HSTS can be configured in /etc/apache2/apache2.conf for all vhosts at once, or it has to be configured in each vhost conf separately.
Example of a vhost with HTTPS + HTTP/2 + strong ciphers + HSTS (needs mod_ssl, mod_headers and mod_http2 enabled: a2enmod ssl headers http2). Note that Apache only accepts comments on their own line, never after a directive, so the annotations below are on separate lines:
<VirtualHost *:443>
    # HTTPS port
    ServerAdmin webmaster@localhost
    # HTML root location
    DocumentRoot /var/www/html
    # HTTP/2 is negotiated as "h2" over TLS (mod_http2, Apache 2.4.17 and later);
    # on a plain-HTTP vhost the cleartext variant is "h2c"
    Protocols h2 http/1.1
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Location of my Let's Encrypt certificate and key
    SSLCertificateFile /etc/letsencrypt/live/xxxxxxxxxxx/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxxxxxx/privkey.pem
    # More options, see below after --conf+
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerName xxxxxxxxxxxxx
    # HSTS setting for Nextcloud, SEE WARNING 2 BELOW AFTER EOF
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    # Modern configuration, tweak to your needs: STRONG CIPHERS ONLY, SEE WARNING 1
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    #SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDS$
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire
    # OCSP stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    # SSLStaplingCache is only allowed in the server-wide config (for example
    # /etc/apache2/mods-available/ssl.conf), not inside <VirtualHost>: Apache
    # refuses to start with it here ("SSLStaplingCache not allowed here").
    # Put this line in the global config instead:
    #SSLStaplingCache shmcb:/var/run/ocsp(128000)
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
------------conf+---------------- (contents of /etc/letsencrypt/options-ssl-apache.conf) I have commented out several lines because some options are applied server-wide and not only on the vhost, or are already set in the vhost above:
# Baseline setting to Include for SSL sites
SSLEngine on
# Intermediate configuration, tweak to your needs
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AE$
#SSLHonorCipherOrder on
#SSLCompression off
#SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
#EOF
WARNINGS:
1- Using strong ciphers will block access to your server for "old" browsers and maybe for some hardware.
For example, hardware incapable of handling keys of 128 bits or more will fail to connect to the server!
2- HSTS does add extra security, particularly against cookie attacks, but it depends on your whole domain only ever being served via HTTPS, so this is where you need to be a little more careful, as it is potentially quite dangerous. With includeSubDomains it depends on all subdomains being on HTTPS. While this may seem obvious, it has large consequences if you set it at your top-level domain (e.g. tunetheweb.com rather than www.tunetheweb.com); websites have got it wrong in the past and, with a long expiry, that can spell disaster for your website if an incorrect policy gets loaded into many people's browsers. Always use a low value like max-age=3600 (1 h) for testing, and only raise it once every host under the domain is confirmed to serve HTTPS correctly.
3- Depending on your server configuration, you may have multiple Apache and PHP configurations, each of them possibly using a .htaccess file that might need tweaking too.
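Added example (my own script, not part of the notes or of any Apache/Certbot file): a POSIX shell script that checks the points above after deployment. `hsts_fields` and `hsts_verdict` parse a Strict-Transport-Security value and classify it as a short "testing" policy (warning 2) or a production one; `stapling_cache_misplaced` scans a config file for SSLStaplingCache inside a <VirtualHost>, where Apache rejects it; `live_checks` uses curl and openssl against a real host to confirm the header is sent, TLS 1.0/1.1 are refused and an OCSP response is stapled. The host name argument, the 86400-second "testing" threshold and the sample config lines are my own assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Post-deployment checks for the HSTS / TLS vhost (added example, not from the notes).
# Assumptions: curl and openssl are installed; the host passed to live_checks is
# reachable on port 443. Sample inputs used in comments are constructed.

# Split a Strict-Transport-Security value into "max-age includeSubDomains preload",
# e.g. "max-age=15768000; includeSubDomains" -> "15768000 yes no" (missing max-age -> 0).
hsts_fields() {
    _v=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
    _age=$(printf '%s\n' "$_v" | tr ';' '\n' | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    _sub=no; case ";$_v;" in *";includesubdomains;"*) _sub=yes ;; esac
    _pre=no; case ";$_v;" in *";preload;"*) _pre=yes ;; esac
    printf '%s %s %s\n' "${_age:-0}" "$_sub" "$_pre"
}

# Classify a policy for rollout: "invalid" (no max-age), "testing" (max-age of at most
# one day, an assumed threshold in the spirit of warning 2), "production", or
# "production+subdomains" (the combination that is dangerous on an apex domain).
hsts_verdict() {
    set -- $(hsts_fields "$1")
    if [ "$1" -eq 0 ]; then echo invalid
    elif [ "$1" -le 86400 ]; then echo testing
    elif [ "$2" = yes ]; then echo production+subdomains
    else echo production
    fi
}

# SSLStaplingCache is only valid at server scope. Print every occurrence found inside
# a <VirtualHost> block of the given file; exit status 1 if any was found, 0 otherwise.
stapling_cache_misplaced() {
    awk 'tolower($0) ~ /^[ \t]*<virtualhost/ { inv = 1 }
         tolower($0) ~ /^[ \t]*<\/virtualhost>/ { inv = 0 }
         inv && tolower($0) ~ /^[ \t]*sslstaplingcache/ { print FILENAME ":" NR ": " $0; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Live checks against a deployed host: HSTS header present and classified,
# TLS 1.0 and 1.1 refused by the server, OCSP response stapled.
live_checks() {
    host=$1
    hdr=$(curl -sSI --max-time 10 "https://$host/" \
          | tr -d '\r' | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1)
    if [ -z "$hdr" ]; then echo "FAIL: no Strict-Transport-Security header"
    else echo "HSTS: $hdr -> $(hsts_verdict "$hdr")"; fi
    # SECLEVEL=0 makes the openssl client actually offer the old versions, so a
    # refusal comes from the server and not from the client's own policy.
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:443" -servername "$host" "-$v" \
               -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1
        then echo "FAIL: $v accepted"; else echo "ok: $v refused"; fi
    done
    if openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null \
           | grep -q 'OCSP Response Status: successful'
    then echo "ok: OCSP response stapled"
    else echo "FAIL: no OCSP staple (is SSLStaplingCache set in the global config?)"; fi
}

# Usage: sh check_tls.sh example.org   (host name is an assumption)
if [ $# -eq 1 ]; then live_checks "$1"; fi
```

Run `stapling_cache_misplaced /etc/apache2/sites-enabled/*.conf` before `apache2ctl configtest` to catch the misplaced directive, and `live_checks` after restarting Apache. Some openssl builds refuse to offer TLS 1.0/1.1 even at SECLEVEL=0, which would also print "refused", so confirm a suspicious result with `openssl s_client -msg` or an external scanner.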