<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName auth.example.com
    ServerAlias www.auth.example.com
    DocumentRoot /path/to/app
    Alias /piwik /path/to/piwik
    AddCharset UTF-8 .html .css .js

    CustomLog /path/to/http.log combined
    ErrorLog /path/to/error.log

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3

    # From https://wiki.mozilla.org/Security/Server_Side_TLS#Apache (Nov 2016, Intermediate compat)
    SSLHonorCipherOrder on
    SSLCompression off
    #SSLSessionTickets off
    SSLUseStapling on

    # Use HSTS
    Header add Strict-Transport-Security "max-age=15768000"

    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-

    # certbot certonly --agree-tos --webroot --non-interactive --email you@example.com --webroot-path /path/to/app/ --domains auth.example.com,www.auth.example.com
    SSLCertificateFile /etc/certbot/live/auth.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/certbot/live/auth.example.com/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName auth.example.com
    ServerAlias www.auth.example.com
    DocumentRoot /path/to/app
    Alias /piwik /path/to/piwik
    AddCharset UTF-8 .html .css .js

    # common catch-all redirect
    RedirectMatch permanent ^(.*)$ https://auth.example.com/$1

    CustomLog /path/to/http.log combined
    ErrorLog /path/to/error.log
</VirtualHost>

# If you symlink app/ to your actual DocumentRoot, you'll need FollowSymLinks here.
<Directory /path/to/app>
    Options None
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>