A correct VirtualHost without trial and error
Hand-writing an Apache VirtualHost means remembering the right directives, a matching Directory block, the correct SSL lines, and a redirect that actually works. This builder generates the whole .conf from a short form — HTTP or HTTPS, with optional port-80 redirect, HSTS, and per-host log paths baked in.
How it works
For an HTTPS site the builder binds the main block to port 443, adds SSLEngine on with your SSLCertificateFile and SSLCertificateKeyFile, and restricts SSLProtocol to TLS 1.2 and 1.3. It pairs that with a Directory block setting sane defaults — directory listings off, symlinks followed, and Require all granted. When you enable the redirect, a second port-80 VirtualHost uses mod_rewrite to issue a permanent redirect to the https scheme. Optional HSTS adds a Strict-Transport-Security header. Error and access logs are written to per-host filenames derived from your domain so you can tail them independently.
Example output for an HTTPS site
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
RewriteEngine On
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLProtocol -All +TLSv1.2 +TLSv1.3
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
<Directory /var/www/example.com>
Options -Indexes +FollowSymLinks
AllowOverride FileInfo
Require all granted
</Directory>
ErrorLog /var/log/apache2/example.com-error.log
CustomLog /var/log/apache2/example.com-access.log combined
</VirtualHost>
Deployment steps
- Copy the generated
.confinto/etc/apache2/sites-available/example.com.conf(Debian/Ubuntu) or/etc/httpd/conf.d/example.com.conf(RHEL/CentOS). - On Debian-family systems, enable the site:
a2ensite example.com.conf. - Validate:
apachectl configtest— fix any reported errors before continuing. - Reload without dropping connections:
apachectl graceful. - Check that HTTP redirects to HTTPS with:
curl -I http://example.com.
Tips
- Apache uses separate certificate and key files, unlike HAProxy which wants one combined PEM — this builder keeps them separate and matches the Let’s Encrypt file layout.
Options -Indexesprevents Apache from serving a directory listing when an index file is missing — always include it.- If TLS terminates at a load balancer upstream, generate the HTTP variant instead and configure your app to trust the
X-Forwarded-Protoheader to know the original scheme. - For PHP or framework apps that use
.htaccessrouting (Laravel, WordPress), setAllowOverride Allin theDirectoryblock so rewrite rules in.htaccessare honoured.