path: root/apache2/conf-available/local-ssl.conf
  # Fall back to ${_HOST} as the TLS host name when the including
  # configuration defined _HOST but left _TLSHOST unset.
  <IfDefine !_TLSHOST>
      <IfDefine _HOST>
          # __TLSHOST records that _TLSHOST was defined by this file, so the
          # Undefine section at the end of the file can remove it again.
          Define __TLSHOST
          Define _TLSHOST ${_HOST}
      </IfDefine>
  </IfDefine>
  # Default the certificate chain and private key to the dehydrated
  # per-host directory, unless the caller already defined _TLS_KEY.
  # NOTE(review): only _TLS_KEY is tested. A caller that defines _TLS_KEY
  # must also define _TLS_CERT_CHAIN, and a caller that defines only
  # _TLS_CERT_CHAIN has it overwritten here.
  <IfDefine !_TLS_KEY>
      <IfDefine _TLSHOST>
          # The double-underscore markers record that this file set the
          # value, so the Undefine sections at the end of the file apply.
          Define __TLS_CERT_CHAIN
          Define _TLS_CERT_CHAIN /var/lib/dehydrated/certs/${_TLSHOST}/fullchain.pem

          # NOTE(review): privkey.pem should not be readable by the
          # unprivileged worker user or by CGI/PHP code - confirm the
          # ownership and mode of the dehydrated certs directory.
          Define __TLS_KEY
          Define _TLS_KEY /var/lib/dehydrated/certs/${_TLSHOST}/privkey.pem
      </IfDefine>
  </IfDefine>
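  # TLS settings, applied only when a TLS host name is known.
  <IfDefine _TLSHOST>
      # Send plain-HTTP requests to HTTPS. Paths under /.well-known/ are
      # exempt (presumably so ACME http-01 challenges for dehydrated can be
      # answered over HTTP - confirm).
      # The leading "/" is matched outside the capture group so the target
      # is https://host/path rather than https://host//path, and the dot is
      # escaped so that only the literal ".well-known" prefix is exempt.
      # NOTE(review): the target uses ${_HOST} although this section is
      # gated on _TLSHOST; confirm _HOST is always defined when a caller
      # sets _TLSHOST directly.
      <If "%{HTTPS} == 'off'">
          RedirectMatch permanent ^/(?!\.well-known/)(.*) https://${_HOST}/$1
      </If>

      # enable HSTS
      # <http://www.debian-administration.org/articles/662>
      # "always set" replaces "add": the header is also sent on error and
      # redirect responses, and an existing header is replaced rather than
      # duplicated. It is limited to HTTPS responses, since RFC 6797 says
      # the header must not be sent over non-secure transport.
      # max-age=15768000 seconds is about six months.
      <IfDefine !_NO_HSTS>
          <If "%{HTTPS} == 'on'">
              # includeSubdomains applies the policy to every subdomain of
              # this host; define _NO_HSTS_SUBDOMAINS if any subdomain
              # still has to be reachable over plain HTTP.
              <IfDefine !_NO_HSTS_SUBDOMAINS>
                  Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains"
              </IfDefine>
              <IfDefine _NO_HSTS_SUBDOMAINS>
                  Header always set Strict-Transport-Security "max-age=15768000"
              </IfDefine>
          </If>
      </IfDefine>

      # mod_gnutls takes precedence when it is loaded.
      # NOTE(review): no protocol or cipher priorities are set in this
      # section; presumably they come from the module's global
      # configuration - verify they meet current policy.
      <IfModule mod_gnutls.c>
          GnuTLSEnable on
          <IfDefine _TLS_KEY>
              GnuTLSCertificateFile ${_TLS_CERT_CHAIN}
              GnuTLSKeyFile ${_TLS_KEY}
          </IfDefine>

          # Staple the OCSP response only when a response file is supplied.
          <IfDefine _OCSP_RESPONSE>
              GnuTLSOCSPStapling on
              GnuTLSOCSPResponseFile ${_OCSP_RESPONSE}
          </IfDefine>
          <IfDefine !_OCSP_RESPONSE>
              GnuTLSOCSPStapling off
          </IfDefine>
      </IfModule>

      # mod_ssl is used only when mod_gnutls is not loaded.
      # NOTE(review): SSLProtocol and SSLCipherSuite are not set here;
      # presumably inherited from the global mod_ssl configuration - verify.
      <IfModule mod_ssl.c>
          <IfModule !mod_gnutls.c>
              SSLEngine on
              <IfDefine _TLS_KEY>
                  SSLCertificateFile ${_TLS_CERT_CHAIN}
                  SSLCertificateKeyFile ${_TLS_KEY}
              </IfDefine>

              # Export the standard SSL_* environment variables only to
              # script handlers and the CGI directory.
              <FilesMatch "\.(cgi|shtml|phtml|php)$">
                  SSLOptions +StdEnvVars
              </FilesMatch>
              <Directory /usr/lib/cgi-bin>
                  SSLOptions +StdEnvVars
              </Directory>
          </IfModule>
      </IfModule>
  </IfDefine>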
  # Cleanup: remove every variable this file defined itself, identified by
  # its double-underscore marker, so that the defaults do not carry over
  # into whatever is parsed after this file. Values supplied by the caller
  # have no marker and are left untouched.
  <IfDefine __TLSHOST>
      Undefine _TLSHOST
      Undefine __TLSHOST
  </IfDefine>

  <IfDefine __TLS_CERT_CHAIN>
      Undefine _TLS_CERT_CHAIN
      Undefine __TLS_CERT_CHAIN
  </IfDefine>

  <IfDefine __TLS_KEY>
      Undefine _TLS_KEY
      Undefine __TLS_KEY
  </IfDefine>