srv-stage/files/webmail/https-webmail.conf

# Default configuration
<VirtualHost _default_:443>
ServerName webmail.stage-ge.org
ServerAlias webmail
DocumentRoot /usr/share/webmail
<Directory /usr/share/webmail>
  AllowOverride None
  Require all granted
</Directory>
ErrorLog /var/log/httpd/webmail-error.log
CustomLog /var/log/httpd/webmail-access.log combined

## SSL

SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
# Enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"

BrowserMatch "MSIE [2-5]" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCertificateFile "/etc/pki/stage-ge/stage-ge.org.crt"
SSLCertificateKeyFile "/etc/pki/stage-ge/stage-ge.org.key"
SSLCertificateChainFile "/etc/pki/stage-ge/stageCA.crt"
</VirtualHost>