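# NOTE(review): this listing arrived flattened onto two lines, and its
# <VirtualHost>, <Directory> and <FilesMatch> container tags were missing.
# They are restored below in their conventional form (ports 80/443, the
# DocumentRoot path, a *.php match). Compare with your original file before
# deploying. Without the containers, AllowOverride is not valid and SetHandler
# would apply to every request.
#
# Modules these directives depend on: mod_headers, mod_deflate, mod_expires,
# mod_proxy with mod_proxy_fcgi, and mod_ssl for the HTTPS virtual host.

# ---------------------------------------------------------------------------
# Plain-HTTP virtual host
# ---------------------------------------------------------------------------
# NOTE(review): as written, this vhost serves the whole application over
# cleartext HTTP. Once the certificate is issued, redirect port 80 to HTTPS
# (Certbot can add the redirect for you). Otherwise cookies and credentials can
# still travel unencrypted, and the HSTS header below only takes effect after a
# browser has made a first successful HTTPS request.
<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    ServerAdmin webmaster@your-domain.com

    # Only the public/ directory is web-reachable; application code and
    # configuration one level up stay outside the document root.
    DocumentRoot /var/www/your-app/public

    <Directory /var/www/your-app/public>
        # -Indexes: no auto-generated directory listings.
        # +FollowSymLinks: Apache follows symlinks, including ones that point
        # outside the docroot, so keep this tree free of untrusted links.
        Options -Indexes +FollowSymLinks

        # AllowOverride All lets any .htaccess file under the docroot change
        # handlers, access control and rewrite rules. If the application can
        # write into this tree (uploads, caches), narrow this to the override
        # classes actually needed (for example FileInfo for rewrite rules).
        AllowOverride All
        Require all granted
    </Directory>

    # PHP-FPM configuration
    # Only *.php requests are handed to PHP-FPM over the local Unix socket.
    # Check the socket's ownership and mode (listen.owner / listen.mode in the
    # pool configuration) so that only the web server user can connect.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost"
    </FilesMatch>

    # Security headers
    # "always" also attaches the headers to error responses.
    # X-Frame-Options limits framing to same-origin pages (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stops browsers from MIME-sniffing a response into a different type.
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # browsers; it is not an XSS defence. No Content-Security-Policy is set in
    # this file; that is the header to add once the app's script/style sources
    # are known.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable server signature
    # This only removes the version footer from server-generated pages. The
    # Server response header is governed by ServerTokens, which is set in the
    # global server configuration, not in a virtual host.
    ServerSignature Off

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/your-app-error.log
    CustomLog ${APACHE_LOG_DIR}/your-app-access.log combined

    # Compression
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE image/svg+xml

    # Static file caching
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
</VirtualHost>

# ---------------------------------------------------------------------------
# SSL Configuration (use with Let's Encrypt / Certbot)
# ---------------------------------------------------------------------------
<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    ServerAdmin webmaster@your-domain.com
    DocumentRoot /var/www/your-app/public

    <Directory /var/www/your-app/public>
        # Same access policy as the HTTP vhost; keep the two in sync, since a
        # weaker setting on either vhost applies to the same files.
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # PHP-FPM configuration
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost"
    </FilesMatch>

    # SSL Configuration (Certbot will fill these in)
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
    # The private key must stay readable by root only. Apache reads it at
    # startup, before dropping privileges.
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem

    # Modern SSL configuration
    # Removes SSLv3, TLS 1.0 and TLS 1.1. What remains is TLS 1.2, plus TLS 1.3
    # where the installed Apache/OpenSSL build supports it.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # ECDHE key exchange with AES-GCM only (forward secrecy, AEAD). This list
    # governs TLS 1.2 and below; TLS 1.3 suites are negotiated separately.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # The client picks among the suites above, which is acceptable because
    # every listed suite is strong.
    SSLHonorCipherOrder off

    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): deprecated and ignored by current browsers; see the
    # Content-Security-Policy remark on the HTTP vhost.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS for one year, covering all subdomains. Browsers cache this for the
    # full max-age, so confirm that every subdomain serves valid HTTPS before
    # enabling includeSubDomains; it cannot be rolled back quickly.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Disable server signature
    ServerSignature Off

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/your-app-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/your-app-ssl-access.log combined

    # Compression
    # NOTE(review): compressing HTML/JSON over TLS can leak secrets when a
    # response contains both a secret (such as a CSRF token) and
    # request-influenced content (a compression side channel). If that is in
    # your threat model, exclude those responses from DEFLATE.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE image/svg+xml

    # Static file caching
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
</VirtualHost>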