Apache2 web server

Apache is a thread-per-request server, that is steadily being replaced by event-driven servers such as Nginx or Node.js.

$ sudo apt install apache2

Apache's configuration is found at /etc/apache2/apache2.conf.

πŸ‘‰ You may use an emulator instead of directly installing Apache

  • WAMP server (Windows Apache MySQL PHP) | Notes πŸš€
  • LAMP server (Linux Apache MySQL PHP)
  • MAMP server (macOS Apache MySQL PHP) | Notes ☠️
  • XAMPP (Cross-platform Apache MySQL PHP Perl)

Where to learn?

List of commands

You can use systemctl to handle the apache2 service.

$ sudo systemctl stop apache2
$ sudo systemctl start apache2
$ sudo systemctl reload apache2
$ sudo systemctl restart apache2
$ systemctl status apache2

Apache2 files are located in

$ cd /etc/apache2/conf-available/  # configurations
$ cd /etc/apache2/conf-enabled/    # copies
$ cd /etc/apache2/sites-available/ # websites
$ cd /etc/apache2/sites-enabled/   # copies
$ tail /var/log/apache2/access.log
$ tail /var/log/apache2/error.log

Enable a website

$ cp 000-default.conf example.com.conf # one per website
$ sudo a2ensite example.com.conf
$ sudo a2dissite example.com.conf
$ sudo apache2ctl configtest

Enable a configuration

$ sudo a2enconf some_header.conf

Some modules

$ sudo a2enmod http2
$ sudo a2enmod headers
$ sudo a2enmod ssl
$ sudo a2enmod rewrite

Create a folder xxx for a website, in /var/www/ (usual folder that www-data can read/edit) for a non-root user yyy.

$ sudo mkdir -p /var/www/xxx/
$ sudo chown -R yyy:yyy /var/www/xxx/
$ sudo chmod -R 755 /var/www/xxx/

Sometimes, you may have permission problems. You need to investigate the problem, but one way to fix it is to give www-data the ownership over a directory (allowing them to create/edit files).

$ sudo chown -R www-data:www-data folder/


See also http2.pro.

First, you must indicate that your server supports HTTP2, or HTTP1.1 as a fallback. You must add this to your virtual hosts .conf.

Protocols h2 http/1.1
$ sudo a2enmod http2
$ sudo systemctl start apache2 # ❌ don't

If you try to start the server, you will see an error in error.log.

$ version=7.1
$ sudo apt install php-fpm
$ sudo a2enmod proxy_fcgi setenvif
$ sudo a2enconf php${version}-fpm
$ sudo a2dismod php${version}
$ sudo a2dismod mpm_prefork
$ sudo a2enmod mpm_event
$ sudo systemctl restart apache2

Apache .htaccess

This is a file used to edit the virtual host configuration locally. Simply create a file .htaccess with some instructions inside.

    # add to your configuration
    <Directory /path/to/our/website>
        AllowOverride All
        Require all granted

A .htaccess is applied to a directory and its subdirectories. Every .htaccess in the path to the resource will be loaded. ➑️ In cases of conflict, the nearest (latest) instruction is used.

➑️ See htaccess cheatsheet.

Random instructions

# Disable directory browsing
Options All -Indexes

# Redirect everything (aside from direct access)
# to index.php (when mod_rewrite is not installed)
<IfModule !mod_rewrite.c>
	ErrorDocument 404 index.php

# Add a redirection
Redirect 301 /duck https://duckduckgo.com/

# Deny access to some directories/files
RewriteEngine on
RewriteRule ^/?(\.git|logs|temp|vendor - [F]
RewriteRule /?(README.*|.ht*)$ - [F]

# Limit the size of uploads
LimitRequestBody 512000

Example: block access to everyone aside from localhost

This could be used to only allow a website to access some files such as uploaded avatars. Only can request a resource.

order deny,allow
deny from all
allow from

Example: prompt for basic authentication

The server shows a popup asking for a username, and a password.

AuthUserFile /path/to/some/.htpasswd
AuthName "Protected Files"
AuthType Basic
# username allowed: xxx
Require user xxx

And you need an additional file: /path/to/some/.htpasswd

# username:hashed_password (htpasswd command?)

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

AllowOverride All
  • Disable all ssl aside from TLS 1.2+
# edit /etc/apache2/sites-available/some_config.conf
# Protocols: TLS 1.2, TLS 1.3
SSLProtocol -all +TLSv1.3 +TLSv1.2
# restart: sudo service apache2 restart
# edit /etc/apache2/sites-available/some_config.conf
# append either 1) 2), 3) or sometime else
# don't forget to restart when you're done
# sudo service apache2 restart
SSLHonorCipherOrder on


sudo nano /etc/apache2/conf-enabled/security.conf
# ServerSignature Off
# ServerTokens Prod
$ sudo a2query -m
$ sudo a2enconf # select a conf
$ sudo a2enmod  # select a mod

OCSP Stapling

# use either 1) or 2), don't forget to restart
# restart: sudo service apache2 restart

# Proposition 1)
# edit /etc/apache2/sites-available/some_config.conf
# near the end
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Proposition 2)
# in /etc/apache2/mods-available/ssl.conf
# near the end
SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
  • SSLCompression disabled by default, should stay disabled to prevent attacks such as CRIME.

  • SSLSessionTickets: MUST BE DISABLED (enabled by default) if you are not restarting your server periodically

SSLSessionTickets off

Permissions for files/folders.

# ➑️ If you're using public_html
$ chmod 711 ~
$ chmod 711 ~/public_html
# ➑️ The least permissions
$ chmod 600 file.php # for a .php
$ chmod 644 file.html # for a .html
$ chmod 711 folder # for a folder