Apache VirtualHost Generator

Apache VirtualHost in depth: HTTPS, mod_rewrite, .htaccess, MPMs, and modules

An Apache <VirtualHost> block describes a single site served by the httpd process: which address and port it binds, the document root, log files, optional TLS settings, and per-directory permissions. A single Apache instance can serve hundreds of unrelated domains by name-based virtual hosting, switching context based on the request's Host header (or SNI on HTTPS). Despite the rise of nginx, Apache remains the most deployed web server on shared hosting and inside enterprises because of its module ecosystem and the per-directory flexibility of .htaccess.

This generator emits a minimal but production-shaped block; the sections below cover the syntax in detail, how to add HTTPS with Let's Encrypt, rewrite rules, the trade-offs of .htaccess, the three main MPMs (prefork/worker/event), useful modules, file conventions per distribution, and how Apache compares with nginx.

Basic syntax

<VirtualHost *:80>
  ServerName  example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com/public

  ErrorLog  ${APACHE_LOG_DIR}/example.com_error.log
  CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined

  <Directory /var/www/example.com/public>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

ServerName is the canonical host; ServerAlias adds extra names. AllowOverride All lets per-directory .htaccess files override settings; restrict it to specific directives in production for performance. Require all granted is the Apache 2.4 replacement for the older Order allow,deny / Allow from all.

HTTPS with Let's Encrypt

<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com/public

  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLProtocol -all +TLSv1.2 +TLSv1.3

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Run sudo certbot --apache -d example.com -d www.example.com to provision the certificate; certbot will edit the VirtualHost and install a renewal timer.

mod_rewrite: force HTTPS and pretty URLs

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Front controller (PHP frameworks)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]

[L] stops processing further rules in the same pass; [R=301] issues a permanent redirect. Test rewrites against the staging server because mistakes can produce infinite loops that mod_rewrite eventually breaks with a 500.

.htaccess vs central config

.htaccess files apply directives per directory and are read on every request by every parent directory up to DocumentRoot. They are convenient on shared hosting where the user cannot edit the main config, but they cost performance: each filesystem walk costs a stat syscall. In your own server you should set AllowOverride None globally and inline the rules inside <Directory> in the main config. The directives accepted depend on the AllowOverride classes: AuthConfig, FileInfo, Indexes, Limit, Options.

MPMs: prefork, worker, event

• prefork — one process per request, no threads. Required by the legacy mod_php because PHP is not thread-safe. Slowest and heaviest on memory.
• worker — multi-threaded, fewer processes. Roughly 2-4x more concurrent connections per GB of RAM than prefork.
• event — default since 2.4; same as worker plus dedicated threads for idle keep-alive connections. The best choice unless a specific module forces prefork.

For PHP, run php-fpm through mod_proxy_fcgi instead of mod_php — you get the event MPM and the same isolation as nginx + PHP-FPM.

Useful modules

• mod_rewrite — URL rewriting and conditional redirects.
• mod_ssl — TLS termination.
• mod_headers — set, append, or remove response headers (HSTS, CSP, CORS).
• mod_proxy, mod_proxy_http, mod_proxy_balancer — reverse proxy and load balancing.
• mod_security — Web Application Firewall (WAF) with the OWASP Core Rule Set.
• mod_status, mod_cache, mod_deflate — observability, response caching, and gzip compression.

File layout and reload

On Debian and Ubuntu, place each VirtualHost in /etc/apache2/sites-available/<name>.conf and enable it with sudo a2ensite <name> (which creates a symlink in sites-enabled). On RHEL, Fedora, and Alpine, files live directly in /etc/httpd/conf.d/. Always test before reloading:

sudo apachectl configtest          # equivalent to apache2ctl -t
sudo systemctl reload apache2      # Debian/Ubuntu
sudo systemctl reload httpd        # RHEL/Fedora

FAQ

Does .htaccess hurt performance? Yes — every request triggers a per-directory lookup. Disable it in production with AllowOverride None on the main DocumentRoot; on shared hosting where you cannot edit the main config, keep it.

How do I get HTTPS quickly? Apache 2.4 plus Let's Encrypt: sudo apt install certbot python3-certbot-apache then sudo certbot --apache. It edits the VirtualHost and installs a 90-day cert with automatic renewal.

Does Apache support HTTP/2? Yes, since 2.4.17 via mod_http2. Add Protocols h2 http/1.1 to the HTTPS VirtualHost. HTTP/3 (QUIC) is still experimental as of 2.4.x — most teams put nginx or a CDN in front for QUIC.

Apache vs nginx? Apache excels at per-directory configurability and module richness (especially mod_security for WAF). nginx wins on raw concurrency and static-file throughput. A hybrid where nginx terminates TLS and proxies to Apache is common.

My VirtualHost is ignored — why? The first block in the first config file is the implicit default. Make sure Listen 80 matches the *:80 in your block, that NameVirtualHost is not duplicating the directive (legacy, removed in 2.4), and that ServerName matches the Host header you are sending.