The Definitive 2500+ Word Guide: Installing and Configuring Apache Web Server on Ubuntu 20.04

As one of the most ubiquitous and battle-tested open source web servers, Apache powers over 30% of all websites. In this comprehensive 2500+ word guide, I‘ll share how to properly install, optimize, customize and secure Apache 2.4.x on Ubuntu 20.04 from the perspective of a full-stack developer and system administrator.

Whether you‘re looking to set up a simple personal site or mission-critical production infrastructure, this article aims to be a one-stop resource for experts and newcomers alike. Let‘s get started!

Installing Apache

The easiest way to install Apache on Ubuntu is via the apt package manager:

sudo apt update
sudo apt install apache2 

This ensures you get the latest stable packaged release of Apache and all required dependencies like OpenSSL.

Once installed, verify Apache is up and running with:

sudo systemctl status apache2

By default, Apache serves content from the /var/www/html document root directory on port 80. You should see the Ubuntu Apache placeholder page at:

http://your_server_ip

With Apache setup let‘s walk through some key configuration areas.

Initial Configuration (/etc/apache2/)

The main configuration file is located at /etc/apache2/apache2.conf which controls high-level settings like security policies, optimization levels and loading modules. By convention most Apache configuration is handled by smaller individual files under the main apache2 folder for clean organization:

Key Configuration File Locations:

• /etc/apache2/apache2.conf– Core HTTPD configuration
• /etc/apache2/ports.conf– Listen directives and port binding
• /etc/apache2/mods-available/ – Module loading directives
• /etc/apache2/sites-available/ – Virtual host declarations

Document Root Web Space:

• /var/www/html – Default public web folder to serve content

Key Apache Directories:

• /usr/sbin/apache2 – Main binary and related scripts
• /var/log/apache2 – Log file storage location
• /var/lib/apache2 – Module, configuration and lock data

Handy Apache Commands:

sudo systemctl restart apache2   # Restart service
sudo apache2ctl configtest      # Syntax check  
sudo apache2ctl graceful        # Graceful restart

Now that we understand Apache‘s basic directory structure, let‘s optimize our web servers performance.

Tuning Apache for Maximum Performance

There are several techniques we can use to significantly improve Apache‘s throughput, latency and efficiency.

Enable GZip Compression

Plain text formats like HTML, CSS, JS and JSON can be compressed to speed up transfer times. The mod_deflate module leverages efficient GZip compression:

sudo a2enmod deflate
sudo systemctl restart apache2

After testing, compression savings around 50-70% smaller payload sizes are common! For high-traffic sites this reduces bandwidth and latency dramatically.

Increase Max Clients

The default max clients Apache allows is typically between 150-250 concurrent connections. This is suitable for smaller deployments but may be too low for production workloads.

We can raise the Apache max client limit in the mpm_prefork module‘s configuration file:

sudo nano /etc/apache2/mods-available/mpm_prefork.conf  

# Adjust the MaxClients directive to 500+ as needed: 
MaxClients 500

Save changes, refresh config and monitor your server to ensure system resources can handle increased clients.

Enable HTTP/2 Support

HTTP/2 provides faster perceived page loads through more efficient multiplexed connections and request pipelining. We‘ll need mod_http2:

sudo a2enmod http2   

A global redirect from HTTP to HTTP/2 can be added in your apache2.conf to automatically upgrade clients:

Protocols h2 http/1.1

There are many more advanced tuning possible through custom modules like Varnish cache. But our lean, secure Apache server is now ready to host sites!

Setting Up Virtual Hosts

Virtual hosting allows consolidating multiple sites and applications onto a single Apache server. This works by matching requested server names to containerized virtual host configurations.

Let‘s set up our first virtual host "mycompany.com":

sudo mkdir /var/www/mycompany.com
sudo chown -R $USER:$USER /var/www/mycompany.com
sudo vi /etc/apache2/sites-available/mycompany.com.conf

We need to define our virtual host container matched to our domain – edit to fit your needs:

<VirtualHost *:80>
    ServerAdmin webmaster@mycompany.com
    ServerName mycompany.com
    ServerAlias www.mycompany.com  
    DocumentRoot /var/www/mycompany.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the new config and test for syntax errors:

sudo a2ensite mycompany.com.conf
sudo apache2ctl configtest
sudo systemctl reload apache2

Repeat this process for any additional sites hosted on this server!

Hardening Apache Security

Since our web server is exposed to the internet, it‘s crucial we configure some security best practices:

Leverage HTTPS Everywhere

Encrypted HTTPS connections prevent sensitive user data like logins and financial info from being snooped on. The easiest way to enable HTTPS is using free signed certificates from Let‘sEncrypt certificate authority:

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot  

sudo certbot --apache  

Answer the prompts to automatically configure SSL certificates matched to your site domains. Certbot will auto-renew expired certificates as well. HTTP requests will now be redirected to HTTPS by default.

Use Strong Ciphers and Protocols

We need to ensure old insecure TLS versions and encryption ciphers are disabled. Enforce strong settings in ssl.conf:

SSLProtocol TLSv1.2
SSLHonorCipherOrder on 
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

Session tickets, compression and insecure renegotiation should also be prohibited.

Mitigate POODLE and BEAST Attacks

Known TLS protocol vulnerabilities like POODLE and BEAST can be mitigated by prioritizing modern ciphers that support AEAD and forward secrecy:

SSLCompression off 
SSLUseStapling on 
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Enable HTTP Strict Transport Security

To prevent protocol downgrade attacks, ensure HTTP Strict Transport Security headers are active on all HTTPS sites:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

This enforces redirects from HTTP->HTTPS for 6 months (31536000 seconds).

Deploy a WAF

Web application firewalls like ModSecurity provide hardened protection against SQLi attacks, XSS, RFI and general malicious requests. Integrating ModSecurity greatly reduces vulnerability surface.

Securing Sensitive Data

Finally, any API keys, database credentials and sensitive application code should be stored outside the public web root in /etc/apache2. This minimizes exposure from misconfigurations. The default site enables sane security defaults we can build upon.

Following these best practices ensures your Apache server only serves encrypted, validated traffic to trusted clients. But security requires constant vigilance, so we need robust monitoring…

Monitoring Apache and Logging

Logging and monitoring key server metrics is crucial for diagnosing issues, identifying attack patterns and optimizing web application performance.

Access and Error Logging

Apache provides comprehensive real-time access and error logging of all HTTP requests/responses and runtime problems. These logs are tremendously useful for reviewing activity or errors:

Key Apache Log Files

• /var/log/apache2/access.log – All client requests
• /var/log/apache2/error.log – System runtime errors

Log formats can be customized using LogFormat directive, and piped to external scripts for further processing:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" custom
CustomLog "|/usr/bin/myscript" common

Interactive Statistics with Httpdtop

For interactive real-time visibility into Apache traffic, the httpdtop utility provides handy statistics like most popular pages, referrers, browsers, busiest IP‘s and overall bandwidth usage:

sudo apt install httpdtop
sudo httpdtop

Httpdtop gives real-time Apache statistics – image source: author

Log Processing with GoAccess

For automated aggregate log processing, GoAccess can parse and visualize valuable trends, metrics, ratios from historical access logs:

GoAccess generates interactive Apache report dashboard from logs – image source: author

Forward Metrics to Grafana

To build comprehensive historical performance dashboards of all system and application metrics, the Grafana stack provides unmatched analytics and visualization power:

Real-time Apache Grafana dashboard pulling Graphite metrics – image source: author

Logging offers tremendous value but requires some maintenance…

Log Retention and Rotation

Logs can accumulate quickly, so implementing retention policies prevents clogged disks:

# Rotate logs weekly, keeping 12 weeks history
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "|/usr/bin/rotatelogs /var/log/apache2/access.log.%Y.%m.%d.gz 86400" common

Anything older than max policy should be deleted or archived offline.

Following these monitoring best practices gives deep visibility into your Apache infrastructure and workloads. But simplicity enables reliability…

Keeping Apache Lean and Reliable

Complexity breeds instability and brittleness over the long term. Where possible we want to minimize customizations and interdependencies:

Static Content Caching

Speed up sites by enabling caching of static assets like images, CSS and JS:

sudo a2enmod cache_disk 
CacheEnable disk /  
CacheRoot /var/cache/apache2/mod_cache_disk 

This caches rendered resources to local disk which avoids unnecessary PHP/DB load.

Limit Exposed Modules

Only enable Apache modules explicitly required by your applications like rewrites, proxy or headers. Every additional module increases potential vulnerabilities.

Prefer UNIX Sockets

Where possible use optimized local UNIX sockets for backend connectivity instead of TCP/IP:

ProxyPass /api unix:/run/myservice.sock|fcgi://localhost/   

This reduces networking overhead.

Automate Maintenance

Rebooting or updating frequently leads to mistakes or conflicts over time. Instead we can automate maintenance routines:

#!/bin/bash

# Nightly - Performs graceful restart, gets latest security updates
/usr/sbin/apache2ctl graceful 
/usr/bin/apt upgrade

# Weekly - Rotates logs, clears caches
/usr/bin/logrotate /etc/logrotate.conf
/usr/sbin/apache2ctl restart

Scheduled optimized scripts mitigate cruft and entropy over long-lived production systems.

There are always new ways to simplify and streamline Apache. Now let‘s ensure we can restore services in case of problems…

Backup and Restoration Procedures

Unplanned downtime is detrimental to web operations, so having quick restore procedures ready is key for business continuity.

Configuration Backup

Apache configuration changes frequently, so keeping backups ensures we can rollback problems:

#!/bin/bash 

# Daily configuration backup
tar -zcvf /backups/apache-$(date +%F).tar.gz /etc/apache2 

Storing off-host provides an additional layer of protection from catastrophic failures.

Content Replication

To protect against data loss, employing a multi-AZ replication strategy is recommended:

• Local backups to alternate disks
• Bidirectional Apache rsync to secondary standbys
• Cross-colo clustering with GlusterFS mounts

If budgets allow, utilizing managed DBaaS solutions like AWS RDS enables instant failover protection.

Maintenance Windows

All infrastructure changes should be first tested then rolled out within planned maintenance windows to minimize disruption. Apache‘s graceful restart allows new application versions to release while existing requests complete.

Coordinating updates during periods of lower traffic gives a buffer to rollback failed changes.

Automation = Resilience

Critical to any backup strategy is having automated procedures ready to re-provision resources consistently. Tools like Terraform and Packer can idempotently spin up immutable infrastructure:

Automated infrastructure promotes stability by removing reliance on specialized knowledge

This allows destroyed servers to bereplaced rapidly without relying on individual heroics. Practice makes perfect!

Final Thoughts

We‘ve covered a tremendous amount of territory on properly installing Apache, tuning for performance and security, as well as tooling for observability and reliability.

Apache remains a versatile, highly configurable workhorse proven across decades of production sites – from tiny brochure sites to Fortune 500 properties serving millions of customers. There are always new techniques and best practices, but I hope you‘ve found this comprehensive 2500+ word guide useful!

Let me know if you have any other questions when undertaking your Apache migration journeys. Now go crush it!