Warning
These settings will lock out various older browsers and clients!
Preparations
Enable the SSL module (this only needs to be done once):
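# Enable mod_ssl and mod_headers (Debian/Ubuntu layout). mod_headers is needed
# for the "Header" directives in the virtual host below; without it httpd
# refuses to start with "Invalid command 'Header'". Reload apache2 afterwards.
a2enmod ssl headers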
The virtual host configuration:
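# HTTPS virtual host for sub.domain.tld.
# Requires mod_ssl and mod_headers to be loaded (the Header directives below
# fail to parse with "Invalid command 'Header'" if mod_headers is missing).
<VirtualHost *:443>
    ServerName sub.domain.tld
    ServerAdmin admin@sub.domain.tld
    DocumentRoot /path/to/root/

    <Directory /path/to/root/>
        # An Options line without +/- replaces the inherited set, so Indexes
        # (directory listings) stays off for the document root.
        Options FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/sub.domain.tld_error.log
    CustomLog ${APACHE_LOG_DIR}/sub.domain.tld_access.log combined
    ServerSignature Off

    # Security response headers. "always" makes them apply to every response,
    # including error pages and redirects; without it mod_headers only adds
    # them to successful (2xx) responses, leaving e.g. 404/500 pages bare.
    # HSTS: two years, covering subdomains. "preload" is deliberately not set;
    # add it only once every subdomain is permanently HTTPS-only.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    # X-XSS-Protection is a legacy header: most current browsers ignore it and
    # OWASP now recommends the value 0 (or omitting it) in favour of a
    # Content-Security-Policy. Kept with its original value here.
    Header always set X-XSS-Protection "1;mode=block"

    SSLEngine on
    # Prefer the server's cipher order over the client's preference.
    SSLHonorCipherOrder on
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). The original "ALL -SSLv2 -SSLv3"
    # still allowed both, contradicting the page's intent of locking out old
    # clients. TLS 1.2 remains; TLS 1.3 is included on httpd >= 2.4.36 with
    # OpenSSL >= 1.1.1.
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # TLS-level compression enables compression-oracle attacks (CRIME); keep off.
    SSLCompression off
    # Forward-secret suites only (ephemeral ECDH/DH), AES-GCM first; static RSA
    # key exchange and 3DES excluded.
    # NOTE(review): the leading TLS13-* names are pre-release OpenSSL/BoringSSL
    # spellings. OpenSSL 1.1.1 final configures TLS 1.3 suites separately
    # (httpd >= 2.4.36: "SSLCipherSuite TLSv1.3 ..."), so these two entries are
    # probably ignored rather than applied - verify with `openssl ciphers -v`.
    SSLCipherSuite TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!RSA:!3DES
    # On httpd >= 2.4.11, "SSLSessionTickets off" additionally avoids a
    # long-lived ticket key weakening forward secrecy across restarts.
    SSLCertificateFile /etc/apache2/ssl/sub.domain.tld.crt
    # The private key file should be readable by root only (mode 0600).
    SSLCertificateKeyFile /etc/apache2/ssl/sub.domain.tld.key
</VirtualHost>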
# Plain-HTTP listener: serves nothing itself and only answers with a permanent
# (301) redirect to the HTTPS host. "Redirect" appends whatever follows the
# matched "/" prefix, so the original request path is preserved.
<VirtualHost *:80>
    ServerName sub.domain.tld
    Redirect 301 / https://sub.domain.tld/
</VirtualHost>