Which configs should I add into the apache2 vhost :443

Hi,
I have been reading about the various security configs that can be included in the apache2 .conf files.

I have commented out duplicates from the ssl.conf file

This is what I have for good-health.ml


<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName refugee-support.org
    ServerAlias www.refugee-support.org

    Redirect / https://refugee-support.org/

    ErrorLog /var/log/apache2/refugee-support/error.log
    CustomLog /var/log/apache2/refugee-support/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName refugee-support.org
    ServerAlias www.refugee-support.org
    DocumentRoot /var/www/refugee-support.org

    <Directory /var/www/refugee-support.org>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/apache2/refugee-support/error.log
    CustomLog /var/log/apache2/refugee-support/access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
    SSLCertificateFile /etc/mycerts/refugee-support.org/cf_origin_cert.pem
    SSLCertificateKeyFile /etc/mycerts/refugee-support.org/cf_private_key.pem
</VirtualHost>

Should I add …

SSLHonorCipherOrder     off
SSLSessionTickets       off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

and what about these two …

Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy upgrade-insecure-requests

( not sure if they work with Cloudflare or are suitable )
The age is only one year whereas the Origin Cert is 15 years

  • maybe that is a contradiction/restriction I don’t want?

Thanks

And should the protocol be changed to …

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

?
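As an added example (not part of the question above and not Apache's own code), here is a small Python lint that resolves mod_ssl's SSLProtocol syntax into the set of versions that actually stay enabled and then checks the two Header lines from the question. The protocol table, the assumed Apache 2.4 default of "all -SSLv3", the subset of CSP directive names and the two embedded vhost excerpts are all constructed for this demonstration. It also shows why a misspelled CSP directive matters: browsers silently drop directive names they do not recognise, and Apache reports no error either, so the header is sent but enforces nothing.

```python
"""Offline lint of the TLS directives in an Apache 2.4 vhost (added example;
the protocol table, the 2.4 default and the CSP subset are assumptions)."""
import re

# Versions mod_ssl knows in SSLProtocol on a modern OpenSSL build (assumed),
# keyed by lowercase name; '-SSLv2' is tolerated as a no-op below.
PROTOCOLS = {"sslv3": "SSLv3", "tlsv1": "TLSv1", "tlsv1.1": "TLSv1.1",
             "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_SSLPROTOCOL = "all -SSLv3"   # Apache 2.4 default when unset (assumed)
ONE_YEAR = 31536000                  # the HSTS max-age from the question
# Subset of CSP directive names; browsers ignore names they do not know.
CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "frame-ancestors", "base-uri", "form-action",
    "upgrade-insecure-requests", "block-all-mixed-content", "report-uri",
}


def parse_ssl_protocol(value):
    """Enabled versions: '+x' adds, '-x' removes, a bare name replaces the set."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("", tok.lower())
        if name == "all":
            names = set(PROTOCOLS.values())
        elif name in PROTOCOLS:
            names = {PROTOCOLS[name]}
        else:
            continue                 # e.g. SSLv2: unknown to this build, ignored
        if op == "-":
            enabled -= names
        elif op == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def parse_config(conf):
    """Collect plain directives and 'Header [always] set' response headers."""
    directives, headers = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and section tags
            continue
        name, _, value = line.partition(" ")
        if name == "Header":
            m = re.match(r"(?:always\s+)?set\s+(\S+)\s+(.*)$", value.strip())
            if m:
                headers[m.group(1).lower()] = m.group(2).strip().strip('"')
        else:
            directives[name] = value.strip()
    return directives, headers


def lint_vhost(conf):
    """Return a list of findings (empty when nothing was flagged)."""
    directives, headers = parse_config(conf)
    findings = []
    enabled = parse_ssl_protocol(directives.get("SSLProtocol", DEFAULT_SSLPROTOCOL))
    legacy = sorted(enabled & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols still enabled: " + ", ".join(legacy))
    for d in ("SSLHonorCipherOrder", "SSLSessionTickets", "SSLUseStapling"):
        if d not in directives:
            findings.append(f"{d} not set (server default applies)")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age missing or under one year")
    for part in headers.get("content-security-policy", "").split(";"):
        words = part.split()
        if words and words[0] not in CSP_DIRECTIVES:
            findings.append(f"unknown CSP directive '{words[0]}' (browsers ignore it)")
    return findings


# Constructed excerpts: the first mirrors the question's directives plus a
# deliberately misspelled CSP token; the second is a tightened variant.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set Content-Security-Policy upgrade-insecure-requestscd
</VirtualHost>
"""
SAMPLE_HARDENED = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>
"""
```

Calling lint_vhost(SAMPLE_VHOST) reports TLSv1 and TLSv1.1 as still enabled, the three missing directives and the unrecognised CSP token; lint_vhost(SAMPLE_HARDENED) returns nothing. Two caveats when reading the output: the HSTS max-age is only how long a browser remembers to use HTTPS for the host, which has nothing to do with the certificate's validity period, and SSLStaplingCache is a server-config directive, so it belongs in the main ssl configuration rather than inside a VirtualHost block.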