Where do I put the generated VirtualHost file?

On Debian and Ubuntu, save it under /etc/apache2/sites-available and enable it with a2ensite, then reload Apache. On RHEL-family systems, drop it in /etc/httpd/conf.d and restart httpd.

How does the HTTP to HTTPS redirect work?

The builder can emit a second VirtualHost on port 80 that uses mod_rewrite to send every request to the https scheme with a permanent redirect. This keeps plain-HTTP visitors on the encrypted site.

What is the Strict-Transport-Security header for?

HSTS instructs browsers to use HTTPS for your domain for a set period, preventing downgrade and cookie-stripping attacks. The builder adds it with a two-year max-age and includeSubDomains when you enable it.

Why does the config disable older TLS versions?

The SSLProtocol line restricts the server to TLS 1.2 and 1.3, dropping obsolete SSL and early TLS that are vulnerable to known attacks. Modern browsers all support 1.2 or 1.3, so nothing legitimate is lost.

Do I need AllowOverride All?

Only if your app relies on per-directory .htaccess files, as many PHP frameworks do for routing. If you control the main config and do not use .htaccess, set it to None for a small performance and security gain.

Apache VirtualHost Config Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

A correct VirtualHost without trial and error

Hand-writing an Apache VirtualHost means remembering the right directives, a matching Directory block, the correct SSL lines, and a redirect that actually works. This builder generates the whole .conf from a short form — HTTP or HTTPS, with optional port-80 redirect, HSTS, and per-host log paths baked in.

How it works

For an HTTPS site the builder binds the main block to port 443, adds SSLEngine on with your SSLCertificateFile and SSLCertificateKeyFile, and restricts SSLProtocol to TLS 1.2 and 1.3. It pairs that with a Directory block setting sane defaults — directory listings off, symlinks followed, and Require all granted. When you enable the redirect, a second port-80 VirtualHost uses mod_rewrite to issue a permanent redirect to the https scheme. Optional HSTS adds a Strict-Transport-Security header. Error and access logs are written to per-host filenames derived from your domain so you can tail them independently.

Tips and example

Combined PEM vs separate files: Apache uses separate certificate and key files, unlike HAProxy which wants one combined PEM — this builder keeps them separate.
After enabling a new site, run apachectl configtest before reloading to catch typos in paths.
Keep Options -Indexes to stop Apache exposing a directory listing when an index file is missing.
If you terminate TLS at a load balancer instead, generate the HTTP variant and trust the X-Forwarded-Proto header in your app.