Listen 443 https SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog SSLSessionCache shmcb:/run/httpd/sslcache(1024000) SSLSessionCacheTimeout 3600 SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin SSLStrictSNIVHostCheck off SSLProtocol -all +TLSv1.2 +TLSv1.3 SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256 \ ECDHE-ECDSA-AES256-GCM-SHA384 \ ECDHE-ECDSA-AES128-SHA \ ECDHE-ECDSA-AES256-SHA \ ECDHE-ECDSA-AES128-SHA256 \ ECDHE-ECDSA-AES256-SHA384 \ ECDHE-RSA-AES128-GCM-SHA256 \ ECDHE-RSA-AES256-GCM-SHA384 \ ECDHE-RSA-AES128-SHA \ ECDHE-RSA-AES256-SHA \ ECDHE-RSA-AES128-SHA256 \ ECDHE-RSA-AES256-SHA384 \ DHE-RSA-AES128-GCM-SHA256 \ DHE-RSA-AES256-GCM-SHA384 \ DHE-RSA-AES128-SHA \ DHE-RSA-AES256-SHA \ DHE-RSA-AES128-SHA256 \ DHE-RSA-AES256-SHA256 \ EDH-RSA-DES-CBC3-SHA" SSLHonorCipherOrder on SSLCompression off SSLUseStapling On SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/run/httpd/stapling_cache(128000) ServerName www.example.com DocumentRoot "/var/www/html" Protocols h2 http/1.1 Options FollowSymLinks AllowOverride None Require all granted SSLEngine on Header always set Strict-Transport-Security "max-age=31536000" SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/private/server.key # SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt SetEnvIf Request_URI "\.(gif|jpg|png|css|js)$" nolog ErrorLog logs/error_log CustomLog logs/access_log combined env=!nolog