Apache HTTP Server¶
What Is It?¶
Apache HTTPD is one of the most widely used web servers. It supports virtual hosting, reverse proxying, modular extensions (mod_ssl, mod_security, mod_proxy), and extensive logging. Configuration is split across multiple files for modularity.
Installation¶
dnf install httpd mod_ssl
Key Files and Directories¶
| Path | Purpose |
|---|---|
| /etc/httpd/conf/httpd.conf | Main configuration |
| /etc/httpd/conf.d/*.conf | Virtual host and module configs |
| /etc/httpd/conf.modules.d/ | Module loading |
| /var/log/httpd/ | Access and error logs |
| /var/www/html/ | Default document root |
Default Ports¶
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP — unencrypted web traffic |
| 443 | TCP | HTTPS — TLS-encrypted web traffic (requires mod_ssl) |
| 8080 | TCP | Common alternative HTTP port |
| 8443 | TCP | Common alternative HTTPS port |
Configuration¶
Apache uses a modular configuration approach. Instead of a single monolithic file, settings are distributed across multiple files and directories:
/etc/httpd/conf/httpd.conf— primary configuration (global settings)/etc/httpd/conf.d/*.conf— supplementary configs loaded automatically (virtual hosts, modules)/etc/httpd/conf.modules.d/*.conf— module loading directives
Files in conf.d/ are processed in alphabetical order. Later directives override earlier ones for the same scope. This means you can add functionality by dropping a new .conf file in the directory and remove it by renaming the extension (e.g. .conf.disabled).
Minimal Working Configuration¶
A basic name-based virtual host configuration (/etc/httpd/conf.d/www.example.conf):
<VirtualHost *:80>
ServerName example.sysadm.ee
DocumentRoot /var/www/html/example/public_html
LogLevel warn
ErrorLog /var/log/httpd/www-error.log
CustomLog /var/log/httpd/www-access.log combined
</VirtualHost>
A reverse proxy virtual host (/etc/httpd/conf.d/proxy.conf):
<VirtualHost *:80>
ServerName app.example.sysadm.ee
ErrorLog /var/log/httpd/proxy-error_log
CustomLog /var/log/httpd/proxy-access_log common
ProxyPreserveHost On
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
</VirtualHost>
A WordPress virtual host follows the same pattern but points DocumentRoot at the WordPress installation directory (e.g. /var/www/html/wordpress).
Important Directives¶
ServerName- The fully-qualified domain name for this virtual host (e.g.
example.sysadm.ee). The web server uses this to match incoming requests to the correct virtual host based on theHostheader. DocumentRoot- The directory from which Apache serves files for this virtual host.
ErrorLog/CustomLog- Per-virtual-host log files. Keeping separate logs per site simplifies troubleshooting.
LogLevel- Verbosity of error logging. Values:
debug,info,notice,warn,error,crit,alert,emerg. Usedebugduring setup,warnin production. ProxyPass/ProxyPassReverse- Forward requests to a backend application server (reverse proxy).
ProxyPassReverserewrites response headers so redirects work correctly. ProxyPreserveHost On- Passes the original
Hostheader to the backend, so the application sees the real hostname. Include/IncludeOptional- Load additional configuration files.
IncludeOptionaldoes not error if no files match the pattern.
Common Commands¶
# Install Apache
sudo dnf install httpd mod_ssl
# Start and enable
systemctl start httpd
systemctl enable httpd
# Test configuration syntax
apachectl configtest
# Restart (interrupts connections)
systemctl restart httpd
# Graceful restart (no connection interruption)
apachectl graceful
# List loaded modules
httpd -M
# Check which virtual hosts are configured
httpd -S
Logging and Debugging¶
Standard logs in /var/log/httpd/:
access_log/<vhost>-access.log— all HTTP requests (client IP, method, path, status code, user agent)error_log/<vhost>-error.log— errors, warnings, and startup messages
Forensic logging (mod_log_forensic) provides detailed per-request logging including complete HTTP headers and unique request IDs:
# In httpd.conf:
LoadModule log_forensic_module modules/mod_log_forensic.so
# In virtual host:
ForensicLog /var/log/httpd/www-forensic.log
Forensic logs use pre-request (+) and post-request (-) entries with a unique ID, allowing you to identify incomplete requests.
PHP logs — when running PHP applications (e.g. WordPress), consolidate PHP-FPM logs to /var/log/httpd/ by editing the error_log directive in /etc/php-fpm.conf and /etc/php-fpm.d/www.conf.
Troubleshooting checklist:
apachectl configtest— check for syntax errorsjournalctl -u httpd— systemd journal- Virtual host error logs — application-specific errors
httpd -S— verify virtual host routingss -tulpn | grep :80— confirm Apache is listening
Security Considerations¶
- SELinux: Apache runs in a confined context. Use
setsebool -P httpd_can_network_connect=1to allow proxy connections. Usechcon -t httpd_sys_rw_content_ton directories requiring write access (e.g. WordPress uploads). - ModSecurity (WAF): Install
mod_securityto filter malicious requests. Use the OWASP Core Rule Set for broad protection. Custom rules go in/etc/httpd/modsecurity.d/local_rules/. - Disable unnecessary modules: Each loaded module increases attack surface. Only enable what you need.
- File permissions: Web content should be owned by
apache:apache. The web server should not have write access to its own document root unless explicitly required. - Firewall: Open port 80 (HTTP) and 443 (HTTPS) in both
firewalldand cloud security groups. - Virtual host isolation: Use separate log files, document roots, and configurations per site.
apachectl configtestbefore reload: Always validate configuration syntax before restarting to avoid downtime.
Further Reading¶
- Apache HTTP Server Documentation
- Apache Virtual Host Documentation
- Red Hat — Apache Configuration Guide
- ModSecurity Reference Manual
Related Documentation¶
- Concepts: HTTP, Virtual Hosting, Reverse Proxy
- SOPs: Web Server Management