Securing Apache starts with module management, permission control, SSL/TLS encryption and log monitoring. 1. Disable unnecessary modules such as mod_imap and mod_info by commenting out their LoadModule lines, then restart the service; 2. Set the root directory permissions to 755 or lower, restrict write permissions, and disable directory traversal and script execution in the configuration; 3. Enable HTTPS with a Let's Encrypt certificate and disable old protocol versions and weak cipher suites; 4. Check the access and error logs regularly, use fail2ban to block abnormal IPs, and restrict sensitive paths to specific IP addresses.
Apache is the underlying service of many websites, and its security directly determines how exposed the entire site is to attack. Making it safer is not complicated, but there are many details that are easily overlooked.
Disable unnecessary modules
Apache has many modules installed by default, some of which you may never use and which can become a security hazard. For example, if modules such as mod_imap, mod_info and mod_status are not used, turn them off. The method is to comment out or delete the corresponding LoadModule line in the configuration file.
- Use httpd -M or apache2ctl -M to view the currently enabled modules
- Modify httpd.conf or apache2.conf to disable unwanted modules
- Remember to restart Apache after every modification: systemctl restart apache2 or service httpd restart
The advantage of this is to reduce the potential attack surface and also enable the server to run lighter and faster.
Set appropriate permissions and directory access control
By default, the root directory of Apache (DocumentRoot) is usually /var/www/html. The permissions on this directory must be set carefully so that it is not writable by everyone. General suggestions:
- Set the owner to root or a dedicated user; the group can be www-data (Ubuntu) or apache (CentOS)
- Set permissions to 755 or lower to ensure that only administrators can modify content
- Restrict access in .htaccess or the virtual host configuration
For example, add:
    <Directory /var/www/html>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
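This can prevent common problems such as directory traversal and script execution: Options None turns off directory indexes, symlink following, CGI execution and server-side includes, and AllowOverride None makes Apache ignore .htaccess files under this directory, so any further restrictions must then go in the server or virtual host configuration.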
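To check the "755 or lower" rule on an existing tree, the following added example (not part of the original article) lists every entry that is group- or world-writable or carries a setuid/setgid bit. The function names and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report entries under a DocumentRoot that break "755 or lower".

# audit_docroot DIR -> one path per line for every file or directory that is
# group- or world-writable, or carries a setuid/setgid bit. Symlinks are
# skipped because their own mode bits are not meaningful.
audit_docroot() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -002 -o -perm -4000 -o -perm -2000 \) \
        -print | sort
}

# Constructed demo tree standing in for /var/www/html (not a real site).
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    : > "$d/index.html"
    : > "$d/uploads/cache.dat"
    chmod 755 "$d"
    chmod 644 "$d/index.html"
    chmod 777 "$d/uploads"            # world-writable directory: flagged
    chmod 666 "$d/uploads/cache.dat"  # world-writable file: flagged
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_docroot "$demo"
rm -rf "$demo"
```

On a real server, run audit_docroot /var/www/html; an empty result means nothing under the tree exceeds 755.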
Enable SSL/TLS encrypted connections
Almost all websites should now enable HTTPS. You can do this with a free Let's Encrypt certificate.
- Install Certbot and its Apache plug-in
- Use the command certbot --apache to automatically configure the certificate
- Check whether the configuration automatically redirects HTTP to HTTPS
- Periodically test whether certificate renewal works (you can use certbot renew --dry-run)
After the SSL configuration is complete, remember to disable old protocol versions (such as SSLv3) and weak cipher suites on the server to avoid man-in-the-middle attacks.
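The following added example (not from the original article) puts a weak mod_ssl configuration beside a hardened one and checks both for legacy protocols and weak ciphers. Both configurations are constructed samples, audit_tls is a hypothetical helper that only approximates how Apache evaluates these directives, and the TLSv1.3 token assumes Apache 2.4.36 or later built against OpenSSL 1.1.1.

```shell
#!/bin/sh
# Added example: flag legacy protocols and weak ciphers in mod_ssl directives.

# Constructed "before" config: SSLProtocol all still admits SSLv3/TLSv1/TLSv1.1
# on builds that support them, and the cipher string lets RC4 through.
weak_conf() { cat <<'EOF'
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM
EOF
}

# Constructed "after" config: TLS 1.2/1.3 only, AEAD suites with forward secrecy.
hardened_conf() { cat <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# audit_tls (hypothetical helper): reads config text on stdin and prints one
# finding per line. It replays the +/- tokens of SSLProtocol left to right and
# checks SSLCipherSuite entries that are not negated with "!" or "-".
audit_tls() {
    awk '
    tolower($1) == "sslprotocol" {
        split("sslv3 tlsv1 tlsv1.1", legacy, " ")
        split("", on)                      # reset state for each directive
        for (i = 2; i <= NF; i++) {
            t = tolower($i); sign = "+"
            if (t ~ /^[+-]/) { sign = substr(t, 1, 1); t = substr(t, 2) }
            if (t == "all") { for (k = 1; k <= 3; k++) on[legacy[k]] = (sign == "+") }
            else on[t] = (sign == "+")
        }
        for (k = 1; k <= 3; k++) if (on[legacy[k]]) print "protocol " legacy[k]
    }
    tolower($1) == "sslciphersuite" {
        n = split($NF, c, ":")
        for (i = 1; i <= n; i++)
            if (c[i] !~ /^[!-]/ && c[i] ~ /RC4|3DES|MD5|EXP|NULL|LOW/)
                print "cipher " c[i]
    }'
}

echo "weak:";     weak_conf | audit_tls
echo "hardened:"; hardened_conf | audit_tls
```

After changing the real configuration, validate it with apachectl configtest before restarting.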
Log monitoring and access restrictions
By default, Apache will record access logs and error logs. These logs are not only troubleshooting tools, but also help you discover abnormal behaviors, such as frequent 404 requests or attempts to scan for vulnerabilities.
- Check logs regularly: /var/log/apache2/access.log and /var/log/apache2/error.log
- Combine them with tools such as fail2ban to automatically block abnormal IPs
- Restrict access to certain paths in the configuration, for example so that the admin back-end page only allows access from specific IPs:

    <Directory /var/www/html/admin>
        Require ip 192.168.1.0/24
    </Directory>
This way, even if someone guesses the admin URL, they cannot get in.
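The "frequent 404 requests" signal mentioned above can be pulled out of a combined-format access log as follows; this is an added example, not part of the original article, and it shows by hand the kind of pattern a tool such as fail2ban acts on automatically. The log lines are constructed, scan_suspects is a hypothetical helper, and the parsing assumes the request line contains no embedded double quotes.

```shell
#!/bin/sh
# Added example: spot scanner-like 404 bursts in an Apache combined access log.

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() { cat <<'EOF'
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2025:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:05:40 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:09:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

# scan_suspects MIN (hypothetical helper): reads log lines on stdin and prints
# "IP distinct_404_paths total_404s" for each client with at least MIN distinct
# missing paths. Counting distinct paths separates probing from one broken link.
scan_suspects() {
    awk -F'"' -v min="$1" '
    {
        split($1, pre, " ")    # client IP is the first field before the request
        split($2, req, " ")    # request line: METHOD PATH PROTOCOL
        split($3, post, " ")   # status code follows the quoted request
        if (post[1] != "404") next
        ip = pre[1]; key = ip SUBSEP req[2]
        total[ip]++
        if (!(key in seen)) { seen[key] = 1; distinct[ip]++ }
    }
    END {
        for (ip in distinct)
            if (distinct[ip] + 0 >= min + 0) print ip, distinct[ip], total[ip]
    }' | sort
}

sample_log | scan_suspects 3
```

Against a live server, feed it the real log instead: scan_suspects 20 < /var/log/apache2/access.log, tuning the threshold to the site's normal traffic.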
Basically that's it. Apache security hardening does not require much advanced technology. The key is to make the foundation solid, check the configuration and logs regularly, and not leave any back doors.