--- /dev/null
+<VirtualHost *:443>
+ ServerAdmin webmaster@example.com
+ ServerName auth.example.com
+ ServerAlias www.auth.example.com
+ DocumentRoot /path/to/app
+
+ Alias /piwik /path/to/piwik
+
+ AddCharset UTF-8 .html .css .js
+
+ CustomLog /path/to/http.log combined
+ ErrorLog /path/to/error.log
+
+ SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
+ # From https://wiki.mozilla.org/Security/Server_Side_TLS#Apache (Nov 2016, Intermediate compat)
+ SSLHonorCipherOrder on
+ SSLCompression off
+ #SSLSessionTickets off
+ SSLUseStapling on
+ # Use HSTS
+ Header add Strict-Transport-Security "max-age=15768000"
+
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-
+
+ # certbot certonly --agree-tos --webroot --non-interactive --agree-tos --email you@example.com --webroot-path /path/to/app/ --domains auth.example.com,www.auth.example.com
+ SSLCertificateFile /etc/certbot/live/auth.example.com/fullchain.pem
+ SSLCertificateKeyFile /etc/certbot/live/auth.example.com/privkey.pem
+</VirtualHost>
+<VirtualHost *:80>
+ ServerAdmin webmaster@example.com
+ ServerName auth.example.com
+ ServerAlias www.auth.example.com
+ DocumentRoot /path/to/app
+
+ Alias /piwik /path/to/piwik
+
+ AddCharset UTF-8 .html .css .js
+
+ # common catch-all redirect
+ RedirectMatch permanent ^(.*)$ https://auth.example.com/$1
+
+ CustomLog /path/to/http.log combined
+ ErrorLog /path/to/error.log
+</VirtualHost>
+<Directory "/path/to/">
+ # If you symlink app/ to your actual DocumentRoot, you'll need FollowSymLinks here.
+ Options None
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+</Directory>