Recommended Apache Modules

Here are some additional configurations and Apache modules that are commonly recommended for security, performance, and convenience:

  1. mod_rewrite: Allows URL rewriting, which is useful for SEO-friendly URLs and redirecting HTTP to HTTPS.

    
    sudo a2enmod rewrite
    
  2. mod_security: Provides an application firewall to protect against common web exploits.

    
    sudo apt-get install libapache2-mod-security2
    sudo a2enmod security2
    
  3. mod_evasive: Helps to protect against DoS, DDoS, and brute force attacks.

    
    sudo apt-get install libapache2-mod-evasive
    sudo a2enmod evasive
    
  4. mod_ssl: Enables SSL/TLS support.

    
    sudo a2enmod ssl
    
  5. mod_deflate: Compresses content before sending it to clients, reducing bandwidth usage.

    
    sudo a2enmod deflate
    
  6. mod_expires: Controls caching to improve performance.

    
    sudo a2enmod expires
    
  7. mod_headers: Allows the use of HTTP headers for security and performance tuning.

    
    sudo a2enmod headers
    

Additional Configuration for Performance and Security

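  1. Enable Gzip Compression: Add the following to your Apache configuration to enable Gzip compression. Over HTTPS, compressing responses that contain both secrets (such as CSRF tokens) and attacker-influenced input exposes them to the BREACH attack, so consider excluding such dynamic pages: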

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
    </IfModule>
    
  2. Set Cache Expiry Headers: Add the following to your Apache configuration to set cache expiry headers:

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType image/jpg "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType text/html "access plus 1 hour"
        ExpiresByType application/javascript "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        ExpiresDefault "access plus 1 month"
    </IfModule>
    
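  3. Basic Security Headers: Add the following to set basic HTTP security headers. Two caveats: Chrome, Edge and Firefox do not act on X-XSS-Protection, so it adds nothing there, and the 'unsafe-inline' sources in script-src and style-src let injected inline code run, which removes most of the CSP's protection against XSS; drop them once the site no longer relies on inline scripts and styles: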

    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "no-referrer-when-downgrade"
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'"
    </IfModule>
    
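  4. Setup ModSecurity: After installing ModSecurity, configure it by editing the main configuration file (on Debian and Ubuntu the package ships it as /etc/modsecurity/modsecurity.conf-recommended, which must first be copied to modsecurity.conf):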

    sudo nano /etc/modsecurity/modsecurity.conf
    

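    Change SecRuleEngine from DetectionOnly to On. With On, ModSecurity blocks requests that match a rule instead of only logging them, so review the audit log for false positives while still in DetectionOnly mode: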

    SecRuleEngine On
    
  5. Enable HTTP/2: HTTP/2 can improve performance. Add the following to your SSL virtual host configuration:

    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    

Example Final Configuration

Combining all the recommendations, your Apache configuration might look like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName sitename.com
    ServerAlias www.sitename.com
    DocumentRoot /var/www/html/sitename.com

    <Directory "/var/www/html/sitename.com">
        # Indexes disabled: directory listings expose file names when no index file exists
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "/var/www/html/sitename.com/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Redirect all HTTP traffic to HTTPS
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName sitename.com
    ServerAlias www.sitename.com
    DocumentRoot /var/www/html/sitename.com

    <Directory "/var/www/html/sitename.com">
        # Indexes disabled: directory listings expose file names when no index file exists
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "/var/www/html/sitename.com/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sitename.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sitename.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Security headers
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "no-referrer-when-downgrade"
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'"
    </IfModule>

    # Enable HTTP/2
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>

    # Enable Gzip Compression
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
    </IfModule>

    # Set Cache Expiry Headers
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType image/jpg "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType text/html "access plus 1 hour"
        ExpiresByType application/javascript "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        ExpiresDefault "access plus 1 month"
    </IfModule>
</VirtualHost>

Apply Configuration

  1. Enable Necessary Modules:

    sudo a2enmod rewrite headers security2 evasive ssl deflate expires http2
    
  2. Restart Apache:

    sudo systemctl restart apache2
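
Because every block above sits inside an <IfModule> wrapper, a module that is not enabled makes its directives disappear without an error, and in the example configuration the headers are set only in the :443 virtual host. The following shell function is an added example, not part of the original guide: it checks a response's headers for the five set under Basic Security Headers and flags 'unsafe-inline' in script-src. The function and sample names are illustrative and the sample responses are constructed.

```bash
#!/bin/sh
# Added example (not from the original page): confirm the header block is live.
# Live use:  curl -sI https://sitename.com/ | audit_headers

# The five headers set in the page's mod_headers block, lowercased.
REQUIRED="x-frame-options x-xss-protection x-content-type-options referrer-policy content-security-policy"

audit_headers() {
    # Strip CRs and lowercase so matching is case-insensitive.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for name in $REQUIRED; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$name:"; then
            echo "MISSING $name"
            rc=1
        fi
    done
    # Isolate the script-src directive of the CSP, if one was sent.
    script_src=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^content-security-policy:\(.*\)$/\1/p' \
        | tr ';' '\n' | grep -E '^ *script-src ' || true)
    case "$script_src" in
        *"'unsafe-inline'"*) echo "WEAK script-src allows 'unsafe-inline'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: :443 response with the page's header block active.
sample_https() {
cat <<'EOF'
HTTP/2 200
content-type: text/html
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'
EOF
}

# Constructed sample: 301 from the :80 vhost, which carries no Header directives.
sample_http() {
cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://sitename.com/
EOF
}

echo "== :443 =="; sample_https | audit_headers || true
echo "== :80 ==";  sample_http  | audit_headers || true
```

The function exits non-zero when anything is reported, so it can gate a deployment script.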
    

By applying these configurations and enabling these modules, you can significantly improve the performance, security, and flexibility of your Apache server.
