adactio · December 13, 2016 13:48
diff --git a/yourdomain.com.conf b/yourdomain.com.conf
 <VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        DocumentRoot /path/to/yourdomain
        Redirect / https://yourdomain.com/
 </VirtualHost>

 <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        DocumentRoot /path/to/yourdomain/
        <Directory /path/to/yourdomain/>
                AllowOverride All
                Require all granted
                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
                </IfModule>
        </Directory>

        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/yourdomain.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/yourdomain.com/privkey.pem
        SSLCACertificateFile    /etc/letsencrypt/live/yourdomain.com/fullchain.pem
        SSLProtocol     all
        SSLCipherSuite  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

        SSLHonorCipherOrder     on
        SSLCompression  off
        SSLUseStapling  on
 </VirtualHost>

 SSLStaplingResponderTimeout     5
 SSLStaplingReturnResponderErrors        off
 SSLStaplingCache        shmcb:/var/run/ocsp(128000)
	<VirtualHost *:80>
	ServerAdmin [email protected]
	ServerName yourdomain.com
	ServerAlias www.yourdomain.com
	DocumentRoot /path/to/yourdomain
	Redirect / https://yourdomain.com/
	</VirtualHost>

	<VirtualHost *:443>
	ServerAdmin [email protected]
	ServerName yourdomain.com
	ServerAlias www.yourdomain.com
	DocumentRoot /path/to/yourdomain/
	<Directory /path/to/yourdomain/>
	AllowOverride All
	Require all granted
	<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	</IfModule>
	</Directory>

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
	SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
	SSLCACertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
	SSLProtocol all
	SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

	SSLHonorCipherOrder on
	SSLCompression off
	SSLUseStapling on
	</VirtualHost>

	SSLStaplingResponderTimeout 5
	SSLStaplingReturnResponderErrors off
	SSLStaplingCache shmcb:/var/run/ocsp(128000)