Configuring the Apache Web Server for a Tilde

Most readers in geminispace will already be familiar with the term "tilde" as synonymous with a shared/multi-user unix environment. I've recently reconfigured my personal server to be more like these traditional systems, because it's a configuration that works well for me. In doing so I went from using nginx to using apache, because it seemed the better choice for the job. Nginx is better optimized for high load and easier to configure as a proxy for application servers, but apache has a lot of advantages for a shared environment:

You'll need to enable the suexec and userdir mods for apache, but after that the configuration is quite straightforward. Here's what mine looks like for the vhost in question:

<VirtualHost *:80>
        ServerName warmedal.se
        ServerAlias www.warmedal.se
        Redirect permanent / https://warmedal.se/
</VirtualHost>

<VirtualHost *:443>
        ServerName warmedal.se
        ServerAlias www.warmedal.se

        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/warmedal.se/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/warmedal.se/privkey.pem

        # I have several vhosts all using the same folder for letsencrypt acme challenges
        Alias /.well-known/acme-challenge /home/www-data/acme-challenge/.well-known/acme-challenge

        DocumentRoot /home/www-data/warmedal.se

        # I disallow access to all hidden files and directories
        <Location ~ "\/\..*">
                Deny from All
        </Location>
        <Location ~ "^\/\.well-known\/.*">
                Allow from All
        </Location>

        # This part is all it takes to serve files from ~/public_html of any user
        UserDir public_html

        # And this executes all files ending in .cgi instead of serving their contents
        <Directory "/home/*/public_html">
                Options +ExecCGI
                AddHandler cgi-script .cgi
        </Directory>
</VirtualHost>

Please tell me if you see any obvious mistakes here. I'm specifically uncertain about the difference between "Deny from All" and "Require all denied".
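
The hidden-file rules from the vhost above, written with the Apache 2.4 authorization directives (an added example, not part of the original post). "Deny from All" and "Allow from All" are the Apache 2.2 access-control syntax, which 2.4 only accepts through mod_access_compat; "Require all denied" and "Require all granted" are the mod_authz_core equivalents. The example assumes Apache 2.4 with the default "AuthMerging Off".

```apache
# Apache 2.2 style, as used in the vhost above (needs mod_access_compat on 2.4):
#   <Location ~ "\/\..*">
#           Deny from All
#   </Location>

# Apache 2.4 style (mod_authz_core). Location sections are processed in the
# order they appear, and with the default "AuthMerging Off" the Require of the
# last matching section replaces the earlier one instead of combining with it.

# Deny any URL path with a component that starts with a dot,
# for example /.git/config or /~user/.env
<LocationMatch "/\.">
        Require all denied
</LocationMatch>

# Re-open only /.well-known/ for the ACME challenges. The dot is escaped so
# the pattern cannot match a path such as /xwell-known/.
<LocationMatch "^/\.well-known/">
        Require all granted
</LocationMatch>
```

Apache's upgrade notes discourage mixing the two styles in one configuration, so a vhost should use either the Order/Allow/Deny family or Require throughout.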

-- CC0 Björn Wärmedal