Listen 443

#   https://ciphersuite.info/cs/?sort=sec-desc&security=recommended&tls=tls12&singlepage=true
SSLCipherSuite DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384:TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:DHE-PSK-AES128-CCM8:DHE-PSK-AES256-CCM8:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384

SSLProxyCipherSuite DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384:TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:DHE-PSK-AES128-CCM8:DHE-PSK-AES256-CCM8:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384

SSLHonorCipherOrder on 
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300


############
# jellyfin #
############

<VirtualHost *:443>
    ServerName jellyfin.domain.tld
    DocumentRoot "${SRVROOT}/htdocs/jellyfin"
    ErrorLog "${SRVROOT}/logs/jellyfin_error.log"
    CustomLog "${SRVROOT}/logs/jellyfin_access.log" combined

    ProxyPreserveHost On
    ProxyPass "/.well-known/" "!"
    
    # Tell Jellyfin to forward that requests came from TLS connections
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ProxyPass "/socket" "ws://localhost:8096/socket"
    ProxyPassReverse "/socket" "ws://localhost:8096/socket"

    ProxyPass "/" "http://localhost:8096/"
    ProxyPassReverse "/" "http://localhost:8096/"

    SSLEngine on
    SSLCertificateFile "${SRVROOT}/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl.key/server.key"
    SSLCACertificateFile "${SRVROOT}/conf/ssl.crt/ca-bundle.crt"
    Protocols h2 http/1.1

    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
#    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
#    SSLHonorCipherOrder on

#    # Disable insecure SSL and TLS versions
#    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>