# Apache Setup

Debian / Ubuntu

## Overview

Install the Apache web server and complete its initial configuration.

## Assumptions

- Initial System Setup completed.
- Acme.sh Setup completed.
- Logged in as an administrative user.
## Update

Before getting started, update the package repositories and apply upgrades for the latest patches.

```shell
# Debian
sudo apt update
sudo apt upgrade
```
## Install Apache

Install the Apache package `apache2` using `apt`.

```shell
sudo apt install apache2
```

Apache is enabled by default; verify this and check that it is running.

```shell
sudo systemctl status apache2
```
## Configure Apache

Configure Apache as required by the web service.

### security.conf

Some Apache settings should be modified from their default state for optimal security. Open Apache's `security.conf` file in your text editor of choice.

```shell
sudo nano /etc/apache2/conf-available/security.conf
```

By default, Apache will publicly display some sensitive information about your server, including the Apache version and OS type. Apache will also respond to TRACE requests by default, which can expose your web server to cross-site tracing (XST). Change this behavior by setting `ServerTokens` to `Prod` (production), and disabling `ServerSignature` and `TraceEnable`.

```apache
ServerTokens Prod
ServerSignature Off
TraceEnable Off
```

Set the headers `X-Content-Type-Options`, `X-Frame-Options`, and `X-XSS-Protection` so that they are applied to all virtual hosts by default. These can be overridden on a per-host basis.

- `X-Content-Type-Options` is used to disable MIME type sniffing.
- `X-Frame-Options` is used to prevent your site's content from being loaded in third-party iframes or embeds, to prevent click-jacking.
- `X-XSS-Protection` enables XSS filtering; this is the default behavior on modern browsers, and the header is included for legacy support.

```apache
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
```
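A quick way to confirm that the hardening above actually took effect on disk is to audit the file for the active directives. The script below is an added example and is not part of the original guide or of Apache; the function names and the two sample files it audits are constructed for this example (the "unhardened" file is a made-up sample, not Debian's shipped defaults). Only uncommented lines count, so a leftover `#ServerTokens Prod` is reported as a failure.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a security.conf for the
# hardening directives described above. Only active (uncommented) lines count.
# Function names and the sample files are assumptions made for this example.

# Return 0 when FILE ($1) has an active line "NAME VALUE" ($2 $3).
# Apache treats directive names and these particular values case-insensitively.
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# Return 0 when FILE ($1) has an active 'Header set NAME "VALUE"' ($2, $3).
# Quotes around the value are optional and "Header always set" is accepted too.
has_header() {
    grep -Eiq "^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+$2[[:space:]]+\"?$3\"?[[:space:]]*$" "$1"
}

# Audit FILE against the guide's settings. Prints one line per check and
# returns the number of failed checks (0 means every setting is in place).
audit_security_conf() {
    f=$1
    failures=0
    for spec in "ServerTokens Prod" "ServerSignature Off" "TraceEnable Off"; do
        name=${spec%% *}; value=${spec#* }
        if has_directive "$f" "$name" "$value"; then
            echo "ok   : $name $value"
        else
            echo "FAIL : $name is not set to $value"
            failures=$((failures + 1))
        fi
    done
    for spec in "X-Content-Type-Options|nosniff" "X-Frame-Options|sameorigin" \
                "X-XSS-Protection|1; mode=block"; do
        name=${spec%%|*}; value=${spec#*|}
        if has_header "$f" "$name" "$value"; then
            echo "ok   : Header $name \"$value\""
        else
            echo "FAIL : Header $name is not set to \"$value\""
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample files for the demo: one unhardened, one matching the guide.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/unhardened.conf" <<'EOF'
ServerTokens OS
ServerSignature On
TraceEnable On
#ServerTokens Prod
EOF
cat > "$tmp/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
EOF

for c in unhardened hardened; do
    echo "== $c.conf"
    audit_security_conf "$tmp/$c.conf" || echo "$? check(s) failed"
done
```

Run it against `/etc/apache2/conf-available/security.conf` after editing. The file audit only proves the directives are written; once Apache has been restarted, `curl -sI https://example.com/` shows whether the headers are actually emitted, which also requires the `headers` module enabled as described in the Apache Modules section.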
### ports.conf

Define the ports that Apache should listen on in the `ports.conf` file.

```shell
sudo nano /etc/apache2/ports.conf
```

The default configuration is acceptable if running on the standard ports 80 (HTTP) and 443 (HTTPS).

```apache
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>
```
### Apache Modules

Enable the Apache `headers` module so that the configured `Header` directives take effect.

```shell
sudo a2enmod headers
```

Enable the Apache `ssl` module for SSL/TLS support.

```shell
sudo a2enmod ssl
```

Restart Apache to apply the changes.

```shell
sudo systemctl restart apache2
```
## Create Web Directory

Store Apache website files in the `/var/www/` directory. Create a directory named after your domain, `example.com`, and within it a directory named `public` that will actually hold your website files. The document root for the website will be `/var/www/example.com/public/`.

```shell
sudo mkdir -p /var/www/example.com/public
```

Configure Apache's user as the owner of the web directory.

```shell
sudo chown -R www-data:www-data /var/www/example.com
```

Set the directory permissions so that the owner can read / write / execute and the group can read / execute, with no access for other users. Add yourself to the `www-data` group so that you can continue to navigate the directory.

```shell
sudo chmod -R 750 /var/www/example.com
sudo usermod -aG www-data exampleuser
```
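The three commands above are easy to run once and then let drift as files are copied in by other accounts. The script below, an added example that is not part of the original guide, wraps them in a function and adds a verification step that lists anything under the web root whose mode or ownership no longer matches. The base directory, owner and group are parameters (assumed names for this example) so that it can be exercised in a scratch directory as an unprivileged user; in production it would be called with `/var/www`, `www-data` and `www-data` under `sudo`. The guide's `usermod` step is separate and not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original guide: create a per-domain web root as
# described above and verify its ownership and mode afterwards.
# Function names and the scratch paths are assumptions made for this example.

# Create BASE/DOMAIN/public, give the tree to OWNER:GROUP and set mode 750
# (owner rwx, group rx, others nothing) on every file and directory in it.
# Production call (as in the guide): create_webroot /var/www example.com www-data www-data
create_webroot() {
    base=$1; domain=$2; owner=$3; group=$4
    mkdir -p "$base/$domain/public" || return 1
    chown -R "$owner:$group" "$base/$domain" || return 1
    chmod -R 750 "$base/$domain"
}

# Print the octal mode of PATH (GNU stat; on BSD/macOS use: stat -f %Lp).
mode_of() {
    stat -c %a "$1"
}

# Print the owner:group of PATH.
owner_of() {
    stat -c %U:%G "$1"
}

# Return 0 when nothing under ROOT deviates from mode 750 or from OWNER:GROUP;
# otherwise list the offending paths on stderr and return 1. Worth re-running
# after each deployment: a single stray "chmod 777" or a file copied in by a
# different account reopens the tree to other local users.
verify_webroot() {
    root=$1; owner=$2; group=$3
    bad=$(find "$root" ! -perm 750 -o ! -user "$owner" -o ! -group "$group")
    if [ -n "$bad" ]; then
        echo "webroot check failed for:" >&2
        echo "$bad" >&2
        return 1
    fi
}

# Demo on a constructed scratch tree owned by the current user.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
me=$(id -un); mygroup=$(id -gn)
create_webroot "$tmp" example.com "$me" "$mygroup"
verify_webroot "$tmp/example.com" "$me" "$mygroup" \
    && echo "webroot OK: $(owner_of "$tmp/example.com/public") $(mode_of "$tmp/example.com/public")"
```

Note that with `www-data` owning the tree, as the guide configures, the web server process itself can modify the site files; the check above does not change that layout, it only reports when the mode or owner has drifted from what was set.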
## Virtual Hosts

Configure an HTTPS or HTTP Apache virtual host for the web server.

Apache can use name-based routing, allowing multiple websites on the same port as long as `ServerName` is defined.

Create a new virtual host configuration file in the `/etc/apache2/sites-available/` directory.

```shell
sudo nano /etc/apache2/sites-available/example.com.conf
```

### HTTPS Host

Configure an HTTPS virtual host. Verify that a certificate has been generated and is present on the system, commonly in the `/etc/apache2/ssl` directory.

If the system does not have a certificate, generate and install a Let's Encrypt certificate with Acme.sh.

If the system cannot generate a certificate with Let's Encrypt, a self-signed certificate can be generated instead. This will result in TLS warnings in browsers.

```shell
# Only use for self-signed certs
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/apache2/ssl/apache-selfsigned.key -out /etc/apache2/ssl/apache-selfsigned.pem
```
Consider the template configuration below. The notable required changes are as follows.

| Setting | Value | Description |
|---|---|---|
| HTTP Host (80) | — | — |
| `ServerName` | example.com | Primary site domain. |
| `ServerAlias` | www.example.com | Optional alias domain. |
| `Redirect` | / https://example.com/ | Redirect all HTTP traffic to HTTPS. |
| HTTPS Host (443) | — | — |
| `ServerAdmin` | [email protected] | Public email address. |
| `ServerName` | example.com | Primary site domain. |
| `ServerAlias` | www.example.com | Optional alias domain. |
| `DocumentRoot` | /var/www/example.com/public | Site document root. |
| `SSLCertificateFile` | /etc/apache2/ssl/example-cr.pem | Path to certificate file. |
| `SSLCertificateKeyFile` | /etc/apache2/ssl/example-cr.key | Path to key file. |
| `SSLCACertificateFile` | /etc/apache2/ssl/example-ca.pem | Optional, path to CA certificate file. |
| `<Directory>` | /var/www/example.com/public/ | Path to apply directory rules. |
```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example-cr.pem
    SSLCertificateKeyFile /etc/apache2/ssl/example-cr.key
    SSLCACertificateFile /etc/apache2/ssl/example-ca.pem

    <Directory /var/www/example.com/public/>
        # No directory listings, no following of symlinks out of the docroot,
        # and no .htaccess overrides.
        Options -Indexes -FollowSymLinks
        # Apache 2.2-style access control; on Apache 2.4 this works through
        # mod_access_compat, and the native equivalent is "Require all granted".
        Order deny,allow
        AllowOverride none
    </Directory>
</VirtualHost>
```
When using a cloud provider as a proxy in front of this web server, authenticated origin pulls may be configured so that Apache only accepts TLS connections presenting the provider's client certificate. When using authenticated origin pulls, add the following configuration to the HTTPS virtual host, with `SSLCACertificateFile` pointing at the provider's origin-pull CA certificate.

```apache
SSLVerifyClient require
SSLVerifyDepth 1
```
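Filling the template by hand for every host is where typos in certificate paths creep in, and a missing key file is the usual reason `apache2ctl configtest` fails right after setup. The script below is an added example, not part of the original guide: it renders the HTTPS virtual host above for a given domain and certificate pair, refuses to emit a config whose certificate or key is unreadable, and warns when the private key is world-readable. The `<Directory>` block uses `Require all granted`, the Apache 2.4 form of the guide's `Order deny,allow` line. The function name, argument order, the `admin@example.com` placeholder and the empty placeholder certificate files in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: render the guide's HTTPS virtual
# host for DOMAIN with sanity checks on the certificate and key paths.
# Function name, argument order and the scratch paths are assumptions.

# Usage: render_vhost DOMAIN DOCROOT CERT KEY ADMIN_EMAIL
# Prints the config on stdout. Returns 2 for an invalid domain, 1 for a
# missing or unreadable certificate/key, 0 on success.
render_vhost() {
    domain=$1; docroot=$2; cert=$3; key=$4; admin=$5
    # Only hostname characters are allowed; anything else would end up
    # verbatim in ServerName and the Redirect target.
    case "$domain" in
        ""|*[!A-Za-z0-9.-]*) echo "invalid domain: '$domain'" >&2; return 2 ;;
    esac
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 1; }
    # A key readable by "other" is readable by every local account.
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "warning: private key $key is world-readable" >&2
    fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    Redirect / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin $admin
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    <Directory $docroot/>
        Options -Indexes -FollowSymLinks
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Demo with constructed placeholder files (empty, not real PEM material).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
: > "$tmp/example-cr.pem"
: > "$tmp/example-cr.key"
chmod 600 "$tmp/example-cr.key"
render_vhost example.com /var/www/example.com/public \
    "$tmp/example-cr.pem" "$tmp/example-cr.key" admin@example.com
```

On a real host, redirect the output into `/etc/apache2/sites-available/example.com.conf` and then run `apache2ctl configtest` as described under Enable Virtual Host; the script checks that the files exist and are readable, not that they contain a valid certificate and matching key, which is what `configtest` verifies.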
### HTTP Host

Configure an HTTP virtual host only if the system will not be using HTTPS. This should be avoided; configure HTTPS instead. Refer to the settings table above for configuration information.

```apache
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/example.com/public/>
        Options -Indexes -FollowSymLinks
        # Apache 2.2-style access control; on Apache 2.4 this works through
        # mod_access_compat, and the native equivalent is "Require all granted".
        Order deny,allow
        AllowOverride none
    </Directory>
</VirtualHost>
```
### Enable Virtual Host

Test the Apache configuration; it should return `Syntax OK`.

```shell
sudo apache2ctl configtest
```

Disable the default host configuration using Apache's `a2dissite` command.

```shell
sudo a2dissite 000-default.conf
```

Enable the configured virtual host using the `a2ensite` command.

```shell
sudo a2ensite example.com.conf
```

Finally, restart Apache to apply the configuration changes.

```shell
sudo systemctl restart apache2
```
## Firewall

Allow connections through the system firewall to the configured HTTP and HTTPS ports, 80 and 443 by default.

```shell
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

Reload the firewall to apply the changes.

```shell
sudo ufw reload
```

Check the firewall status to see which connections are currently being accepted.

```shell
sudo ufw status
```