The Apache HTTP Server (“httpd”) is the longest‑standing, most‑deployed open‑source web server. It emerged in 1995 as a collection of “a patchy” fixes to NCSA httpd and, by 1996, became the #1 server on the public internet. Today it is stewarded by the Apache Software Foundation and remains a reference implementation of modern HTTP standards – currently shipping in the 2.4.x branch (2.4.63, released 23 Jan 2025).

Note — Apache’s modular, portable design fostered the creation of sister projects such as Tomcat, Traffic Server, and the ubiquitous mod_* ecosystem.

2.1 Process Model

Apache is a preforking / threaded server: a single master (PID 1 in the service) spawns “worker” processes or threads according to the active MPM (Multi‑Processing Module). Each worker accepts a connection, parses the request headers, runs it through configured hooks (URI mapping, auth, filters), and writes the response back to the client before becoming idle again.

2.2 Hook Phases

1. DNS lookup (optional)
2. URI translation
3. Access control & authentication
4. Filtering (Input → Content‑GEN → Output)
5. Logging & connection cleanup

MPMs are drop‑in replacements that dictate how Apache binds TCP sockets and creates processes / threads. They are selected at build‑time (or as DSOs on some distributions) with --with‑mpm=event.

MPM	Model	Best Use Case	Notes
prefork	Process‑per‑request (1 proc = 1 connection)	Legacy, non‑thread‑safe libraries (e.g., PHP with unsafe extensions)	Higher RAM footprint, rock‑solid stability.
worker	Process pool, many threads	General‑purpose HTTP/1 workloads	Balances memory use versus concurrency.
event	Worker threads + listener threads (keep‑alives handled asynchronously)	High‑traffic sites, HTTP/2	Default on many Linux distros since 2.4; scales idle keep‑alive connections far better than worker.

4.1 Main Config Hierarchy

# /etc/httpd/conf/httpd.conf (on RHEL) or /etc/apache2/apache2.conf (on Debian)
# Modular snippets in conf.d/, sites‑available/, mods‑enabled/…
Include conf.modules.d/*.conf
IncludeOptional sites-enabled/*.conf
		

4.2 Key Directives

• ServerRoot – absolute path to runtime files
• Listen 80 – IP/port bindings
• <Directory> / <Location> – path/URL scope rules
• LoadModule – dynamically load DSOs
• Include – pull in extra config trees

Note — Directive order matters! Apache evaluates the most specific block first, then falls back to broader matches.

5.1 Security & TLS

mod_ssl integrates OpenSSL 3.x to provide TLS 1.3, OCSP Stapling, ALPN (HTTP/2 negotiation), and modern cipher‑suite selection.

5.2 URL Manipulation

mod_rewrite uses PCRE to translate or redirect incoming URIs. Common uses include SEO‑friendly slugs, HTTPS redirects, and reverse proxy routing via the [P] flag.

5.3 Proxy & Load Balancing

The composite mod_proxy family (mod_proxy_http, _ajp, _fcgi, _ws, _balancer) enables forward and reverse HTTP/S, AJP and FastCGI proxying, plus health‑checked, sticky load‑balancing.

6.1 Name‑Based vHosts

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
		

6.2 IP‑Based & SNI

TLS vhosts rely on SNI (Server Name Indication) so multiple certificates can co‑exist on one IPv4 address. Define one <VirtualHost *:443> per cert / domain, then reference the appropriate SSLCertificateFile.

• Run httpd as a low‑privilege Unix user (User apache / www‑data).
• Set file permissions: only root writes configs, workers are read‑only.
• Disable Indexes unless directory listing is intentional.
• Use mod_security (OWASP Core Rule Set) for WAF‑style filtering.
• Patch promptly — follow ASF advisories. Current branch 2.4.63 is a security release.

• MPM event + HTTP/2 (mod_http2) for multiplexed streams.
• Enable mod_deflate / mod_brotli for compression.
• Cache static assets with mod_cache + mod_cache_disk.
• Tune KeepAliveTimeout (≤ 5 s) and MaxRequestWorkers to avoid thread starvation.

ErrorLog       /var/log/httpd/error.log
LogLevel       warn
CustomLog      /var/log/httpd/access.log combined
		

Combine with mod_status at /server-status, aggregate to Prometheus via apache_exporter, or tail logs into the ELK / OpenSearch stack.

• OpenSSL 3.3.x baseline "safe curves" cipher presets.
• HTTP/2 h2c upgrade path now defaults to ALPN‑only to mitigate cross‑protocol attacks.
• New directive H2OutputBuffer for fine‑grained flow‑control.
• core: ServerSignature default off in hardened build profile.
• mod_proxy_balancer adds consistent hashing scheduler.

Note — See the official announcement for full change‑log and CVE matrix.

# Graceful restart (without dropping connections)
$ sudo apachectl graceful

# Runtime config test
$ sudo apachectl configtest

# View compiled‑in modules & MPM
$ httpd -M

# Systemd (modern Linux)
$ sudo systemctl reload httpd