# vHost file for Apache2

# security - prevent information disclosure about server version
ServerTokens Prod

<VirtualHost *:80>
  ServerName FQDN
  Redirect permanent / https://FQDN
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
  SSLHonorCipherOrder     off
  SSLSessionTickets       off

  SSLCertificateFile /etc/ssl/certs/FQDN.pem;
  SSLCertificateKeyFile /etc/ssl/private/FQDN.pem;
  # only if applicable
  # SSLCertificateChainFile /etc/ssl/certs/cert-bundle.pem;
  SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem

  ServerName FQDN

  HostnameLookups Off
  UseCanonicalName Off
  ServerSignature Off

  ProxyRequests Off
  ProxyPreserveHost On

  <Proxy 127.0.0.1:3001>
    Require local
  </Proxy>

  ProxyPass / http://127.0.0.1:3001/

  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
</VirtualHost>