How to Install and Secure Apache with HTTPS
Apache HTTP Server is a mature, widely used web server. This guide installs it on Ubuntu 24.04, opens the firewall, suppresses the version signature, secures it with a free Let's Encrypt certificate and automatic renewal, and adds baseline security headers with an HTTP to HTTPS redirect.
Install Apache
Install from the Ubuntu repository and confirm the service is active.
sudo apt update
sudo apt install -y apache2
sudo systemctl enable --now apache2
systemctl status apache2 --no-pager   # verify it is active (running)
Open the Firewall for Web Traffic
Allow HTTP and HTTPS through UFW. Ensure SSH is already allowed first.
sudo ufw allow 'Apache Full'   # opens both 80 (HTTP) and 443 (HTTPS)
sudo ufw status
Create a Virtual Host
Define a virtual host for your site and enable it.
sudo nano /etc/apache2/sites-available/yourdomain.com.conf
# add your <VirtualHost> with ServerName and DocumentRoot
sudo a2ensite yourdomain.com.conf
Suppress the Version Signature
By default Apache reveals its version and OS in headers and error pages. Restrict that to the bare product name and disable the signature.
sudo nano /etc/apache2/conf-available/security.conf
# Set:
# report only 'Apache', not the version or OS
ServerTokens Prod
# remove the version line from generated error pages
ServerSignature Off
# Apply:
sudo systemctl reload apache2
Enable Headers and Add Security Headers
Turn on mod_headers, then add baseline headers inside your virtual host to reduce clickjacking, MIME-sniffing, and referrer leakage.
sudo a2enmod headers
# Inside your <VirtualHost> block in /etc/apache2/sites-available/yourdomain.com.conf:
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Test, Then Issue a Free TLS Certificate
Validate the config, reload, then let certbot obtain a certificate and configure HTTPS plus an automatic HTTP to HTTPS redirect.
sudo apache2ctl configtest && sudo systemctl reload apache2   # never reload a broken config
sudo apt install -y certbot python3-certbot-apache
# --redirect adds the 301 from HTTP to HTTPS automatically
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com --redirect
Verify Automatic Renewal
Certbot installs a systemd timer to renew certificates before expiry. Confirm a dry run succeeds.
sudo certbot renew --dry-run   # simulate a renewal end-to-end
systemctl list-timers | grep certbot   # confirm the renewal timer is scheduled
Apache is installed, firewalled, no longer advertising its version, and serving only HTTPS with security headers and a working auto-renewing certificate. Run apache2ctl configtest after every change and keep the package patched.
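The end state described above can be checked from the response headers themselves. The script below is an added example, not part of the original guide; the helper names (hdr, expect, audit_https, audit_redirect) and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (helper names are illustrative): audit `curl -sI` output against this guide.
# hdr NAME: print the value of the first header NAME (case-insensitive) in $HDRS.
hdr() {
    printf '%s\n' "$HDRS" | awk -v n="$1" '
        BEGIN { n = tolower(n) ":" }
        tolower(substr($0, 1, length(n))) == n {
            v = substr($0, length(n) + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# expect NAME VALUE: exact value compare; count a failure on mismatch or absence.
expect() {
    got=$(hdr "$1")
    if [ "$got" = "$2" ]; then echo "ok    $1: $got"
    else echo "FAIL  $1: want '$2', got '${got:-<absent>}'"; FAILS=$((FAILS + 1)); fi
}

# audit_https: response headers on stdin; returns 0 only if every check passes.
audit_https() {
    HDRS=$(tr -d '\r'); FAILS=0
    expect Server "Apache"                  # ServerTokens Prod: no version or OS
    expect X-Content-Type-Options "nosniff"
    expect X-Frame-Options "SAMEORIGIN"
    expect Referrer-Policy "strict-origin-when-cross-origin"
    [ "$FAILS" -eq 0 ]
}

# audit_redirect: port-80 response on stdin; must be a 301 to an https:// URL.
audit_redirect() {
    HDRS=$(tr -d '\r'); code=$(printf '%s\n' "$HDRS" | awk 'NR == 1 { print $2 }')
    case "$code:$(hdr Location)" in
        301:https://*) echo "ok    301 -> $(hdr Location)" ;;
        *) echo "FAIL  want 301 to https://, got '$code' '$(hdr Location)'"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin'
SAMPLE_BAD='HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
X-Content-Type-Options: nosniff'
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/'

printf '%s\n' "$SAMPLE_BAD" | audit_https || echo "=> hardening incomplete"
```

Against a live site, pipe `curl -sI https://yourdomain.com` into `audit_https` and `curl -sI http://yourdomain.com` into `audit_redirect`.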