diff --git a/config/apache/standardebooks.org.conf b/config/apache/standardebooks.org.conf
index 9b998107..34440d8c 100644
--- a/config/apache/standardebooks.org.conf
+++ b/config/apache/standardebooks.org.conf
@@ -36,17 +36,12 @@ FileETag All
RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
-# SSL hardening; see .
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-SSLHonorCipherOrder on
-SSLCompression off
+# SSL hardening; see .
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+SSLHonorCipherOrder off
SSLSessionTickets off
-SSLStaplingCache shmcb:/var/run/ocsp(128000)
-# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
-SSLUseStapling on
-SSLStaplingResponderTimeout 5
-SSLStaplingReturnResponderErrors off
Define domain standardebooks.org
Define web_root /standardebooks.org/web
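Review bot: The new TLS block drops `SSLCompression off` and the whole OCSP stapling group without saying why, so both settings now depend on httpd defaults rather than on this file. Compression defaults to off in httpd 2.4.3 and later, but keeping the explicit `SSLCompression off` line costs nothing and keeps the CRIME mitigation visible to the next reader. With `SSLUseStapling` removed, stapling falls back to its default of off; if that is deliberate (for instance because the CA no longer serves OCSP), a one-line comment such as `# OCSP stapling intentionally disabled: <reason>` would record it. It would also help to note in a comment that the `SSLCipherSuite` list only governs TLS 1.2 suites, and that the explicit `+TLSv1.3` needs an httpd/OpenSSL build with TLS 1.3 support or the configuration will fail to load. The same points apply to the matching hunk in `config/apache/standardebooks.test.conf`.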
@@ -129,7 +124,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
- # PHP-FPM configuration
+ # PHP-FPM configuration.
# See .
# Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@@ -158,7 +153,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
# In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
# Rewrite POST `/some/url` -> POST `/some/url/post.php`.
- RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
+ RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
RewriteRule ^([^\.]+)$ $1/%1.php [L]
@@ -178,7 +173,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
RewriteRule ^(.+)$ $1.php [QSA]
- # End PHP-FPM configuration
+ # End PHP-FPM configuration.
# Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f
diff --git a/config/apache/standardebooks.test.conf b/config/apache/standardebooks.test.conf
index 04c1bc0f..f3113730 100644
--- a/config/apache/standardebooks.test.conf
+++ b/config/apache/standardebooks.test.conf
@@ -36,17 +36,12 @@ FileETag All
RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
-# SSL hardening; see https://mozilla.github.io/server-side-tls/ssl-config-generator/
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-SSLHonorCipherOrder on
-SSLCompression off
+# SSL hardening; see .
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+SSLHonorCipherOrder off
SSLSessionTickets off
-SSLStaplingCache shmcb:/var/run/ocsp(128000)
-# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
-SSLUseStapling on
-SSLStaplingResponderTimeout 5
-SSLStaplingReturnResponderErrors off
Define domain standardebooks.test
Define web_root /standardebooks.org/web
@@ -111,7 +106,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
- # PHP-FPM configuration
+ # PHP-FPM configuration.
# See .
# Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@@ -140,7 +135,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
# In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
# Rewrite POST `/some/url` -> POST `/some/url/post.php`.
- RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
+ RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
RewriteRule ^([^\.]+)$ $1/%1.php [L]
@@ -160,7 +155,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
RewriteRule ^(.+)$ $1.php [QSA]
- # End PHP-FPM configuration
+ # End PHP-FPM configuration.
# Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f