip no-brotli dont-vary
SSLEngine on
# HSTS for one year, sent on every response including errors ("always").
# No includeSubDomains is set, so the policy covers only the exact host name a
# browser visited, not other names under the wildcard certificate.
Header always set Strict-Transport-Security "max-age=31536000"
# Previous certificate location, kept for reference only.
#SSLCertificateFile /etc/pki/tls/certs/server.crt
#SSLCertificateKeyFile /etc/pki/tls/private/server.key
#Let's encrypt(wildcard)
# Leaf certificate and private key from the Let's Encrypt live directory.
# The key file should be readable by root only; httpd reads it at startup.
SSLCertificateFile /etc/letsencrypt/live/mainhost.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mainhost.com/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
# Intermediate chain. SSLCertificateChainFile is deprecated since httpd 2.4.8;
# the usual replacement is to point SSLCertificateFile at fullchain.pem.
SSLCertificateChainFile /etc/letsencrypt/live/mainhost.com/chain.pem
# NOTE(review): the other site section in this file writes to the same two log
# files, and the "combined" format records no virtual-host name, so requests
# for the two sites cannot be told apart from the access log alone. Consider
# per-site log files or a format that includes the host name.
ErrorLog "logs/https-error_log"
CustomLog "logs/https-access_log" combined
############# EXAMPLE.COM ################
# HTTPS site definition for www.example.com / example.com.
# NOTE(review): no VirtualHost container lines are visible around this section
# in the listing. Without them these directives apply at server scope and would
# collide with the earlier site section in this file. Confirm the deployed file
# wraps each site in its own container.
ServerName www.example.com
ServerAlias example.com
DocumentRoot "/usr/local/apache2/htdocs/example.com"
AddDefaultCharset UTF-8
# Offer HTTP/2 over TLS, falling back to HTTP/1.1.
Protocols h2 http/1.1
# Compress responses with Brotli or DEFLATE; the SetEnvIfNoCase line exempts
# gif/jpeg/png requests from both.
# NOTE(review): HTTP compression over TLS is the precondition for BREACH-style
# length side channels. Pages that reflect request input next to secrets (CSRF
# tokens, session data) should be excluded from compression or have the secret
# masked per response. Verify which responses this site serves.
SetOutputFilter BROTLI_COMPRESS;DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip no-brotli dont-vary
SSLEngine on
# HSTS for one year, sent on every response including errors ("always").
# No includeSubDomains is set, so the policy covers only the exact host name a
# browser visited.
Header always set Strict-Transport-Security "max-age=31536000"
# Previous certificate location, kept for reference only.
#SSLCertificateFile /etc/pki/tls/certs/server.crt
#SSLCertificateKeyFile /etc/pki/tls/private/server.key
#Let's encrypt
# Leaf certificate and private key from the Let's Encrypt live directory.
# The key file should be readable by root only; httpd reads it at startup.
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
# Intermediate chain. SSLCertificateChainFile is deprecated since httpd 2.4.8;
# the usual replacement is to point SSLCertificateFile at fullchain.pem.
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
# NOTE(review): these are the same two log files the earlier site section
# uses, and the "combined" format records no virtual-host name, so requests
# for the two sites cannot be told apart from the access log alone. Consider
# per-site log files or a format that includes the host name.
ErrorLog "logs/https-error_log"
CustomLog "logs/https-access_log" combined