There are tools that are extremely useful and once configured properly will last a long time with little or no maintenance required at all. Web servers are a common example of tools that come to my mind that can be a swiss-army knife and serve a lot of purposes.
Whether you choose Apache, Nginx or IIS, just to pick some of the most famous ones, it’s very important to know at least most of the features that they offer. So it’s very important to get familiar with at least one of them, reading the documentation and start experimenting a bit.
I will summarise that I chose to use apache mainly for the longevity and popularity if you work as a developer or system administrator digging deeper on this tool or simply starting to use it will give you more work opportunities because there are millions of websites which depend on it.
Table of Contents
Documentation
Let’s starts from the beginning: https://httpd.apache.org/docs/2.4/
Needless to say, that’s the starting point. You can’t avoid to read it and you can’t guess how to configure it properly.
I’ve picked some features that until a few years ago I didn’t properly understand or I simply didn’t spend enough time on it to see the overall potential benefits. I will list some of the ones that are most relevant and I will highlight some of my absolute favourite modules.
SSL/TLS Encryption
Configuring Apache as Reverse Proxy and doing the SSL termination is a common task, but starting with simply configuring the encryption is a good place to start.
The documentation is full of examples, but this tool will help you to generate it automatically (not just for apache): https://ssl-config.mozilla.org/
Some companies or organizations prefer to purchase their certificates for their websites, others find that the open CA of let’s encrypt is perfectly sufficient for their needs. So regardless of the certificate and the CA that you will choose, the SSL configuration is not hard.
CertBot
Let’s Encrypt CA has a protocol called ACME that verifies before provisioning and issuing a new certificate that you control that specific domain. One simple way to automate the provisioning of the certificate is using a tool called certbot , that will take care of the renewal of the certificate if properly configured. Digital Ocean has a good step-by-step installation guide for apache.
Reverse Proxy
Implementing a Reverse Proxy can be required by the design of your network or simply by your application, what you end up doing is protecting your precious services from the direct internet. So ideally a reverse proxy can be behind a firewall on a DMZ/Perimeter Network and isolated, so even if compromised the damage is limited.
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
Load Balancer
If the concept of balancing the load is self-explanatory the number of problems that implementing a load balancer can solve is not so obvious. The stickiness configuration, the failover or simply the balance-manager functionality of taking one of the servers out for an update or a separate deployment with a small amount of the web traffic for a blue-green deployment is can be a game-changer in a lot of scenarios. https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html
LDAP
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
WebDav
https://httpd.apache.org/docs/2.4/mod/mod_dav.html
Authorization and Authentication
https://httpd.apache.org/docs/current/howto/auth.html
Geo IP
Blacklisting or Whitelisting by IP is maybe not a feature that you are looking to deploy on day 1, but restricting the scope of your application by a defined number of countries of your audience is maybe extremely useful, or even redirecting the country to a different site for language or redirecting it to a different datacenter or region.
https://dev.maxmind.com/geoip/legacy/mod_geoip2/
Monitoring Apache
https://www.techrepublic.com/article/how-to-configure-monitor-and-manage-apache-with-apachegui/
Security and Hardening
Security is a moving target. The security fundamentals are identifying the risks and mitigate them whenever is possible. https://www.cvedetails.com/vulnerability-list/vendor_id-45/Apache.html