diff --git a/conf/apache-ssl b/conf/apache-ssl
index ab9627a0..97e0e115 100755
--- a/conf/apache-ssl
+++ b/conf/apache-ssl
@@ -10,7 +10,7 @@ if [[ -f "$CONF" ]]; then
 ssl_protocol="# Hardened TKL default\nSSLProtocol -all +TLSv1.2 +TLSv1.3"
 sed -Ei "\|^SSLProtocol| s|^(.*)|#\1\n$ssl_protocol|" "$CONF"
- cipher_suites=$(cat <> "$CONF" <: # - disable TurnKey apt repos - useful during early transition
-# - NO_PROXY :
-# - same as APT_PROXY_OVERRIDE=disable (will override APT_PROXY_OVERRIDE
-# if both set to different values)
 # Note, to install packages from backports:
 # - set 'BACKPORTS=y'; and either:
@@ -112,13 +109,13 @@ fi
 if [[ $deb_ver -le 10 ]] && [[ "$distro" == 'debian' ]]; then
 sec_repo="$CODENAME/updates"
- PROXY_PORT=8124
+ PROXY_PORT="$(echo "$FAB_HTTPS_PROXY" | sed -En 's/.*:([0-9]+).*/\1/p')"
 elif [[ $deb_ver -ge 11 ]] || [[ "$distro" == 'ubuntu' ]]; then
 sec_repo="$CODENAME-security"
 PROXY_PORT=3128
 fi
-if [[ "${APT_PROXY_OVERRIDE,,}" == "disable" ]] || [[ -n "$NO_PROXY" ]]; then
+if [[ "${APT_PROXY_OVERRIDE,,}" == "disable" ]]; then
 PROXY_PORT=
 elif [[ -n $APT_PROXY_OVERRIDE ]]; then
 PROXY_PORT=$APT_PROXY_OVERRIDE
diff --git a/conf/mysql b/conf/mysql
index 6359893e..aaa9626a 100755
--- a/conf/mysql
+++ b/conf/mysql
@@ -1,14 +1,6 @@
 #!/bin/bash -e
-# download mysqltuner
-dl() {
- if [[ "$FAB_HTTP_PROXY" ]]; then
- PROXY=(--proxy "$FAB_HTTP_PROXY")
- fi
- cd "$2"
- curl -L -f -O "${PROXY[@]}" "$1"
- cd -
-}
+. /usr/local/src/tkl-bashlib/init.sh
 # Install mysqltuner at "latest" tag (via gh_releases) and from core dev's
 # repo[1] - rather than separate "org" repo[2]
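Review bot: On the Debian ≤10 branch, `PROXY_PORT="$(echo "$FAB_HTTPS_PROXY" | sed -En 's/.*:([0-9]+).*/\1/p')"` comes back empty whenever FAB_HTTPS_PROXY is unset or carries no numeric port, and since the override block below uses an empty `PROXY_PORT=` to express "disable", the apt proxy would then be silently dropped on that branch while the Debian ≥11/Ubuntu branch still hard-codes 3128. Unless the unset case is intended to mean "no proxy", keep the previous value as a fallback, `PROXY_PORT="${PROXY_PORT:-8124}"`, or at least emit a warning to stderr when the extraction yields nothing. The `echo | sed` pipeline could be a plain parameter expansion, but that is only a style preference. The surrounding script, including where PROXY_PORT is finally consumed, lies outside this hunk.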
@@ -16,9 +8,9 @@ dl() {
 # [1] https://github.com/jmrenouard/MySQLTuner-perl
 # [2] https://github.com/major/MySQLTuner-perl
 BIN=/usr/local/bin
-VERSION=$(gh_releases jmrenouard/MySQLTuner-perl | sort -V | tail -1)
+VERSION=master
 REPO="jmrenouard/MySQLTuner-perl"
-URL="https://raw.githubusercontent.com/$REPO/refs/tags/$VERSION"
+URL="https://raw.githubusercontent.com/$REPO/refs/heads/$VERSION"
 dl "$URL/mysqltuner.pl" $BIN
 mv "$BIN/mysqltuner.pl" $BIN/mysqltuner
 chmod +x "$BIN/mysqltuner"
diff --git a/conf/turnkey.d/zz-ssl-ciphers b/conf/turnkey.d/zz-ssl-ciphers
index 4d274ce0..e76a6594 100755
--- a/conf/turnkey.d/zz-ssl-ciphers
+++ b/conf/turnkey.d/zz-ssl-ciphers
@@ -30,14 +30,6 @@ if [[ -f "$CONF" ]]; then
 sed -i "/tls_medium_cipherlist/ s|ZZ_SSL_CIPHERS|$SECURE_CIPHER_LIST|" $CONF
 fi
-# Apache2
-CONF="/etc/apache2/mods-available/ssl.conf"
-if [[ -f "$CONF" ]]; then
- sed -i "s|^\(\s*SSLCipherSuite\s\+\).*$|\1${SECURE_CIPHER_LIST}|g" $CONF
- a2enmod ssl
- a2enconf security
-fi
 # Nginx
 CONF="/etc/nginx/snippets/ssl.conf"
 if [[ -f "$CONF" ]]; then
@@ -69,3 +61,5 @@ if [ -d "$PUREFTPDDIR" ]; then
 echo 1 > ${PUREFTPDDIR}/TLS
 echo HIGH:\!TLSv1:\!TLSv1.1:\!SSLv2:\!SSLv3:${SECURE_CIPHER_LIST} > ${PUREFTPDDIR}/TLSCipherSuite
 fi
+
+echo "$SECURE_CIPHER_LIST" > /tmp/ZZ_SSL_CIPHERS
diff --git a/mk/turnkey/apache.mk b/mk/turnkey/apache.mk
index 6902c022..a5996edb 100644
--- a/mk/turnkey/apache.mk
+++ b/mk/turnkey/apache.mk
@@ -1,2 +1,2 @@
 COMMON_OVERLAYS += apache
-COMMON_CONF += apache-vhost apache-headers apache-security
+COMMON_CONF += apache-vhost apache-headers apache-security apache-ssl
diff --git a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh
index 2feb2d42..f64f5672 100644
--- a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh
+++ b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh
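Review bot: `VERSION=master` together with `URL="https://raw.githubusercontent.com/$REPO/refs/heads/$VERSION"` fetches whatever is currently at the head of the upstream branch, so the mysqltuner installed into $BIN is no longer reproducible between builds and any change pushed to that branch, intended or not, lands in the image unreviewed; the replaced code at least resolved a release tag. Pin to an immutable reference, a tag or preferably a full commit SHA (`VERSION=<pinned-tag-or-commit>` with the matching `refs/tags/` path), and consider comparing the downloaded file against a recorded checksum before the `mv` and `chmod +x`. If the switch to master is a temporary workaround for gh_releases, a comment saying so with a TODO to re-pin would help the next reader. The `$BIN` arguments on the `dl` and `mv` lines are unquoted, though that predates this change.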
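Review bot: `echo "$SECURE_CIPHER_LIST" > /tmp/ZZ_SSL_CIPHERS` writes to a fixed, predictable name in a world-writable directory, so a pre-existing file or symlink at that path (left over from an earlier run, or created by any other process in the build environment) is followed or silently overwritten, and whichever script reads it later cannot tell who wrote it. This looks like a hand-off to the new conf/apache-ssl script, whose hunk is not readable in this diff; a root-only location, a `mktemp`-created path passed explicitly, or simply exporting the variable would avoid the shared-tmp problem, and at minimum `set -o noclobber` (or an `[[ ! -e /tmp/ZZ_SSL_CIPHERS ]]` check) before the redirection would refuse to clobber an existing file. If the file is only meant to exist for the duration of the build, a comment naming the consumer and who removes it would help.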
@@ -25,7 +25,7 @@ export DEBIAN_FRONTEND=noninteractive
 # functions for errors and warnings
 fatal() { echo "FATAL: ${@}" >&2; exit 1; }
-warn() { echo "WARN: ${@}" >&2; exit 1; }
+warn() { echo "WARN: ${@}" >&2; }
 # check for integers
 # if any elements of $@ are _not_ integers - will return 1
diff --git a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash
new file mode 100644
index 00000000..9bbc32c8
--- /dev/null
+++ b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash
@@ -0,0 +1,23 @@
+# (c) 2026 - TurnKey GNU/Linux - all rights reserved
+#
+# This script is part of TKLDev BashLib.
+#
+# The source can be located locally on TKLDev:
+# ${FAB_PATH}/common/overlays/turnkey.d/tkl-bashlib
+#
+# To use it within a conf script, first source the base 'init' script:
+#
+# source /usr/local/src/tkl-bashlib/init
+#
+# For more info, including licence, please see the README.rst (should be in
+# the same dir as this file).
+
+dl() {
+ cd "$2"
+ if [[ "$FAB_HTTP_PROXY" ]]; then
+ http_proxy="$FAB_HTTP_PROXY" https_proxy="$FAB_HTTPS_PROXY" wget "$1"
+ else
+ wget "$1"
+ fi
+ cd -
+}
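Review bot: With the `exit 1` removed, `warn()` now returns the status of `echo` (0), so any existing caller that used `cmd || warn "..."` as a soft abort under `set -e` will continue past the failure; those call sites are outside this hunk and worth auditing when this lands. The change itself is the right contract for a function named warn, and an explicit `return 0` at the end would make the non-fatal behaviour visible to readers. Both helpers pass `${@}` through `echo`; `printf 'WARN: %s\n' "$*" >&2` would be the more robust form, though that is pre-existing style.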
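Review bot: `dl()` changes directory with `cd "$2"` and no failure check, and because this library runs under whatever options the sourcing script set, a bad destination in a caller without `set -e` leaves `wget "$1"` saving into the caller's current directory; the trailing `cd -` also prints the directory to stdout, which pollutes the output of any caller that captures `$(dl ...)`. Passing the destination to wget with `-P` removes the directory juggling entirely, as sketched below. The header comment tells users to `source /usr/local/src/tkl-bashlib/init`, while conf/mysql in this same commit sources `init.sh`; one of the two should be corrected so the documented path actually exists.
```shell
dl() {
  local url=$1 dest=$2
  if [[ -n "$FAB_HTTP_PROXY" ]]; then
    http_proxy="$FAB_HTTP_PROXY" https_proxy="$FAB_HTTPS_PROXY" wget -P "$dest" -- "$url"
  else
    wget -P "$dest" -- "$url"
  fi
}
```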