FreedomBox/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf

<Macro FreedomBoxTLSSiteMacro $domain>

    # mod_ssl default options. See /etc/apache2/sites-available/default-ssl.conf
    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            ServerName $domain
            DocumentRoot /var/www/html

            SSLEngine on

            # Disable TLS1.1 and below. Client support: Firefox: 27, Android:
            # 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL:
            # 1.0.1, Opera: 20, Safari: 9. See:
            # https://wiki.mozilla.org/Security/Server_Side_TLS
            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

            # Automatically obtained certificates from Let's Encrypt
            SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>
</Macro>