nycki.net/site.conf

# https://palmure.fr/blog.html#default-https-but-only-for-recent-browsers

#<VirtualHost *:80>
#  <Location />
#    Require all denied
#  </Location>
#</VirtualHost>

#<VirtualHost *:443>
#  SSLEngine on
#  Include /etc/letsencrypt/options-ssl-apache.conf
#  SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
#  SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
#  <Location />
#    Require all denied
#  </Location>
#</VirtualHost>

<VirtualHost *:80 *:443>
  ServerName nycki.net
  SSLEngine on
  Include /etc/letsencrypt/options-ssl-apache.conf

  Header always add Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload;"
  <If "%{HTTPS} == 'off'">
    <If "%{HTTP:Upgrade-Insecure-Requests} == 1">
      Header always add Vary: Upgrade-Insecure-Requests
      Redirect / https://nycki.net 
    </If>
  </If>

      DocumentRoot /data/nycki.net/site
ErrorDocument 404 404.html

  <Directory />
    Options FollowSymLinks MultiViews
    Require all granted
  </Directory>
  SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
</VirtualHost>

<VirtualHost *:443>
  ServerName rss.nycki.net
  SSLEngine on
  Include /etc/letsencrypt/options-ssl-apache.conf
  <Location />
    ProxyPass http://localhost:8400/
  </Location>
    SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
</VirtualHost>

<VirtualHost *:443>
  ServerName git.nycki.net
  SSLEngine on
  Include /etc/letsencrypt/options-ssl-apache.conf

  # https://stackoverflow.com/a/9933890/3821202
  AllowEncodedSlashes NoDecode
  <Location />
    ProxyPass http://localhost:8500/ nocanon
  </Location>
    SSLCertificateFile /etc/letsencrypt/live/klay.gay/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/klay.gay/privkey.pem
</VirtualHost>