ServerTokens Prod
<IfModule mod_ssl.c>
<VirtualHost irclogs.gnunet.org:443>
	ServerAdmin address@hidden
 	ServerName "irclogs.gnunet.org"	
	ServerSignature Off
	KeepAlive On
	KeepAliveTimeout 30
	MaxKeepAliveRequests 1000
	ExpiresActive On
	ExpiresDefault "access plus 5 minutes"
	ExpiresByType image/gif "access plus 1 year"
	ExpiresByType image/jpeg "access plus 1 year"
	ExpiresByType image/png "access plus 1 year"
	ExpiresByType application/javascript "access plus 1 week"
	ExpiresByType text/css "access plus 1 week"
	ExpiresByType image/x-icon "access plus 1 year"
	ExpiresByType text/html "access plus 1 minute"
	Header unset Cache-Control
	Header unset ETag
	FileETag None
        ErrorLog /var/log/apache2/gnunet-irclogs-ssl_error.log
        LogLevel debug
        CustomLog /var/log/apache2/gnunet-irclogs-ssl_access.log combined
 
        ProxyPass / uwsgi://127.0.0.1:7000/
	#   Enable/Disable SSL for this virtual host.
	SSLEngine on
	SSLCompression off
	SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
	SSLHonorCipherOrder On
	Header add Strict-Transport-Security "max-age=15768000 ; includeSubDomains; preload"
	Header add X-XSS-Protection "1; mode=block"
	Header add X-Frame-Options "SAMEORIGIN"
	Header add X-Content-Type-Options "nosniff"
	Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://irclogs.gnunet.org; frame-ancestors 'self'"
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL

	SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#:!EDH
	SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

#	SSLCertificateKeyFile    /etc/ssl/private/gnunet.org.key
	SSLCertificateKeyFile /etc/letsencrypt/live/v10.gnunet.org/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/v10.gnunet.org/fullchain.pem
	SSLCertificateFile /etc/letsencrypt/live/v10.gnunet.org/cert.pem

#	SSLCertificateFile /etc/ssl/certs/gnunet.org.cert
#	SSLCertificateChainFile /etc/ssl/private/cachain.csr
	SSLOptions +StrictRequire

	BrowserMatch ".*MSIE.*" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>