ServerAdmin webmaster@example.com
ServerName auth.example.com
ServerAlias www.auth.example.com
DocumentRoot /path/to/app
Alias /piwik /path/to/piwik
AddCharset UTF-8 .html .css .js
CustomLog /path/to/http.log combined
ErrorLog /path/to/error.log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
# From https://wiki.mozilla.org/Security/Server_Side_TLS#Apache (Nov 2016, Intermediate compat)
SSLHonorCipherOrder on
SSLCompression off
#SSLSessionTickets off
SSLUseStapling on
# Use HSTS
Header add Strict-Transport-Security "max-age=15768000"
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-
# certbot certonly --agree-tos --webroot --non-interactive --agree-tos --email you@example.com --webroot-path /path/to/app/ --domains auth.example.com,www.auth.example.com
SSLCertificateFile /etc/certbot/live/auth.example.com/fullchain.pem
SSLCertificateKeyFile /etc/certbot/live/auth.example.com/privkey.pem
ServerAdmin webmaster@example.com
ServerName auth.example.com
ServerAlias www.auth.example.com
DocumentRoot /path/to/app
Alias /piwik /path/to/piwik
AddCharset UTF-8 .html .css .js
# common catch-all redirect
RedirectMatch permanent ^(.*)$ https://auth.example.com/$1
CustomLog /path/to/http.log combined
ErrorLog /path/to/error.log
# If you symlink app/ to your actual DocumentRoot, you'll need FollowSymLinks here.
Options None
AllowOverride All
Order allow,deny
Allow from all