diff --git a/puppet/templates/puppet-httpd.conf.erb b/puppet/templates/puppet-httpd.conf.erb
index 05a1c48..0697ea2 100644
--- a/puppet/templates/puppet-httpd.conf.erb
+++ b/puppet/templates/puppet-httpd.conf.erb
@@ -4,14 +4,11 @@
 <IfModule !mod_ssl.c>
 LoadModule ssl_module modules/mod_ssl.so
 </IfModule>
-#
+
 # Listen to puppet port also
-#
 Listen 8140
 
-#
 # Proxy balancer settings
-#
 <Proxy balancer://puppetmaster>
 <% puppet_listenports.each do |port| -%>
   BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30
@@ -24,125 +21,44 @@ Listen 8140
 
 <VirtualHost _default_:8140>
 
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog /srv/www/log/https/<%= homename %>/error_log
-CustomLog /srv/www/log/https/<%= homename %>/access_log combined
-LogLevel warn
+  # Use default log path for puppet
+  ErrorLog /srv/www/log/https/<%= homename %>/error_log
+  CustomLog /srv/www/log/https/<%= homename %>/access_log combined
+  LogLevel warn
 
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
+  # SSL settings
+  SSLEngine on
+  SSLProtocol TLSv1
+  SSLCipherSuite DHE-RSA-AES256-SHA
 
-#   SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
+  # Certificates and keys
+  SSLCertificateFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
+  SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
+  SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem
+  SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
+  SSLCARevocationFile <%= puppet_ssldir %>/ca/ca_crl.pem
 
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
-SSLCertificateFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
+  # Client authentication
+  SSLVerifyClient optional
+  SSLVerifyDepth  1
 
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
+  # SSL options and headers
+  SSLOptions +StdEnvVars
+  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
 
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convinience.
-SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
-
-#   Certificate Revocation List:
-#   Point SSLCARevocation file at a file containing the
-#   Certificate Revocation Lists (CRL) of Certification
-#   Authorities (CA) whose clients you deal with. These are used
-#   for client authentication.
-SSLCARevocationFile <%= puppet_ssldir %>/ca/ca_crl.pem
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-SSLVerifyClient optional
-SSLVerifyDepth  1
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context.
-SSLOptions +StdEnvVars
-
-# The following client headers allow the same configuration to work with Pound.
-RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
-RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
-RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
-
-<Location />
-  SetHandler balancer-manager
-  Order allow,deny
-  Allow from all
-</Location>
-
-ProxyPass / balancer://puppetmaster:8140/ timeout=180
-ProxyPassReverse / balancer://puppetmaster:8140/
-ProxyPreserveHost on
-SetEnv force-proxy-request-1.0 1
-SetEnv proxy-nokeepalive 1
+  # Proxy settings
+  <Location />
+    SetHandler balancer-manager
+    Order allow,deny
+    Allow from all
+  </Location>
+  ProxyPass / balancer://puppetmaster:8140/ timeout=180
+  ProxyPassReverse / balancer://puppetmaster:8140/
+  ProxyPreserveHost on
+  SetEnv force-proxy-request-1.0 1
+  SetEnv proxy-nokeepalive 1
 
 </VirtualHost>