01-mdn-samples.conf

<VirtualHost *:80>
    ServerName mdn-samples.mozilla.org
    ServerAlias mdn-samples.us-west-2.mdn.mozit.cloud

    Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
    <Directory "/var/www/html/">
        AllowOverride None
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mdn-samples.mozilla.org
    ServerAlias mdn-samples.us-west-2.mdn.mozit.cloud
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/mdn-samples.mozilla.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mdn-samples.mozilla.org.key

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    #Header always append X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    Header always set Content-Security-Policy "frame-ancestors 'self' *.mozilla.org *.allizom.org mdn.mozillademos.org yari-demos.prod.mdn.mozit.cloud yari-demos.stage.mdn.mozit.cloud;"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
    Header always set X-Xss-Protection "1; mode=block"
    ServerSignature Off

    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        RedirectMatch 404 /\.git
        Require all granted
    </Directory>
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off


# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)