ssl.cnf

SSLEngine on

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder     on

SSLCompression          off

SSLOptions +StrictRequire

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

SSLCertificateFile      /etc/httpd/server-cert/_wildcard_xxx.crt
SSLCertificateKeyFile   /etc/httpd/server-cert/_wildcard_xxx_SHA256WITHRSA.key
SSLCertificateChainFile /etc/httpd/server-cert/rsa-dv.chain-bundle.pem
SSLCACertificateFile    /etc/httpd/server-cert/AddTrustExternalCARoot.crt

Header always set Strict-Transport-Security "max-age=86400; includeSubdomains; preload"
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy: "default-src 'self' 'unsafe-inline'"

<VirtualHost *:443>
    ServerName example.kreonet.net
    Use RotateLogs example.kreonet.net
    Include conf.d/ssl-kreonet.cnf
    #...
</VirtualHost>