Apache Is A Swiss Army Knife

There are tools that are extremely useful and once configured properly will last a long time with little or no maintenance required at all. Web servers are a common example of tools that come to my mind that can be a swiss-army knife and serve a lot of purposes.

Whether you choose Apache, Nginx or IIS, just to pick some of the most famous ones, it’s very important to know at least most of the features that they offer. So it’s very important to get familiar with at least one of them, reading the documentation and start experimenting a bit.

I will summarise that I chose to use apache mainly for the longevity and popularity if you work as a developer or system administrator digging deeper on this tool or simply starting to use it will give you more work opportunities because there are millions of websites which depend on it.

Documentation

Let’s starts from the beginning: https://httpd.apache.org/docs/2.4/ 
Needless to say, that’s the starting point. You can’t avoid to read it and you can’t guess how to configure it properly.

I’ve picked some features that until a few years ago I didn’t properly understand or I simply didn’t spend enough time on it to see the overall potential benefits. I will list some of the ones that are most relevant and I will highlight some of my absolute favourite modules.

SSL/TLS Encryption

Configuring Apache as Reverse Proxy and doing the SSL termination is a common task, but starting with simply configuring the encryption is a good place to start.

The documentation is full of examples, but this tool will help you to generate it automatically (not just for apache):  https://ssl-config.mozilla.org/

Some companies or organizations prefer to purchase their certificates for their websites, others find that the open CA of let’s encrypt is perfectly sufficient for their needs. So regardless of the certificate and the CA that you will choose, the SSL configuration is not hard.

CertBot

Let’s Encrypt CA has a protocol called ACME that verifies before provisioning and issuing a new certificate that you control that specific domain. One simple way to automate the provisioning of the certificate is using a tool called certbot , that will take care of the renewal of the certificate if properly configured. Digital Ocean has a good  step-by-step installation guide for apache.

Reverse Proxy

Implementing a Reverse Proxy can be required by the design of your network or simply by your application, what you end up doing is protecting your precious services from the direct internet. So ideally a reverse proxy can be behind a firewall on a DMZ/Perimeter Network and isolated, so even if compromised the damage is limited.
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

Load Balancer

If the concept of balancing the load is self-explanatory the number of problems that implementing a load balancer can solve is not so obvious. The stickiness configuration, the failover or simply the balance-manager functionality of taking one of the servers out for an update or a separate deployment with a small amount of the web traffic for a blue-green deployment is can be a game-changer in a lot of scenarios. https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html

LDAP

https://httpd.apache.org/docs/2.4/mod/mod_ldap.html

WebDav

https://httpd.apache.org/docs/2.4/mod/mod_dav.html

Authorization and Authentication

https://httpd.apache.org/docs/current/howto/auth.html

Geo IP

Blacklisting or Whitelisting by IP is maybe not a feature that you are looking to deploy on day 1, but restricting the scope of your application by a defined number of countries of your audience is maybe extremely useful, or even redirecting the country to a different site for language or redirecting it to a different datacenter or region.

https://dev.maxmind.com/geoip/legacy/mod_geoip2/

Monitoring Apache

https://www.techrepublic.com/article/how-to-configure-monitor-and-manage-apache-with-apachegui/

How to Monitor Apache Web Server Load and Page Statistics

Security and Hardening

Security is a moving target. The security fundamentals are identifying the risks and mitigate them whenever is possible. https://www.cvedetails.com/vulnerability-list/vendor_id-45/Apache.html

Apache Security Hardening Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.