The latest SSL Labs' scan is from 2020-10-14. The previous scan was from 2019-12-31, when I just added TLSv1.3 2018, and the one before that from 2018. I first used SSL Labs' scan in 2016. A fresh scan can be started by clicking here.

The key TLS configuration I use in the https virtual host is (for Apache 2.4):

...
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd DHParameters "etc/apache24/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters Automatic

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLCompression off
SSLHonorCipherOrder on
SSLSessionTickets off

SSLSessionCache shmcb:/var/run/httpd_ssl_scache(512000)
SSLSessionCacheTimeout 300

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/httpd_oscp(128000)

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
...

When I upgrade to next Apache httpd, I'll see if I can make use of Certificate Transparency. In httpd 2.5 the directive is CTStaticLogConfig.