Apache is one of the most widely used web servers, and its real power comes from its modular design.
Below is a practical, example-based guide to Apache modules that are useful in real-world web development.
How to Enable/Disable Modules
# Enable a module
sudo a2enmod module_name
# Disable a module
sudo a2dismod module_name
# Restart Apache
sudo systemctl restart apache2
mod_rewrite - URL Routing & Clean URLs
ServerName example.com
RewriteEngine On
RewriteRule ^user/([0-9]+)/?$ /profile.php?id=$1 [L,QSA]
Used for clean URLs, routing logic, SEO-friendly paths, and framework rewrites.
mod_ssl - HTTPS Support
ServerName example.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
Enables TLS/SSL so the site can run securely over HTTPS.
mod_headers - Security & Cache Headers
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer"
Allows setting and modifying HTTP response headers for security and performance.
mod_expires - Browser Cache Control
ExpiresActive On
ExpiresByType text/css "access plus 7 days"
ExpiresByType image/png "access plus 1 year"
ExpiresDefault "access plus 1 hour"
Adds automatic expiration headers so browsers can cache static files.
mod_proxy and mod_proxy_http - Reverse Proxy to Apps
ServerName api.example.com
ProxyPass / http://127.0.0.1:4000/
ProxyPassReverse / http://127.0.0.1:4000/
Forwards requests to backend services like Node, Python, Docker, or another server.
mod_security - Web Application Firewall
SecRuleEngine On
Include /usr/share/modsecurity-crs/*.conf
Blocks common attacks such as SQL injection, XSS, and RCE using rule sets.
mod_status - Live Server Status Page
SetHandler server-status
Require ip 127.0.0.1
Displays live Apache metrics: active connections, workers, load, uptime.
mod_auth_basic and mod_authn_file - Simple Password Protection
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Adds quick HTTP basic authentication without touching application code.
mod_evasive - Auto-Blocking for DDoS / Brute Force
DOSHashTableSize 2048
DOSPageCount 5
DOSPageInterval 1
DOSBlockingPeriod 30
DOSEmailNotify admin@example.com
Detects repeated requests and temporarily blocks abusive traffic automatically.
Additional Useful Modules
mod_deflate or mod_brotli - Response Compression
AddOutputFilterByType DEFLATE text/html text/css application/json
BrotliCompressionQuality 6
AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript
Compresses responses to reduce bandwidth and speed up page loads.
mod_pagespeed - Auto Performance Optimizer
ModPagespeed on
ModPagespeedEnableFilters rewrite_css,sprite_images,collapse_whitespace
Automatically optimizes assets: minifies, inlines, rewrites, lazyloads, etc.
mod_geoip / mod_maxminddb - Geo-Based Rules
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv GEOIP_COUNTRY_CODE COUNTRY_DB/country/iso_code
Require all granted
Require not env GEOIP_COUNTRY_CODE=CN
Allows country-based routing, blocking, redirects, or localization.
Summary
More...
Below is a practical, example-based guide to Apache modules that are useful in real-world web development.
How to Enable/Disable Modules
# Enable a module
sudo a2enmod module_name
# Disable a module
sudo a2dismod module_name
# Restart Apache
sudo systemctl restart apache2
mod_rewrite - URL Routing & Clean URLs
ServerName example.com
RewriteEngine On
RewriteRule ^user/([0-9]+)/?$ /profile.php?id=$1 [L,QSA]
Used for clean URLs, routing logic, SEO-friendly paths, and framework rewrites.
mod_ssl - HTTPS Support
ServerName example.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
Enables TLS/SSL so the site can run securely over HTTPS.
mod_headers - Security & Cache Headers
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer"
Allows setting and modifying HTTP response headers for security and performance.
mod_expires - Browser Cache Control
ExpiresActive On
ExpiresByType text/css "access plus 7 days"
ExpiresByType image/png "access plus 1 year"
ExpiresDefault "access plus 1 hour"
Adds automatic expiration headers so browsers can cache static files.
mod_proxy and mod_proxy_http - Reverse Proxy to Apps
ServerName api.example.com
ProxyPass / http://127.0.0.1:4000/
ProxyPassReverse / http://127.0.0.1:4000/
Forwards requests to backend services like Node, Python, Docker, or another server.
mod_security - Web Application Firewall
SecRuleEngine On
Include /usr/share/modsecurity-crs/*.conf
Blocks common attacks such as SQL injection, XSS, and RCE using rule sets.
mod_status - Live Server Status Page
SetHandler server-status
Require ip 127.0.0.1
Displays live Apache metrics: active connections, workers, load, uptime.
mod_auth_basic and mod_authn_file - Simple Password Protection
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Adds quick HTTP basic authentication without touching application code.
mod_evasive - Auto-Blocking for DDoS / Brute Force
DOSHashTableSize 2048
DOSPageCount 5
DOSPageInterval 1
DOSBlockingPeriod 30
DOSEmailNotify admin@example.com
Detects repeated requests and temporarily blocks abusive traffic automatically.
Additional Useful Modules
mod_deflate or mod_brotli - Response Compression
AddOutputFilterByType DEFLATE text/html text/css application/json
BrotliCompressionQuality 6
AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript
Compresses responses to reduce bandwidth and speed up page loads.
mod_pagespeed - Auto Performance Optimizer
ModPagespeed on
ModPagespeedEnableFilters rewrite_css,sprite_images,collapse_whitespace
Automatically optimizes assets: minifies, inlines, rewrites, lazyloads, etc.
mod_geoip / mod_maxminddb - Geo-Based Rules
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv GEOIP_COUNTRY_CODE COUNTRY_DB/country/iso_code
Require all granted
Require not env GEOIP_COUNTRY_CODE=CN
Allows country-based routing, blocking, redirects, or localization.
Summary
| mod_rewrite | URL routing, clean URLs, SEO-friendly rewrites |
| mod_ssl | Enables HTTPS/TLS encryption |
| mod_headers | Sets custom security and cache headers |
| mod_expires | Controls browser caching for static files |
| mod_proxy | Reverse proxy to backend apps/services |
| mod_security | Web Application Firewall (WAF) |
| mod_status | Live server metrics/status page |
| mod_auth_basic | Simple HTTP basic authentication |
| mod_evasive | Auto-blocking for DDoS / brute force requests |
| mod_deflate / brotli | Response compression for faster load times |
| mod_pagespeed | Automatic asset optimization (minify, inline etc.) |
| mod_geoip / maxminddb | Geo-based routing, blocking, or localization |
More...