diff --git a/roles/copr/dist_git/tasks/main.yml b/roles/copr/dist_git/tasks/main.yml
index aa6afb5aa2..e32ad26fbc 100644
--- a/roles/copr/dist_git/tasks/main.yml
+++ b/roles/copr/dist_git/tasks/main.yml
@@ -66,6 +66,11 @@
include_role: name=certbot
when: env == 'staging'
+- template: src="ssl.conf.j2" dest="/etc/httpd/conf.d/ssl.conf" owner=root group=root mode=0644
+ when: env == 'staging'
+ notify:
+ - reload httpd
+
- name: temporary logrotation fix until copr-dist-git 0.26 is released & deployed
copy: src="logrotate.d/copr-dist-git" dest="/etc/logrotate.d/copr-dist-git"
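Review bot: The added template task has no `name:` and passes its arguments as one inline key=value string, so play output shows only a generic label and the owner and mode of a TLS configuration file are harder to audit. I would write it in block form with the mode quoted so it stays a string, as below. The rendered ssl.conf points at files under /etc/letsencrypt/live/, so this task presumably relies on the certbot role included just above having already obtained the certificate. A comment saying so would help, because a reload with missing certificate files is likely to fail. The include_role task before it starts outside the hunk.

```yaml
# Needs the certificate from the certbot role included above.
- name: install ssl.conf for httpd (staging only)
  template:
    src: ssl.conf.j2
    dest: /etc/httpd/conf.d/ssl.conf
    owner: root
    group: root
    mode: "0644"
  when: env == 'staging'
  notify:
    - reload httpd
```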
diff --git a/roles/copr/dist_git/templates/ssl.conf.j2 b/roles/copr/dist_git/templates/ssl.conf.j2
new file mode 100644
index 0000000000..849d0540dc
--- /dev/null
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -0,0 +1,44 @@
+
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
+
+Listen 443 https
+
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+SSLCryptoDevice builtin
+
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+
+ ErrorLog logs/ssl_error_log
+ TransferLog logs/ssl_access_log
+ LogLevel warn
+
+ SSLEngine on
+
+ SSLProtocol all -SSLv3
+ SSLProxyProtocol all -SSLv3
+ SSLHonorCipherOrder on
+ SSLCipherSuite PROFILE=SYSTEM
+ SSLProxyCipherSuite PROFILE=SYSTEM
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
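Review bot: `SSLProtocol all -SSLv3` and the matching `SSLProxyProtocol` line exclude only SSLv3, so TLS 1.0 and 1.1 stay permitted unless the system crypto policy behind `PROFILE=SYSTEM` also blocks them; I would state the floor explicitly with `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` on both lines. `SSLCertificateChainFile` is given fullchain.pem, which already contains the leaf certificate, and the directive is deprecated from httpd 2.4.8 on; `SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem` alone, with the chain-file line dropped, is the usual form. The redirect at the top builds its target from `%{HTTP_HOST}`, which the client supplies, so using `{{ inventory_hostname }}` there would pin the redirect to this host. The container lines around these directives are not visible on this page, so it is worth confirming that the rewrite rule sits in a context where `RewriteEngine on` is set.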