Apache HTTP Server
The world's most widely used web server, with an extensive track record: all-around functionality, rich module support, and built-in support for scripting languages including PHP.
Overview
Apache HTTP Server (commonly known as Apache or httpd) is the world's most widely used open-source web server software. With decades of proven track record in production environments, Apache provides comprehensive web server functionality through its modular architecture. It offers robust support for various technologies including PHP, Python, and other server-side languages, making it the foundation for countless websites worldwide. Apache combines reliability, security, and flexibility to serve everything from simple static websites to complex enterprise applications.
Details
As of 2025, Apache HTTP Server remains one of the two major web servers globally, alongside Nginx. With over 25 years of development history, Apache has established itself as the gold standard for web server reliability and feature completeness. Its modular architecture allows for extensive customization through hundreds of available modules, supporting everything from authentication systems to content compression. Apache excels in environments requiring complex configurations, .htaccess support, and comprehensive scripting language integration. The server handles both static and dynamic content efficiently, with built-in support for virtual hosting, SSL/TLS encryption, and advanced logging capabilities.
Key Features
- Modular Architecture: Extensive module system for customization and feature extension
- Multi-platform Support: Runs on virtually all operating systems including Linux, Windows, macOS
- Virtual Hosting: Host multiple websites on a single server instance
- Comprehensive Authentication: Built-in support for various authentication mechanisms
- Flexible Configuration: Powerful configuration system with .htaccess support
- SSL/TLS Support: Complete HTTPS implementation with modern security standards
Advantages and Disadvantages
Advantages
- Industry-standard web server with extensive documentation and community support
- Highly stable and reliable performance in production environments
- Comprehensive feature set covering virtually all web server requirements
- Excellent integration with PHP, Perl, Python, and other server-side technologies
- Flexible configuration options including per-directory .htaccess files
- Strong security features with regular updates and patches
- Wide hosting provider support and extensive third-party module ecosystem
Disadvantages
- Higher memory consumption compared to lightweight alternatives like Nginx
- Performance can degrade under extremely high concurrent connection loads
- Complex configuration can be overwhelming for simple use cases
- .htaccess processing adds overhead to request handling
- Thread-based model may not be optimal for all workload types
- Some modern features require additional module installation and configuration
Configuration Examples
Basic Installation and Setup
# Install Apache on Ubuntu/Debian
sudo apt update
sudo apt install apache2
# Install Apache on CentOS/RHEL
sudo yum install httpd
# Install Apache on macOS using Homebrew
brew install httpd
# Verify Apache installation
httpd -v
apache2 -v # On Ubuntu/Debian systems
# Check Apache modules
httpd -M
apache2ctl -M # On Ubuntu/Debian systems
Basic Virtual Host Configuration
# Virtual host configuration in httpd.conf or sites-available
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example
# Custom log files
CustomLog /var/log/apache2/example_access.log combined
ErrorLog /var/log/apache2/example_error.log
# Directory permissions (Indexes enables automatic directory listings; remove it unless listings are intended)
<Directory /var/www/html/example>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
# SSL Virtual Host
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
# SSL Configuration
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
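# SSLCertificateChainFile is deprecated since Apache 2.4.8; intermediate certificates can be appended to SSLCertificateFile instead
SSLCertificateChainFile /etc/ssl/certs/chain.crt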
# Modern SSL configuration
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS
SSLHonorCipherOrder off
SSLSessionTickets off
# Security headers
Header always set Strict-Transport-Security "max-age=63072000"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
</VirtualHost>
Essential Apache Configuration
# Main configuration file (httpd.conf)
# Server basics
ServerRoot /etc/apache2
Listen 80
Listen 443 https
# User and group for Apache process
User www-data
Group www-data
# Server identification
ServerTokens Prod
ServerSignature Off
# Performance tuning
Timeout 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
# Prefork MPM configuration (for PHP)
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxRequestWorkers 256
MaxConnectionsPerChild 0
</IfModule>
# Worker MPM configuration (for high performance)
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>
# Load essential modules
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so
# Content compression
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \
\.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
</IfModule>
# Security configuration
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
# Hide sensitive files
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# Prevent access to version control directories
<DirectoryMatch "/\.(svn|git|hg|bzr)">
Require all denied
</DirectoryMatch>
.htaccess Configuration Examples
# URL rewriting for clean URLs
RewriteEngine On
# Remove trailing slashes
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ /$1 [R=301,L]
# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Pretty URLs for a web application
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/?$ /index.php?page=$1 [L,QSA]
# Cache control for static assets
<IfModule mod_expires.c>
ExpiresActive on
# Images
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
# CSS and JavaScript
ExpiresByType text/css "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"
# Fonts
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType application/font-woff2 "access plus 1 year"
</IfModule>
# Security headers
<IfModule mod_headers.c>
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"
</IfModule>
# Password protection for specific directory
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
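# IP-based access control (either network may connect; <RequireAll> would demand an address in both networks and deny everyone)
<RequireAny>
Require ip 192.168.1
Require ip 10.0.0
</RequireAny>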
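How mod_authz_core combines `Require` lines decides whether the password and IP restrictions in this section restrict anything. The following is an added sketch, not part of the original page and not Apache code: a simplified IPv4-only Python model of `Require ip`, `Require valid-user`, `<RequireAll>` and `<RequireAny>`, run over constructed sample requests. All function and policy names are illustrative.

```python
import ipaddress

def ip_rule(spec):
    """`Require ip <spec>` (IPv4 only here): address, CIDR, or partial form like 192.168.1."""
    if "/" not in spec:
        octets = spec.rstrip(".").split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    net = ipaddress.ip_network(spec, strict=False)
    return lambda req: ipaddress.ip_address(req["ip"]) in net

def valid_user(req):
    """`Require valid-user`: true only when authentication succeeded."""
    return req.get("user") is not None

def require_all(*rules):
    """<RequireAll>: every enclosed rule must pass."""
    return lambda req: all(rule(req) for rule in rules)

def require_any(*rules):
    """<RequireAny>, also the implicit wrapper around sibling Require lines."""
    return lambda req: any(rule(req) for rule in rules)

# Constructed sample requests (not taken from any real log).
REQUESTS = {
    "lan_anonymous": {"ip": "192.168.1.20", "user": None},
    "vpn_anonymous": {"ip": "10.0.0.7", "user": None},
    "internet_with_password": {"ip": "203.0.113.9", "user": "alice"},
    "internet_anonymous": {"ip": "203.0.113.9", "user": None},
    "lan_with_password": {"ip": "192.168.1.20", "user": "alice"},
}

SUBNETS = (ip_rule("192.168.1"), ip_rule("10.0.0"))
POLICIES = {
    # Both subnets inside <RequireAll>: no address is in both, so nobody passes.
    "all_of_two_subnets": require_all(*SUBNETS),
    "any_of_two_subnets": require_any(*SUBNETS),
    # `Require valid-user` next to the IP block at the same level: implicit OR.
    "siblings_in_one_section": require_any(valid_user, require_any(*SUBNETS)),
    # Password AND allowed network.
    "password_and_network": require_all(valid_user, require_any(*SUBNETS)),
}

def allowed(policy_name):
    """Return the sorted names of sample requests the policy lets through."""
    return sorted(n for n, req in REQUESTS.items() if POLICIES[policy_name](req))

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:26} -> {allowed(name)}")
```

In configuration terms, `password_and_network` corresponds to a `<RequireAll>` that wraps `Require valid-user` and a `<RequireAny>` holding the two `Require ip` lines.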
PHP Integration Configuration
# PHP module configuration (mod_php7.c is the PHP 7 module; PHP 8 registers as mod_php.c)
<IfModule mod_php7.c>
# PHP configuration directives
php_admin_value upload_max_filesize 64M
php_admin_value post_max_size 64M
php_admin_value memory_limit 256M
php_admin_value max_execution_time 300
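# Disable dangerous functions: PHP honors disable_functions only in php.ini,
# not via php_admin_value in the Apache configuration, so set it there:
#   disable_functions = exec,passthru,shell_exec,system,proc_open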
# Hide PHP version
php_admin_flag expose_php Off
</IfModule>
# PHP-FPM configuration (alternative to mod_php)
<IfModule mod_proxy_fcgi.c>
# PHP-FPM backend
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php8.1-fpm.sock|fcgi://localhost"
</FilesMatch>
# Backend timeout for PHP-FPM
<Proxy "unix:/var/run/php/php8.1-fpm.sock|fcgi://localhost">
ProxySet timeout=300
</Proxy>
</IfModule>
# Directory index for PHP applications
DirectoryIndex index.php index.html index.htm
# Prevent direct access to PHP includes
<FilesMatch "\.(inc|conf)$">
Require all denied
</FilesMatch>
Monitoring and Logging Configuration
# Custom log formats
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Virtual host logs
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
# Log level configuration
LogLevel warn
# Server status monitoring
<IfModule mod_status.c>
<Location "/server-status">
SetHandler server-status
Require ip 127.0.0.1
Require ip 192.168.1
</Location>
# Extended status information
ExtendedStatus On
</IfModule>
# Server info page
<IfModule mod_info.c>
<Location "/server-info">
SetHandler server-info
Require ip 127.0.0.1
</Location>
</IfModule>
# Log rotation with logrotate
# Add to /etc/logrotate.d/apache2
# /var/log/apache2/*.log {
# weekly
# missingok
# rotate 52
# compress
# delaycompress
# notifempty
# create 640 www-data adm
# sharedscripts
# postrotate
# systemctl reload apache2
# endscript
# }
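The `combined` format defined in this section, together with the deny rules shown elsewhere on this page, supports a simple detection: find requests for the denied paths and flag any that were answered with a 2xx status, which means the rule is missing or not applied. This is an added Python example, not part of the original page; the log lines are constructed and the function names are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Matches the page's "combined" LogFormat: %h %l %u %t "%r" %>s %O "Referer" "User-Agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?:[^"\\]|\\.)*"$'
)
# Paths the configuration on this page denies or restricts.
SENSITIVE = re.compile(
    r'(^|/)\.ht[^/]*$'               # <FilesMatch "^\.ht">
    r'|/\.(svn|git|hg|bzr)(/|$)'     # <DirectoryMatch "/\.(svn|git|hg|bzr)">
    r'|\.(inc|conf)$'                # <FilesMatch "\.(inc|conf)$">
    r'|^/server-(status|info)$'      # mod_status / mod_info locations
)
# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /%2Ehtpasswd HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:01:00 +0000] "GET /includes/db.inc HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2025:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_probes(lines):
    """Return {client: [(path, status), ...]} for requests to sensitive paths."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        parts = m["req"].split(" ") if m else []
        if len(parts) != 3:
            continue  # other log format, or not "METHOD target PROTOCOL"
        path = unquote(urlsplit(parts[1]).path)  # decode %2E-style escapes
        if SENSITIVE.search(path):
            hits[m["host"]].append((path, int(m["status"])))
    return dict(hits)

def exposed(hits):
    """Probes answered with 2xx: the deny rule is missing or not applied."""
    return sorted((host, path) for host, reqs in hits.items()
                  for path, status in reqs if 200 <= status < 300)

if __name__ == "__main__":
    probes = find_probes(SAMPLE)
    print(probes)
    print("served despite deny rules:", exposed(probes))
```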
Performance Optimization and Security
# Enable compression for better performance
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
# Security configurations
<IfModule mod_security2.c>
# Enable ModSecurity
SecRuleEngine On
# Basic rules
SecRule ARGS "@detectSQLi" \
"id:1001,phase:2,block,msg:'SQL Injection Attack Detected'"
SecRule ARGS "@detectXSS" \
"id:1002,phase:2,block,msg:'XSS Attack Detected'"
</IfModule>
# Rate limiting
<IfModule mod_rewrite.c>
RewriteEngine On
# mod_rewrite keeps no request counters; this rule only copies the client address into an environment variable
RewriteCond %{REMOTE_ADDR} ^(.*)$
RewriteRule ^(.*)$ - [E=REMOTE_ADDR:%1]
# Return 429 when RATE_LIMITED=1; that variable must be set by a separate rate-limiting component
RewriteCond %{ENV:RATE_LIMITED} ^1$
RewriteRule ^(.*)$ - [R=429,L]
</IfModule>
# Basic protection against slow-request DoS (mod_reqtimeout)
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
# Limit request size (10 MB); Apache does not allow a comment on the same line as a directive
LimitRequestBody 10485760
# Server-side includes security
<IfModule mod_include.c>
XBitHack on
SSILegacyExprParser off
</IfModule>