Update domain.conf

Updated certificate instructions

Signed-off-by: Max Barrett <maximilliangroup@gmail.com>

domain.conf

@@ -36,8 +36,8 @@ LimitRequestBody 10240000
 # ----------------------------------
 <VirtualHost *:80>
 
-    ServerName sparxstar.com  # Your primary domain – VERY IMPORTANT!
-    ServerAlias www.sparxstar.com
+    ServerName domain.com  # Your primary domain – VERY IMPORTANT!
+    ServerAlias www.domain.com *.domain.com
 
     # [HTTPS REWRITE] - PERMANENT redirect to HTTPS
     <IfModule mod_rewrite.c>
@@ -49,6 +49,7 @@ LimitRequestBody 10240000
 
 # SSL Stapling Configuration (improves SSL/TLS handshake performance)
 # Must be outside <VirtualHost>
+# Use only with OPTION 1
 <IfModule mod_ssl.c>
   SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)"  # Using shared memory cache
 </IfModule>
@@ -73,104 +74,67 @@ LimitRequestBody 10240000
 
         SSLEngine on  # Enables SSL/TLS for this virtual host
 
-        # --- CHOOSE ONE CERTIFICATE TYPE ---
+         # ----------------------------------
+         # [SSL CERTIFICATE] - 
+         # CHOOSE ONE OPTION
+         # ----------------------------------
+
+          # --- OPTION 1
           # Let's Encrypt Certificates:
+          SSLRequireSSL
           SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem
           SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem
           SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem
 
-        # OR
+                    # ----------------------------------
+                    # [CIPHER] - Strong Cipher Suite and Cipher Order (important for security)
+                    # CHOOSE ONE SENARIO
+                    # ----------------------------------
+
+                      # SENARIO 1 --- Disables weak ciphers ---
+                      SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 
+
+                    #OR 
+
+                      # SENARIO 2 --- Mozilla Modern --- (Adjust if needed for compatibility).
+                      SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+                      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1  # Disable older, insecure protocols
+
+                    # BOTH OPTION REQUIRE
+                    SSLHonorCipherOrder on   # Enforce server's cipher preference
+                    SSLUseStapling on   # Enable OCSP Stapling (for faster SSL handshakes)
+
+       # OR --- OPTION 2
           # Cloudflare Origin Certificates:
           # SSLCertificateFile /etc/ssl/certs/cloudflare-origin.pem #Path to your certificate file
           # SSLCertificateKeyFile /etc/ssl/certs/cloudflare-origin.key # Path to your private key file
           # SSLCertificateChainFile /etc/ssl/certs/cloudflare-ecc-chain.pem  # Path to the chain file, if applicable
           # Cloudflare Origin Chain File at 
           # https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate
 
-        # ----------------------------------
-        # [CIPHER] - Strong Cipher Suite and Cipher Order (important for security)
-        # uncomment one option
-        # ----------------------------------
-
-          # OPTION 1 --- Disables weak ciphers ---
-          SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 
-
-        #OR 
-
-          # OPTION 2 --- Mozilla Modern --- (Adjust if needed for compatibility).
-          SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1  # Disable older, insecure protocols
-
-        # BOTH OPTION REQUIRE
-        SSLHonorCipherOrder on   # Enforce server's cipher preference
-        SSLUseStapling on   # Enable OCSP Stapling (for faster SSL handshakes)
-
     </IfModule>
-    
+</VirtualHost>
 # ----------------------------------
-# [ HEADERS ] - VirtualHost (Port 443): Main configuration
+# [ HEADERS ] 
 # ----------------------------------
-    <IfModule mod_headers.c>
-
-        # [HSTS] --- HSTS (HTTP Strict Transport Security) ---
-        # Reinforce HTTPS ONLY - comment out if allowing HTTP connections (NOT RECOMMENDED)
-        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+<IfModule mod_headers.c>
 
         # Remove server version info - important for security
         Header unset Server 
-
+    
         # [SECURITY] --- Important Security Headers ---
-        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"  # Enforces HTTPS
+
         Header always set X-Frame-Options "DENY"  # Prevents clickjacking
         Header always set X-Content-Type-Options "nosniff" # Prevents MIME-sniffing attacks
-        Header always set Referrer-Policy "strict-origin-when-cross-origin"  # Controls referrer information
-
-        # [CSP] ---  Content Security Policy (CSP) –-- **CUSTOMIZE THIS VERY CAREFULLY** (see notes readme.md)
-        #Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.sparxstar.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.sparxstar.com; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none';"  # Customize!
-
-        # [CORS]  ---  CORS related headers ---
-        Header set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"  # Good to have this here
-        Header always set Expect-CT "enforce, max-age=0"  # Good to have this as well
 
-    <IfModule>
+<IfModule>
 
-    # ----------------------------------
-    # [DIRECTORY] –-- For Root Directory configuration --- ADJUST IF NEEDED
-    # Add separate <Directory> blocks for each application with its own AllowOverride settings)
-    # ----------------------------------
-    <Directory /var/www/html>  
 
-        # Allows .htaccess overrides for these types ONLY – ADJUST IF NEEDED
-         AllowOverride All  # Or be more restrictive: AllowOverride FileInfo AuthConfig Limit
-
-        # Allows access to all. Change if you need more specific access controls.
-        Require all granted 
-
-        #Browser caching of static assets
-        <IfModule mod_expires.c> 
-
-            ExpiresActive On
-            ExpiresByType image/jpg "access 1 year"
-            # ... other ExpiresByType directives ...
-            ExpiresDefault "access 2 days" # Default caching time
-
-        </IfModule>
-
-          # [FILESMATCH] --- File Access Restrictions --- (can  be in .htaccess here)
-          <FilesMatch "\.((md|exe|sh|bak|inc|pot|po|mo|log|sql|htaccess|htpasswd|ini|phps|fla|psd|log|sh|env|
-                          settings\.php|security\.php
-                          wp-config\.php|config\.php|db\.php|db-config\.php|debug\.log|install\.php|license\.txt|readme\.txt|
-                          wp-content/uploads/|\.git|upload\.php|options\.php|themes|plugins|backup|
-                          \.(php[3-7]?|phtml|sql|bak|sqlite|yml|conf|conf\.php|ini|tpl|tmp|log|
-                          |key|pem|p12|crt|)$">
-              Require all denied
-          </FilesMatch>
-
-      # ----------------------------------
-      # [MIME] --- File Type Settings
-      # https://www.iana.org/assignments/media-types/media-types.xhtml
-      # ----------------------------------
-      IfModule mod_mime.c>
+  # ----------------------------------
+  # [MIME] --- File Type Settings
+  # https://www.iana.org/assignments/media-types/media-types.xhtml
+  # ----------------------------------
+  <IfModule mod_mime.c>
 
         # --- Data interchange
           AddType text/plain                    txt
@@ -304,34 +268,7 @@ LimitRequestBody 10240000
 
           # [CHARSET] --- Default Charset
           AddDefaultCharset utf-8
-          AddCharset utf-8  
-                            .appcache \
-                            .atom \
-                            .bbaw \
-                            .css \
-                            .htc \
-                            .html \
-                            .ics \
-                            .js \
-                            .json \
-                            .manifest \
-                            .map \
-                            .markdown \
-                            .md \
-                            .mjs \
-                            .rss \
-                            .topojson \
-                            .txt \
-                            .vtt \
-                            .vcard \
-                            .vcf \
-                            .webmanifest \
-                            .xhtml \
-                            .xloc \
-                            .xlst \
-                            .xml \
-      </IfModule>
-
-    </Directory>
-
-</VirtualHost>
+         # [CHARSET] --- Default Charset
+          AddDefaultCharset utf-8
+          AddCharset utf-8 .appcache .atom .bbaw .css .htc .html .ics .js .json .manifest .map .markdown .md .m>
+   </IfModule>