Apache Cheat Sheet
The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0.
by lam

Misc
List VHost Precedence
apache2ctl -S

List active modules
apache2ctl -M

Rewrite on File Pattern
RewriteCond %{REQUEST_FILENAME} (.*)\.(html|htm)$

Rewrite on User Agent
RewriteCond %{HTTP_USER_AGENT} (iPhone|iPad)

Rewrite and add environment variable to request (for example pass along remote user)
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]

Since 2.0.49 Apache has an exception hook to handle crashes.
EnableExceptionHook on

htaccess doesn't work:
AllowOverride All

Environment variables via .htaccess:
SetEnv VARNAME somevalue

Authentication
Skip authentication for certain URIs
Require expr %{REQUEST_URI} =~ m#<some pattern>#

Log Rotation
Pipe CustomLog to a script:
LoadModule logio_module modules/mod_logio.so
<IfModule mod_logio.c>
CustomLog "| some-script.sh" "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
</IfModule>

Do log rotation using Apache's logrotate script:
CustomLog "|/usr/local/apache/bin/rotatelogs /var/log/access_log 86400" common

Perform log rotation with cronolog:
CustomLog "|/usr/local/sbin/cronolog /logs/%m-%d-%Y-access.log" combined

Data Privacy
Alternatives to avoid tracking users by IP:

Completely remove IPs: Replace %h in your LogFormat with "-"; this ensures all log reading tools can still parse the logs.

Truncate/replace the IPs during log rotation.

Use a piped CustomLog and replace the IP ad hoc. Here is a simple IPv4-only example with sed:
# \10 is backreference \1 (the first three octets, including the trailing dot) followed by a literal 0
CustomLog "|$/bin/sed 's/^\([^.]*\.[^.]*\.[^.]*\.\)[0-9][0-9]*\(.*\)$/\10\2/' >>logs/accesslog" truncatedip

Truncate the IP using rewrite rules: extract all but the last octet of the IP with a RewriteCond regex, save the result with the last octet set to 0 in an env variable in a RewriteRule, and finally use the env variable in the LogFormat.
# Note: also needs an IPv6 pattern
RewriteCond %{REMOTE_ADDR} ^(\d+\.\d+\.\d+\.)\d+$
# "-" leaves the URL untouched; %10 is RewriteCond backreference %1 followed by a literal 0
RewriteRule "^/.*" "-" [E=truncatedip:%10]
# mod_log_config reads environment variables with %{NAME}e
LogFormat "%{truncatedip}e %l %u %t \"%r\" %>s %b…" truncatedip

Mitigating security issues

Hide Server Name
ServerSignature Off
ServerTokens Prod

Disable SSLv2 and SSLv3
SSLProtocol all -SSLv2 -SSLv3

DH downgrade
openssl dhparam -out dhparams.pem 2048
and load it from Apache config
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

Sane Ciphers
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
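
Added example for the Data Privacy section (not part of the original cheat sheet): a piped-log filter that truncates the client address in the first log field and, unlike the IPv4-only sed line, also covers IPv6 and IPv4-mapped IPv6 clients. The script path in the CustomLog comment, the /48 prefix kept for IPv6 and the sample log lines are assumptions made for this example.

```python
#!/usr/bin/env python3
# Piped-log filter: truncates the client address (%h, first field) per line.
# Hypothetical wiring (script path is an assumption):
#   CustomLog "|/usr/local/bin/anonlog.py logs/access_log" combined
import ipaddress
import sys

KEEP_BITS = {4: 24, 6: 48}  # assumption: keep /24 for IPv4, /48 for IPv6

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LINES = [
    '203.0.113.77 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 512\n',
    '2001:db8:abcd:12:1:2:3:4 - bob [10/Oct/2024:13:55:37 +0000] "GET /a HTTP/1.1" 200 90\n',
]


def truncate_address(field):
    """Return `field` with its host bits zeroed, or "-" if it is not an IP."""
    try:
        addr = ipaddress.ip_address(field)
    except ValueError:
        return "-"  # hostname (HostnameLookups on) or junk: do not log it
    # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack listener.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    drop = addr.max_prefixlen - KEEP_BITS[addr.version]
    return str(type(addr)((int(addr) >> drop) << drop))


def anonymize_line(line):
    """Rewrite only the first space-delimited field; keep the rest intact."""
    host, sep, rest = line.rstrip("\n").partition(" ")
    return truncate_address(host) + sep + rest + "\n"


def main(path):
    # Line-buffered append so each entry is written as Apache emits it.
    with open(path, "a", buffering=1) as out:
        for line in sys.stdin:
            out.write(anonymize_line(line))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])
    else:
        sys.stdout.writelines(anonymize_line(l) for l in SAMPLE_LINES)
```

Run without arguments, it prints the two constructed sample lines with their addresses truncated.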