Here are some additional configurations and Apache modules that are commonly recommended for security, performance, and convenience:
Recommended Apache Modules
mod_rewrite: Allows URL rewriting, which is useful for SEO-friendly URLs and redirecting HTTP to HTTPS.
sudo a2enmod rewrite
mod_security: Provides an application firewall to protect against common web exploits.
sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
mod_evasive: Helps to protect against DoS, DDoS, and brute force attacks.
sudo apt-get install libapache2-mod-evasive
sudo a2enmod evasive
mod_ssl: Enables SSL/TLS support.
sudo a2enmod ssl
mod_deflate: Compresses content before sending it to clients, reducing bandwidth usage.
sudo a2enmod deflate
mod_expires: Controls caching to improve performance.
sudo a2enmod expires
mod_headers: Allows the use of HTTP headers for security and performance tuning.
sudo a2enmod headers
Additional Configuration for Performance and Security
Enable Gzip Compression: Add the following to your Apache configuration to enable Gzip compression:
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>
Set Cache Expiry Headers: Add the following to your Apache configuration to set cache expiry headers:
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/html "access plus 1 hour"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresDefault "access plus 1 month"
</IfModule>
Basic Security Headers: Add the following to enhance security with basic HTTP headers:
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'"
</IfModule>
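An added example (not part of the original page): a shell check that reads a saved response-header block, such as the output of `curl -sI` against the site, and reports which of the headers configured above are absent. It also flags `'unsafe-inline'` in `script-src`, which the CSP above allows and which lets inline scripts run, so that policy does little against injected inline script. The function names and both sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit saved response headers for the headers set in this section.

# Constructed sample: response when the mod_headers block above is active.
sample_with_headers() { cat <<'EOF'
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'
EOF
}

# Constructed sample: response when none of the headers are being sent.
sample_without_headers() { cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
EOF
}

# header_value NAME: print the value of header NAME from stdin (names are case-insensitive).
header_value() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # strip the CR that HTTP line endings carry
        {
            i = index($0, ":"); if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) != tolower(want)) next
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            print val; exit
        }'
}

# audit_headers: read a header block on stdin, print one finding per line.
audit_headers() {
    resp=$(cat)
    for h in X-Frame-Options X-XSS-Protection X-Content-Type-Options \
             Referrer-Policy Content-Security-Policy; do
        v=$(printf '%s\n' "$resp" | header_value "$h")
        if [ -z "$v" ]; then echo "MISSING $h"; fi
    done
    # Split the CSP on ";" and inspect only the script-src directive.
    printf '%s\n' "$resp" | header_value Content-Security-Policy |
        awk -v RS=';' '$1 == "script-src" && index($0, "\047unsafe-inline\047") {
            print "WEAK script-src allows \047unsafe-inline\047" }'
}

echo "--- headers present ---"; sample_with_headers | audit_headers
echo "--- headers absent ---";  sample_without_headers | audit_headers
```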
Set Up ModSecurity: After installing ModSecurity, configure it by editing the main configuration file:
sudo nano /etc/modsecurity/modsecurity.conf
Change SecRuleEngine from DetectionOnly to On:
SecRuleEngine On
Enable HTTP/2: HTTP/2 can improve performance. Add the following to your SSL virtual host configuration:
<IfModule mod_http2.c>
    Protocols h2 http/1.1
</IfModule>
Example Final Configuration
Combining all the recommendations, your Apache configuration might look like this:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName sitename.com
    ServerAlias www.sitename.com
    DocumentRoot /var/www/html/sitename.com

    <Directory "/var/www/html/sitename.com">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "/var/www/html/sitename.com/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Redirect all HTTP traffic to HTTPS
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName sitename.com
    ServerAlias www.sitename.com
    DocumentRoot /var/www/html/sitename.com

    <Directory "/var/www/html/sitename.com">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "/var/www/html/sitename.com/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sitename.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sitename.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Security headers
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "no-referrer-when-downgrade"
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'"
    </IfModule>

    # Enable HTTP/2
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>

    # Enable Gzip Compression
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
    </IfModule>

    # Set Cache Expiry Headers
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType image/jpg "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType text/html "access plus 1 hour"
        ExpiresByType application/javascript "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        ExpiresDefault "access plus 1 month"
    </IfModule>
</VirtualHost>
Apply Configuration
Enable Necessary Modules:
sudo a2enmod rewrite headers security2 evasive ssl deflate expires http2
Restart Apache:
sudo systemctl restart apache2
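An added example (not from the original page): every hardening block in the virtual host above sits inside `<IfModule>`, so if a module such as headers is not actually loaded, Apache skips the block without an error and the restart still succeeds. The shell functions below compare the guards in a config file with a saved `apache2ctl -M` listing; the function names and both samples are constructed.

```sh
#!/bin/sh
# Added example: find <IfModule> guards whose module is not loaded.

# Constructed sample: the guarded blocks from the :443 vhost on this page.
sample_vhost() { cat <<'EOF'
<VirtualHost *:443>
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html
    </IfModule>
    <IfModule mod_expires.c>
        ExpiresActive On
    </IfModule>
</VirtualHost>
EOF
}

# Constructed sample: `apache2ctl -M` output on a host where headers was never enabled.
sample_loaded() { cat <<'EOF'
Loaded Modules:
 core_module (static)
 deflate_module (shared)
 expires_module (shared)
 http2_module (shared)
 ssl_module (shared)
EOF
}

# guarded_modules CONF: module identifiers named by <IfModule mod_NAME.c> openers.
# Assumes the mod_NAME.c -> NAME_module naming that the modules on this page follow;
# negated guards (<IfModule !mod_NAME.c>) are deliberately not matched.
guarded_modules() {
    sed -n 's/^[[:space:]]*<IfModule[[:space:]]\{1,\}mod_\([A-Za-z0-9_]*\)\.c>.*/\1_module/p' "$1" | sort -u
}

# skipped_guards CONF MODLIST: print each guarded module missing from MODLIST.
skipped_guards() {
    for m in $(guarded_modules "$1"); do
        if ! grep -q "^[[:space:]]*${m}[[:space:]]" "$2"; then
            echo "NOT LOADED: $m (its <IfModule> block is silently ignored)"
        fi
    done
}

conf=$(mktemp); mods=$(mktemp)
sample_vhost > "$conf"; sample_loaded > "$mods"
skipped_guards "$conf" "$mods"
rm -f "$conf" "$mods"
```

On a real host, save the output of `apache2ctl -M` to a file and pass it together with the path of your virtual host file. Running `sudo apache2ctl configtest` before the restart catches syntax errors, but it does not report a skipped `<IfModule>` block.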
By applying these configurations and enabling these modules, you can significantly improve the performance, security, and flexibility of your Apache server.