Apache Cheatsheet - HTTP Server Config, VirtualHost, .htaccess, Rewrite, SSL, Proxy

Validate Apache configuration syntax before reload. Debian also accepts `apache2ctl configtest`; RHEL usually has `apachectl` or `httpd -t`.

Watch out: Run this before every reload. A broken config can stop a restart cold.

sudo apachectl configtest

sudo apache2ctl configtest

sudo httpd -t

Gracefully reload config while letting existing requests finish.

Watch out: Use restart only when a graceful reload cannot pick up the change.

sudo apachectl graceful

sudo apache2ctl graceful

Systemd reload for Debian `apache2` or RHEL `httpd` service names.

sudo systemctl reload apache2

sudo systemctl reload httpd

sudo systemctl status apache2

List loaded static and shared modules. Fast way to confirm mod_rewrite, mod_proxy, mod_ssl, or mod_headers is active.

apachectl -M | grep rewrite

apache2ctl -M | grep headers

Dump parsed virtual hosts, ports, names, aliases, and default vhost choice.

Watch out: If the wrong site answers a host, this command usually explains why.

sudo apachectl -S

sudo apache2ctl -S

Debian helpers that symlink or unlink files in sites-enabled.

sudo a2ensite example.conf

sudo a2dissite 000-default.conf

sudo systemctl reload apache2

Debian helpers that enable or disable Apache modules.

sudo a2enmod rewrite headers ssl proxy_http

sudo a2dismod autoindex

Base directory for relative Apache config paths. Debian and RHEL use different layouts.

ServerRoot "/etc/apache2"

ServerRoot "/etc/httpd"

Bind Apache to a port or address. Multiple Listen directives can enable IPv4, IPv6, HTTP, and HTTPS.

Watch out: Port already in use errors come from Listen conflicts or another service on the same port.

Listen 80

Listen 443 https

Listen 127.0.0.1:8080

Load optional config files or globs without failing when the glob is empty.

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

Load a shared module. Most package-managed servers hide this behind a2enmod or conf.modules.d.

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule ssl_module modules/mod_ssl.so

Unix user and group used by worker processes.

Watch out: DocumentRoot files must be readable by this user, not just by your deploy user.

User www-data
Group www-data

User apache
Group apache

Reduce version disclosure in server headers.

ServerTokens Prod

ServerSignature Off

Reuse TCP connections for multiple requests. Usually keep it on for browser traffic.

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

Define a site for a specific address and port. Name-based vhosts use ServerName and ServerAlias inside this block.

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
</VirtualHost>

Primary hostname for the vhost. Also fixes AH00558 when set globally.

ServerName example.com

ServerName localhost

Additional hostnames that should route to the same vhost.

ServerAlias www.example.com

ServerAlias *.example.net

Filesystem root for static files served by this vhost.

Watch out: DocumentRoot alone is not enough. Add a matching Directory block with access rules.

DocumentRoot "/var/www/site/public"

Default files Apache tries when a request maps to a directory.

DirectoryIndex index.html

DirectoryIndex index.php index.html

Custom error page or response for a status code.

ErrorDocument 404 /404.html

ErrorDocument 503 "Maintenance window"

Attach access, options, and override rules to a filesystem directory.

<Directory "/var/www/site">
    Require all granted
    Options -Indexes +FollowSymLinks
</Directory>

Allow all clients. Common inside a public DocumentRoot Directory block.

Require all granted

Deny all clients. Useful for private directories and default-deny blocks.

Require all denied

Enable or disable directory features such as listings, symlinks, CGI, and includes.

Watch out: `Options Indexes` exposes directory listings when no index file exists.

Options -Indexes +FollowSymLinks

Options None

Ignore .htaccess files under this directory. Best default for performance and reviewability.

AllowOverride None

Allow only selected .htaccess override classes.

Watch out: Prefer narrow classes over `AllowOverride All`.

AllowOverride FileInfo AuthConfig

AllowOverride None

Redirect directory URLs to include a trailing slash so relative links resolve correctly.

DirectorySlash On

Enable mod_rewrite rules in this scope.

Watch out: RewriteRule lines do nothing when RewriteEngine is off or mod_rewrite is not loaded.

RewriteEngine On

Condition applied to the next RewriteRule only.

RewriteCond %{HTTPS} !=on

RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]

Rewrite or redirect a URL path. The pattern matches a path without the leading slash in per-directory and .htaccess context.

Watch out: For redirects, include `[R=301,L]` or `[R=302,L]` so processing stops after the redirect.

RewriteRule ^old/(.*)$ /new/$1 [R=301,L]

RewriteRule ^index\.php$ - [L]

Simple prefix redirect from mod_alias. Easier than mod_rewrite when no conditions are needed.

Redirect 301 /old https://example.com/new

Redirect gone /removed

Regex redirect from mod_alias.

RedirectMatch 301 ^/old/(.*)$ https://example.com/new/$1

Base path for substitutions in per-directory rewrites. Mostly used in .htaccess under a subdirectory.

RewriteBase /app/

Forward matching requests to an upstream server.

Watch out: Trailing slash behavior matters. Pair with ProxyPassReverse for most HTTP apps.

ProxyPass / http://127.0.0.1:3000/

ProxyPass /api/ http://app:8080/api/

Rewrite upstream Location headers back to the public URL.

ProxyPassReverse / http://127.0.0.1:3000/

Send the original Host header to the upstream app.

ProxyPreserveHost On

Tell the upstream app the original scheme behind TLS termination.

RequestHeader set X-Forwarded-Proto "https"

RequestHeader set X-Forwarded-Port "443"

Timeout for proxied requests.

Watch out: Raising timeout hides slow upstreams. Fix app latency when possible.

ProxyTimeout 60

Member of a mod_proxy_balancer upstream pool.

<Proxy "balancer://app">
    BalancerMember http://app1:8080
    BalancerMember http://app2:8080
</Proxy>
ProxyPass / balancer://app/

Enable TLS for this vhost.

SSLEngine on

Certificate file presented to clients. Let us Encrypt deployments normally use fullchain.pem.

Watch out: Using only the leaf cert can break clients that need the intermediate chain.

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

Private key matching the certificate.

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Limit protocol versions. Keep TLS 1.2 and 1.3 for modern public sites.

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Enable OCSP stapling when mod_ssl and the certificate chain support it.

SSLUseStapling on

SSLStaplingCache shmcb:/var/run/ocsp(128000)

Use HTTP Basic authentication for a directory or location.

AuthType Basic

Realm label shown in the browser login prompt.

AuthName "Restricted area"

Path to the password file generated by htpasswd.

Watch out: Keep the file outside DocumentRoot so users cannot download hashes.

AuthUserFile /etc/apache2/.htpasswd

Allow any authenticated user from the AuthUserFile.

Require valid-user

Allow only named authenticated users.

Require user alice bob

Group file for `Require group` rules.

AuthGroupFile /etc/apache2/.htgroups

Require group admins

Set a response header using mod_headers.

Header set Cache-Control "public, max-age=31536000"

Header set X-Content-Type-Options "nosniff"

Set a header even on error responses and redirects.

Watch out: Use HSTS only after HTTPS works for every host you serve.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Set a request header before Apache proxies to the upstream.

RequestHeader set X-Forwarded-Proto "https"

Set environment variables based on request metadata.

SetEnvIfNoCase User-Agent "bot" is_bot

CustomLog logs/access.log combined env=!is_bot

Map file extensions to MIME types.

AddType application/wasm .wasm

AddType image/svg+xml .svg

Compress selected response types with mod_deflate.

AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

Enable mod_expires rules in the current scope.

ExpiresActive On

Set browser cache expiration by MIME type.

ExpiresByType text/css "access plus 1 month"

ExpiresByType image/png "access plus 1 year"

Let normal auth and rewrite phases run before mod_cache serves cached content.

CacheQuickHandler off

Disk path used by mod_cache_disk.

CacheRoot "/var/cache/apache2/mod_cache_disk"

Enable a cache provider for a URL path.

CacheEnable disk /assets/

CacheDisable /api/

Compression level for mod_deflate. Higher is not always better under CPU pressure.

DeflateCompressionLevel 6

Main error log path. Debug most config and permission issues here first.

ErrorLog ${APACHE_LOG_DIR}/error.log

ErrorLog /var/log/httpd/example-error.log

Access log path plus LogFormat name.

CustomLog ${APACHE_LOG_DIR}/access.log combined

Define a named access-log format.

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%v %h %>s %D \"%r\"" vhost_timing

Error log verbosity. Raise temporarily when debugging modules.

LogLevel warn

LogLevel rewrite:trace3 proxy:debug

Pipe logs through rotatelogs for time-based rotation.

CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access.%Y%m%d 86400" combined

Per-directory config file read at request time when AllowOverride permits it.

Watch out: It is slower and harder to audit than vhost config. Use only when needed.

# .htaccess
RewriteEngine On
RewriteRule ^old$ /new [R=301,L]

Allow every .htaccess override class.

Watch out: Avoid as a default. It expands attack surface and makes behavior depend on files outside vhost review.

AllowOverride FileInfo AuthConfig

# Avoid broad default:
AllowOverride All

Apply rules to files whose names match a regex.

<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

Map a handler to file extensions. Common on shared hosting, risky when misapplied.

AddHandler application/x-httpd-php .php

Disable HTTP TRACE.

TraceEnable Off

Hide server signature on generated error pages.

ServerSignature Off

Disable directory listing.

Options -Indexes

Allow only selected client IP ranges.

Require ip 10.0.0.0/8

Require ip 192.168.1.0/24

Apply authz rules to all methods except the listed ones.

<LimitExcept GET POST>
    Require all denied
</LimitExcept>

Disable file-based ETags when inode/path leakage or multi-node mismatch matters.

FileETag None

Check Directory `Require`, filesystem permissions, SELinux, and .htaccess overrides.

sudo tail -f /var/log/apache2/error.log

namei -l /var/www/site/index.html

Check the vhost selected by apachectl -S, DocumentRoot, Alias, and rewrite target.

sudo apachectl -S

curl -I http://example.com/path

Often a .htaccess syntax error, CGI/PHP handler issue, or module directive not allowed in that context.

tail -f /var/log/apache2/error.log

apachectl configtest

Apache reached proxy handling but the upstream refused, closed, or timed out.

curl -v http://127.0.0.1:3000/

LogLevel proxy:debug

Set a global ServerName to silence the startup warning.

ServerName localhost

echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/servername.conf

Port is already bound or Listen directives conflict.

sudo ss -ltnp | grep ":80"

sudo apachectl -S

Minimal HTTP vhost for static files.

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example/public
    <Directory "/var/www/example/public">
        Require all granted
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>

TLS vhost using Let us Encrypt paths.

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example/public
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Apache fronting a local app server.

<VirtualHost *:80>
    ServerName app.example.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>

Canonical HTTPS redirect for shared hosting .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Protect a directory with htpasswd users.

<Directory "/var/www/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>