<Macro HTTP2HTTPS $domain>
<VirtualHost *:80>
ServerName $domain
- Redirect permanent / https://$domain/
+ # Apparently you need the rewrite engine to implement
+ # a simple "redirect all except for..." policy. Amazing.
+ RewriteEngine on
+ # Do *not* redirect the acme-challenge dir to https, since otherwise the
+ # challenge cannot be fetched when there is no certificate yet for this domain.
+ RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/acme-challenge/$1 [L]
+ # Make the upgrade to HTTPS a "permanent" redirect.
+ RewriteRule ^/(.*) https://$domain/$1 [R=301,L]
</VirtualHost>
</Macro>
Header unset Strict-Transport-Security
Header set Strict-Transport-Security "max-age=864000"
# Make sure we load everything via HTTPS
- Header set Content-Security-Policy "upgrade-insecure-requests"
+ Header add Content-Security-Policy "upgrade-insecure-requests"
#########################################################
# SSL configuration below ###############################
SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL'
SSLHonorCipherOrder on
- # Certificate, DH parameters and key
- SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh
+ # DH parameters
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem"
+
+ # Certificate and key
+ SSLCertificateFile /etc/ssl/mycerts/$cert.crt
SSLCertificateKeyFile /etc/ssl/private/$cert.key
# Server Certificate Chain:
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
- SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain
+ SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
projects / ansible.git / blobdiff