From wiki.techunit.org


The aim of this page is to provide a simple guide to managing the Apache web service. Apache is the world's most used web server.
We will see how to secure your Apache configuration, how to use virtual hosts, and the useful commands to manage and debug your configuration.

  • Carried out on Debian 8
  • Apache version: 2.4

See Also

Migration to Apache2

Configure Varnish with Apache to provide HTTPS

How to configure Apache SSL module

Optimize your Apache performances with modules


Install packages

aptitude install apache2 -y
  • Congrats, Apache is installed and is running.

Files location

  • Configuration : /etc/apache2/*
  • Default web directory : /var/www/html


Creating virtual host configurations on your Apache server does not magically cause DNS entries to be created for those host names. You must have the names in DNS, resolving to your IP address, or nobody else will be able to see your web site. You can put entries in your hosts file for local testing, but that will work only from the machine with those hosts entries.


  • Create your site directory and index
mkdir -p /var/www/www.example.com
echo 'Hello b*tches!' > /var/www/www.example.com/index.html
chown www-data: /var/www/www.example.com
  • Create the Vhost config file : /etc/apache2/sites-available/www.example.com.conf
tee /etc/apache2/sites-available/www.example.com.conf > /dev/null << 'EOF'
<VirtualHost *:80>
    DocumentRoot "/var/www/www.example.com"
    ServerName www.example.com
    # Other directives here
</VirtualHost>
EOF
  • Disable default vhost / enable www.example.com
a2dissite 000-default
a2ensite www.example.com
service apache2 reload

Config file autopsy

#Listen on all network interface, on port 80
<VirtualHost *:80>
    #Site root directory
    DocumentRoot "/var/www/www.example.com"

    #Match the names
    ServerName www.example.com
    ServerAlias example example.com
    ServerAlias *.example.com

    #contact in case of technical issue
    ServerAdmin www-admin@foo.example.com 

    #Log verbosity (use debug when troubleshooting)
    LogLevel info
    CustomLog /var/log/apache2/example.com.access.log combined
    ErrorLog /var/log/apache2/example.com.errors.log

    #index file
    DirectoryIndex index.html index.htm index.php

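    #Enable/disable options applied to directory
    <Directory "/var/www/www.example.com">
     #Example Options lines, from most permissive to most restrictive; keep only one.
     #The last one disables directory listings, symlink following and CGI execution.
     Options Indexes FollowSymLinks
     Options +Indexes -FollowSymLinks -ExecCGI
     Options -Indexes -FollowSymLinks -ExecCGI

     #Access control (Apache 2.2 syntax, provided on 2.4 by mod_access_compat;
     #the native 2.4 directive is Require)
     Order Deny,Allow
     Allow from all
     Deny from all
     Allow from
    </Directory>
</VirtualHost>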

Reverse proxy

  • Enable mod proxy
a2enmod proxy_http
a2enmod proxy
service apache2 restart
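  • Edit and modify the vhost
<VirtualHost *:80>
    ServerName www.example.com
    #Reverse proxy only: do not act as a forward proxy for arbitrary clients
    ProxyRequests Off
    #Pass the original Host header to the backend
    ProxyPreserveHost On
    #Forward requests to the internal server and fix up its redirects
    ProxyPass / http://www.int.example.com:8080/
    ProxyPassReverse / http://www.int.example.com:8080/
</VirtualHost>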

Rewrite URL

  • Enable mod rewrite
a2enmod rewrite
service apache2 restart
  • Edit and modify the vhost
<VirtualHost *:80>
    ServerName www.example1.com
    RewriteEngine on
    #Redirect to HTTPS
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example2.com
    RewriteEngine on
    #Redirect to another URL
    RewriteRule ^ http://www.example3.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

HTTPS vhost sample

a2enmod ssl
service apache2 restart
  • Edit and adapt your virtualhost
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine On
    SSLCertificateFile /path/to/your/www.example.com.crt.pem
    #Private key: keep it readable by root only
    SSLCertificateKeyFile /path/to/your/www.example.com.key.pem
</VirtualHost>
</IfModule>

Modify Apache default port

  • Edit /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Default HTTP
#Listen 80
Listen 8080

<IfModule ssl_module>
        #Default HTTPS
        #Listen 443
        Listen 8443
</IfModule>

<IfModule mod_gnutls.c>
        #Default HTTPS
        #Listen 443
        Listen 8443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
  • Adapt the VirtualHost statement of your site to the new port
<VirtualHost *:8080>
    DocumentRoot "/var/www/www.example.com"
    ServerName www.example.com
    # Other directives here
</VirtualHost>
  • Restart apache
service apache2 restart

Secure your configuration from public access

Hide Apache Version and OS Identity

  • BEFORE - I use this command to show that Apache displays the version used and the server distribution (curl package needed):
curl <URL> | grep Apache
#>>> <address>Apache/2.4.10 (Debian) Server at Port 80</address>
  • Edit /etc/apache2/apache2.conf, then search for and modify/add these lines:
ServerSignature Off
ServerTokens Prod
  • Restart Apache : service apache2 restart
  • AFTER :
curl <URL> | grep Apache
#>>> No information provided
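
The grep above only looks at the page body, while the version is also sent in the Server response header. The following check is an added example, not part of the original page: it inspects both places in a raw response as printed by curl -si. The function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample responses are constructed.

# Reads a raw HTTP response (headers, blank line, body) on stdin and prints
# one line per place where the server still discloses its version or OS.
version_leaks() {
    tr -d '\r' | awk '
    !in_body && /^$/ { in_body = 1; next }
    # Header part: the Server header is controlled by ServerTokens.
    !in_body && tolower($0) ~ /^server:/ {
        val = $0
        sub(/^[^:]*:[ \t]*/, "", val)
        if (val ~ /[0-9(]/) print "header: " val
        next
    }
    # Body part: the <address> footer is controlled by ServerSignature.
    in_body && match($0, /<address>[^<]*<\/address>/) {
        print "footer: " substr($0, RSTART + 9, RLENGTH - 19)
    }'
}

# Constructed response before the change (banner taken from the page).
sample_before() {
    cat << 'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.4.10 (Debian) Server at www.example.com Port 80</address>
</body></html>
EOF
}

# Constructed response after ServerSignature Off and ServerTokens Prod.
sample_after() {
    cat << 'EOF'
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
</body></html>
EOF
}

echo "before:"; sample_before | version_leaks
echo "after:";  sample_after  | version_leaks
# Live check: curl -si <URL> | version_leaks
```

If the check still reports a leak after the edit, look for a second ServerTokens or ServerSignature line in a configuration file that is loaded later, since the last value read wins.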

Enable additional modules


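  • mod_security is a free web application firewall. Here we will only see how to enable it, but I suggest you configure it (a full article about it is coming). The recommended file copied below ships with SecRuleEngine DetectionOnly, so it logs matches but does not block anything until you set it to On.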
aptitude install libapache2-mod-security2 -y
cp /etc/modsecurity/modsecurity.conf{-recommended,}
service apache2 reload


  • mod_evasive examines each incoming request and limits the damage that HTTP brute-force, DoS and DDoS attacks can do.
aptitude install libapache2-mod-evasive -y
  • Add this block to /etc/apache2/apache2.conf
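<ifmodule mod_evasive20.c>
 DOSHashTableSize 3097
 #Block a client after more than 20 requests for the same page within 1 second
 #or more than 100 requests to the whole site within 1 second
 DOSPageCount 20
 DOSSiteCount 100
 DOSPageInterval 1
 DOSSiteInterval 1
 #Seconds a blocked client keeps receiving 403 responses
 DOSBlockingPeriod 10
 #DOSLogDir is a directory and must be writable by the Apache user
 DOSLogDir /var/log/apache2/mod_evasive.log
</ifmodule>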
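
To see which clients these thresholds would catch before relying on the module, the following added example (not part of the original page and not mod_evasive's own algorithm) replays an access log against DOSPageCount 20 and DOSSiteCount 100 using fixed one-second buckets. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not mod_evasive's own code: approximate its two thresholds
# with fixed one-second buckets over an access log. Log lines are constructed.

DOS_PAGE_COUNT=20    # DOSPageCount from the block above
DOS_SITE_COUNT=100   # DOSSiteCount from the block above

# Reads common/combined-format log lines on stdin and prints, per offender,
# "<ip> page <uri> <hits>" or "<ip> site - <hits>" (highest one-second count).
evasive_offenders() {
    awk -v pc="$DOS_PAGE_COUNT" -v sc="$DOS_SITE_COUNT" '
    {
        ip = $1; sec = $4; uri = $7        # $4 is "[day/month/year:HH:MM:SS"
        n = ++page[ip SUBSEP uri SUBSEP sec]
        if (n > pmax[ip SUBSEP uri]) pmax[ip SUBSEP uri] = n
        n = ++site[ip SUBSEP sec]
        if (n > smax[ip]) smax[ip] = n
    }
    END {
        for (k in pmax) if (pmax[k] > pc) { split(k, f, SUBSEP); print f[1], "page", f[2], pmax[k] }
        for (ip in smax) if (smax[ip] > sc) print ip, "site", "-", smax[ip]
    }' | LC_ALL=C sort
}

# Constructed traffic: one login hammer, one site-wide burst, one normal user.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo '192.0.2.10 - - [10/Oct/2016:13:55:36 +0200] "POST /login.php HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 120 ]; do
        echo "203.0.113.5 - - [10/Oct/2016:13:55:40 +0200] \"GET /page$((i % 10)).html HTTP/1.1\" 200 1024"
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [10/Oct/2016:13:55:41 +0200] "GET /index.html HTTP/1.1" 200 2048'
    echo '198.51.100.7 - - [10/Oct/2016:13:55:42 +0200] "GET /about.html HTTP/1.1" 200 2048'
}

sample_log | evasive_offenders
```

Run it against a real access log (evasive_offenders < /var/log/apache2/example.com.access.log) to check that legitimate clients stay below the limits before tightening them.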

Check those points

Useful command lines


#Elegant restart
apache2ctl graceful
#Check config (before restart)
apache2ctl configtest
#display status
apache2ctl fullstatus


vhost management

a2ensite www.example.com
a2dissite www.example.com

module management

a2enmod modname
a2dismod modname

config management

a2enconf confname
a2disconf confname

