🔐 Apache Web Server Security Guide

Securing your Apache server is critical to protect your websites, data, and infrastructure. This guide will help you lock it down using best practices. 🚨🛡️

🚪 1. Disable Directory Listing

<Directory /var/www/html>
  Options -Indexes
</Directory>

🚫 Prevents users from browsing directories without an index file.

🚷 2. Restrict Access to Sensitive Files

<FilesMatch "(\.htaccess|\.htpasswd|\.env|composer\.json)">
  Require all denied
</FilesMatch>

🔐 Blocks direct access to common sensitive config files.

🔄 3. Keep Apache & System Updated

sudo apt update && sudo apt upgrade

📦 Apply latest security patches regularly.

🛡️ 4. Use the `ServerTokens` and `ServerSignature` Directives

ServerTokens Prod
ServerSignature Off

🔍 Hides Apache version info from headers and error pages.

🚦 5. Configure Firewall (UFW Example)

sudo ufw allow 'Apache Full'
sudo ufw enable

🧱 Ensures only HTTP/HTTPS traffic is allowed through the firewall.

🌐 6. Enable HTTPS (SSL/TLS)

Use Certbot to enable SSL:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

🔐 Secures traffic with free Let’s Encrypt certificates.

🚫 7. Disable Unused Modules

sudo a2dismod autoindex cgi status

⚙️ Reduces potential attack surface by disabling unneeded modules.

🛠️ 8. Use `.htaccess` Security

<FilesMatch "^.*\.(php|php5|php7|phtml)$">
  SetHandler application/x-httpd-php
</FilesMatch>

<FilesMatch "^.*\.(bak|config|sql|ini)$">
  Require all denied
</FilesMatch>

🧤 Adds extra security for PHP and config files via .htaccess.

🔍 9. Monitor Logs Regularly

tail -f /var/log/apache2/access.log
journalctl -xe | grep apache2

📈 Spot suspicious activity early with frequent log reviews.

🧠 10. Disable .htaccess if Not Needed

AllowOverride None

🛑 Prevents abuse of .htaccess if site doesn’t need it (improves performance too).

✅ Summary Checklist

Security Step	Purpose
🔒 Disable Directory Index	Stop directory browsing
🚫 Block Sensitive Files	Protect .env, .htaccess, etc.
💾 Regular Updates	Apply latest security patches
🙈 Hide Server Info	Disable ServerTokens and ServerSignature
🧱 UFW Firewall	Allow only HTTP and HTTPS
🔐 Use SSL/TLS	Encrypt all traffic with Let’s Encrypt
⚙️ Remove Unused Modules	Limit what Apache exposes
🛠️ Harden .htaccess	Restrict risky file types
📊 Monitor Logs	Detect and respond to intrusions early
🛑 Disable AllowOverride	Only when .htaccess is not required

🎉 With these steps, your Apache server is now safer, faster, and more secure. Stay vigilant and keep your configs clean and up to date! 💪

Would you like the next one on .htaccess.md or performance-tuning.md? 🚀

🚪 1. Disable Directory Listing​

🚷 2. Restrict Access to Sensitive Files​

🔄 3. Keep Apache & System Updated​

🛡️ 4. Use the ServerTokens and ServerSignature Directives​

🚦 5. Configure Firewall (UFW Example)​

🌐 6. Enable HTTPS (SSL/TLS)​

🚫 7. Disable Unused Modules​

🛠️ 8. Use .htaccess Security​

🔍 9. Monitor Logs Regularly​

🧠 10. Disable .htaccess if Not Needed​

✅ Summary Checklist​