List of Apache modules

The List of Apache modules encompasses the standardized collection of loadable extensions available for the Apache HTTP Server, an open-source web server software that extends its core capabilities through modular architecture to handle diverse functionalities such as authentication, caching, proxying, content negotiation, and resource management.^[1] In the official Apache HTTP Server version 2.4 distribution, there are 108 such modules, which are dynamically loadable via the mod_so module and organized into core features, multi-processing modules (MPMs) for server process management, and an alphabetical listing of additional specialized components.^[1] These modules form the backbone of Apache's extensibility, allowing administrators to customize the server for specific needs without altering the core codebase; for instance, the core module provides essential server directives and features that are always active, while MPMs like prefork (a non-threaded, pre-forking model for handling requests) and worker (a hybrid multi-threaded, multi-process approach) determine how the server manages concurrent connections and resources.^[2][3][4] Other notable modules include mod_proxy for reverse proxy and gateway capabilities, mod_ssl for secure communications via SSL/TLS, and mod_rewrite for URL manipulation and redirection rules.^[1] Beyond the core distribution, the Apache HTTP Server Project maintains a smaller set of supplementary modules not included by default, such as mod_fcgid for efficient FastCGI handling to improve dynamic content performance (e.g., PHP scripting) and experimental ones like mod_ftp for FTP protocol support, though many remain in beta or unreleased states and require separate compilation or installation.^[5] Third-party modules, developed by the broader community, further expand possibilities but are not officially cataloged by Apache, often discoverable through repositories like GitHub.^[5] This modular design has been pivotal to Apache's widespread adoption since its inception, enabling it to serve as a flexible foundation for web hosting, content delivery, and enterprise applications.

Official Modules

Core Features and Multi-Processing Modules

The core module in the Apache HTTP Server provides the foundational features that are always enabled, handling essential server configuration, request processing, and basic operational directives. It manages listener sockets for incoming connections, routes requests to appropriate handlers, and enforces core directives such as ServerRoot, which specifies the base directory for server files like configuration and logs (default: /usr/local/apache2), and Listen, which defines the IP addresses and ports on which the server accepts requests (default: port 80 on all interfaces).^[6] Additional key directives include DocumentRoot for the primary directory serving web content and ErrorLog for recording server errors, ensuring reliable initialization and runtime behavior across all Apache installations.^[6] Multi-Processing Modules (MPMs) extend the core module by implementing the server's process and thread management, introduced in Apache 2.0 to enhance modularity and platform adaptability.^[7] These modules bind to network ports, accept requests, and dispatch them to child processes or threads, with only one MPM (excluding the core) loadable at a time to prevent conflicts; attempting multiple results in a startup failure.^[7] The mpm_common module supplies shared directives across MPMs, such as MaxRequestWorkers, which caps the total number of simultaneous requests (default varies by MPM, e.g., 256 for prefork), and ServerLimit, which sets the maximum number of server processes (up to 20,000 for some MPMs, influencing memory allocation and scalability).^[8] The Event MPM employs an asynchronous, event-based model optimized for high concurrency, particularly with keep-alive connections, by dedicating listener threads to monitor idle sockets while worker threads handle active requests.^[9] It leverages platform-specific polling mechanisms like epoll on Linux for efficiency, inheriting directives from the Worker MPM but adding AsyncRequestWorkerFactor to tune concurrent connections per process (default: 2), making it suitable for modern, high-traffic environments.^[9] The MPM Netware is tailored for the Novell NetWare operating system, using a process-based model with thread support to manage requests in a lightweight, platform-optimized manner.^[7] It shares common MPM directives like MaxRequestWorkers and focuses on NetWare's native threading for efficient resource handling on that legacy platform.^[8] The MPMT OS/2 implements a threaded processing model specifically for the OS/2 operating system, enabling multiple threads within processes to serve requests while adhering to OS/2's threading constraints.^[7] It utilizes shared directives such as ServerLimit to control process scaling, providing compatibility and performance on this specialized environment.^[8] The Prefork MPM, the default for Unix-like systems without threading support, creates a dedicated process for each incoming connection, mimicking the Apache 1.3 model for stability in non-thread-safe module environments.^[7] It relies on directives like MaxRequestWorkers to limit concurrent processes, prioritizing isolation over resource efficiency to avoid thread-related crashes.^[8] The MPM WinNT, default on Windows, adopts a threaded model integrated with the operating system's I/O completion ports for asynchronous network operations, allowing efficient handling of multiple connections per process.^[7] Key directives include MaxRequestWorkers to bound thread usage, optimizing for Windows' native networking stack without requiring external libraries.^[8] The Worker MPM offers a hybrid approach for Unix systems with threading, spawning multiple child processes each with a fixed number of threads to balance scalability and stability.^[7] It uses directives like ThreadsPerChild (default: 25) alongside MaxRequestWorkers to manage overall capacity, providing better performance than prefork for threaded applications while conserving resources compared to pure process models.^[8]

Authentication and Authorization Modules

Authentication and authorization modules in the Apache HTTP Server enable the verification of user identities and the enforcement of access rules based on credentials, hosts, or other criteria, forming a critical layer for securing web resources after initial request processing by core modules. These modules operate within a modular, provider-based framework introduced in Apache 2.4, which separates authentication (verifying who the user is) from authorization (determining what the user can access), allowing flexible combinations of providers for different needs. This architecture replaced the more rigid approach of Apache 2.2, where authentication and authorization were tightly coupled, leading to the deprecation of several legacy directives and modules.^[10][11] Core authentication and authorization logic is provided by mod_authn_core and mod_authz_core, which select providers and evaluate access rules using directives like <RequireAll>, <RequireAny>, and <RequireNone> for complex conditions. These modules must be loaded for the system to function, handling the foundational directives that integrate with other providers. Authentication providers verify credentials against various backends, such as files or databases, while authorization modules apply rules post-authentication. For performance, mod_authn_socache caches successful authentication results in shared memory or other backends, reducing repeated lookups for providers like database or LDAP, with configurable timeouts and contexts to balance security and efficiency.^[12][13][14] Basic and digest authentication methods are implemented by mod_auth_basic and mod_auth_digest, respectively. mod_auth_basic uses HTTP Basic authentication, prompting users for a username and password that are base64-encoded and sent with each request, typically verified against flat files created with htpasswd; it requires SSL/TLS for security due to the lack of encryption. In contrast, mod_auth_digest employs HTTP Digest authentication per RFC 2617, hashing credentials to avoid plaintext transmission, though it still benefits from encryption and uses htdigest for password files. For anonymous access, mod_authn_anon allows unauthenticated users to log in with predefined IDs like "anonymous" and an email as a password, enabling tracking without full credentials, often paired with Basic authentication.^[15][16][17] File-based authentication is handled by mod_authn_file, which authenticates users against plaintext password files containing usernames and hashed passwords, suitable for small-scale setups but inefficient for large user bases due to sequential reads; files must be stored outside the document root for security. mod_authn_dbm extends this to DBM databases for faster lookups in high-volume environments, supporting types like SDBM or GDBM. Database-driven options include mod_authn_dbd, which queries SQL databases via mod_dbd for user validation, and mod_authz_dbd for group-based authorization, using SQL statements to check memberships or update login states.^[18][19][20] For modern web applications, mod_auth_form, introduced in Apache 2.3, supports form-based login with customizable HTML pages, session storage via mod_session, and redirects for failed attempts or logout, integrating with providers like mod_authn_file for credential checks. External integrations are facilitated by mod_authnz_fcgi, available since 2.4.10, which delegates authentication and authorization to FastCGI applications for custom logic, and mod_authnz_ldap, which authenticates and authorizes against LDAP directories using URLs and group queries.^[21][22] Authorization modules focus on post-authentication controls. mod_authz_host restricts access by IP address, hostname, or environment variables using Require ip or Require host, serving as the primary replacement for legacy access controls in 2.4. mod_authz_user allows or denies based on specific usernames with Require user or grants to any valid user via Require valid-user. Group-based rules are provided by mod_authz_groupfile, using plaintext files formatted as group: user1 user2 with Require group, and mod_authz_dbm for DBM equivalents with Require dbm-group. mod_authz_owner checks if the authenticated user matches the file's owner or group via the filesystem, useful for user-specific directories.^{[23][24][25][26][27]} To support upgrades from Apache 2.2, mod_access_compat provides backward compatibility for deprecated directives like Order, Allow, and Deny, though mixing with new Require syntax is not recommended, encouraging migration to 2.4's unified providers for better modularity and expressiveness.^[28][11]

Caching Modules

Caching modules in the Apache HTTP Server enable the storage and retrieval of frequently accessed content to reduce server load and improve response times for clients. These modules implement HTTP caching semantics as defined in RFC 2616, allowing servers to cache responses from local handlers or proxies based on headers such as Cache-Control, Expires, and Vary. By honoring these headers, the modules ensure compliance with web standards while providing configurable options for cache control.^[29] The core module, mod_cache, serves as the foundational HTTP caching filter introduced in Apache HTTP Server version 2.2. It acts as a content cache keyed to URIs, supporting the caching of both local and proxied responses, including those with content negotiation via the Vary header. Key directives include CacheRoot, which specifies the root directory for cache storage, and CacheDisable, which allows administrators to exclude specific URLs from caching to prevent unintended storage of sensitive or dynamic content. mod_cache processes standard HTTP caching directives like Cache-Control to determine cacheability, freshness, and validation rules, enabling conditional requests that minimize unnecessary data transfers. For persistent storage, mod_cache_disk provides a disk-based backend for mod_cache, available since Apache 2.2 as the successor to the earlier mod_disk_cache. It stores response headers and bodies separately in a hierarchical directory structure under the CacheRoot path, using an MD5 hash of the request URL for organization.^[30] This module supports caching of full responses but not partial content, with configurable limits such as CacheMaxFileSize (default 1,000,000 bytes) to manage disk usage and performance.^[30] Administrators can use the htcacheclean utility alongside it to periodically prune the cache and maintain storage efficiency. In contrast, mod_cache_socache offers an in-memory shared object caching provider, introduced in Apache HTTP Server version 2.4.5 to enable faster access times compared to disk-based alternatives. It stores headers and bodies under a single key derived from the URL in a shared memory segment, supporting multiple content-negotiated variants and integrating with socache providers like shmcb for multi-process environments. This module is particularly suited for high-throughput scenarios where low-latency retrieval is critical, though it may be combined with mod_cache_disk for handling larger responses that exceed memory limits. These caching modules can be used alongside compression modules to store and serve pre-compressed cached content, further optimizing bandwidth usage.^[29]

CGI and Execution Modules

The CGI and Execution Modules in the Apache HTTP Server facilitate the generation of dynamic web content by executing external scripts and programs in response to client requests. These modules support the Common Gateway Interface (CGI), a standard protocol introduced in 1993 that allows web servers to interface with external applications for processing HTTP requests and producing dynamic outputs.^[31] By invoking scripts as separate processes or through optimized daemons, they enable server-side execution of code in languages like Perl, Python, or shell scripts, distinguishing them from static content delivery by providing real-time, request-specific responses. mod_actions allows the Apache server to map specific media types or HTTP request methods to external CGI scripts or handlers, enabling conditional execution based on content characteristics. For instance, it uses the Action directive to associate a URL path or file extension with a script, such as routing all .pdf requests to a processing program for dynamic generation or modification. This module is particularly useful for extending server behavior without embedding logic directly into Apache, supporting actions like form handling or content transformation triggered by MIME types.^[32] mod_cgi implements the core CGI functionality by treating files with the cgi-script handler as executable scripts, spawning a new process for each invocation to run the script and return its output directly to the client. It passes request data, such as environment variables including query strings and headers, to the script via standard input and environment, adhering to CGI/1.1 specifications for interoperability. This process-based model ensures isolation but can introduce overhead in high-concurrency environments, making it suitable for traditional prefork multi-processing modules (MPMs).^[33][31] mod_cgid, introduced in Apache HTTP Server 2.0, serves as an optimized alternative to mod_cgi for threaded MPMs like worker or event, by employing an external daemon process to manage CGI executions and minimize forking costs. The daemon (cgid) handles script invocations in a persistent manner, reducing the overhead of creating new processes per request in multi-threaded configurations, while maintaining compatibility with CGI standards. This design improves efficiency for environments with frequent CGI calls, such as on Unix-like systems supporting threading, without altering the script execution semantics.^[34][35]

Compression Modules

Compression modules in Apache HTTP Server enable the reduction of response sizes by applying lossless compression algorithms to outgoing data, thereby decreasing bandwidth usage and improving transfer speeds over the network. These modules operate as output filters, processing content after it has been generated by the server but before transmission to the client, ensuring compatibility with browsers that support specified content encodings such as gzip, deflate, or br. By dynamically compressing text-based resources like HTML, CSS, and JavaScript, they can significantly lower payload sizes without altering the original data integrity.^[36] The mod_deflate module, introduced in Apache HTTP Server 2.0, implements the DEFLATE compression algorithm using the zlib library to compress server output on the fly. It supports both gzip and deflate content encodings, allowing the server to negotiate with clients via the Accept-Encoding header and respond with compressed variants when supported, while adding the appropriate Vary: Accept-Encoding header to enable proper caching. Configuration directives like DeflateCompressionLevel (ranging from 1 for fastest to 9 for best compression) and AddOutputFilterByType control the compression behavior, targeting specific MIME types such as text/html and application/javascript for optimal bandwidth savings. This module has been a core component for performance optimization since its debut, often reducing response sizes by 60-80% for compressible content.^[34][37] Introduced in Apache HTTP Server version 2.4.26 (released June 19, 2017), the mod_brotli module provides support for the Brotli compression algorithm, developed by Google for superior efficiency in web content compression. It applies the BROTLI_COMPRESS output filter to eligible responses, producing content with the br encoding that clients decompress transparently. The BrotliCompressionQuality directive sets the compression level from 0 (least compression, fastest) to 11 (best compression, slowest), balancing CPU overhead with file size reduction. Brotli generally achieves 20-26% better compression ratios than gzip for typical web assets like HTML and CSS, making it particularly effective for static and dynamic content delivery. When both mod_brotli and mod_deflate are enabled, Apache prioritizes Brotli if the client requests it, enhancing overall site performance.^[38][39]

Content Handling Modules

Content handling modules in the Apache HTTP Server facilitate the processing and delivery of static and semi-dynamic content by applying modifications to file serving, headers, encoding, and structure, ensuring compatibility with client requirements and optimizing presentation without executing dynamic scripts. These modules handle tasks such as directory indexing, MIME type associations, content negotiation, and filter applications, which prepare responses before they are compressed or proxied. By integrating seamlessly with the server's core, they enhance the efficiency of content delivery for web applications and static sites.^[1] The mod_asis module serves files exactly as they are stored on the server, including any HTTP headers embedded directly within the files themselves, which allows content providers to specify custom headers without additional server processing. This is particularly useful for simple, unaltered delivery of pre-formatted content like status pages or test files. Its primary directive, AsisMatch, controls which files are handled this way based on regular expressions.^[40] mod_autoindex automatically generates directory listings when no default index file is present, mimicking the output of Unix ls or Windows dir commands, and supports customizable formats such as HTML tables or plain text. Key directives like IndexOptions allow configuration of display elements, including icons, descriptions, and sorting, while IndexIgnore excludes specific files from listings to maintain security and cleanliness. This module is essential for enabling browsable file systems in development or public directories.^[41] mod_charset_lite performs character set translation or recoding on outgoing content, enabling the server to convert text from one encoding to another, such as from ISO-8859-1 to UTF-8, to match client expectations. It uses directives like CharsetSourceEnc to specify the input encoding and CharsetDefault for fallback conversions, supporting a range of character sets defined in configuration. This ensures proper rendering of internationalized content across diverse client environments.^[42] For testing and development, mod_data treats in-memory data as a content source, converting response bodies into RFC 2397 data URLs, which embed small amounts of data directly in the response without file I/O. The Data directive specifies the data and media type, making it ideal for generating inline images or scripts in responses. Its lightweight nature avoids filesystem dependencies, streamlining prototyping workflows.^[43] mod_dir manages directory access by appending trailing slashes to requests for directories and serving default index files like index.html or index.php when DirectoryIndex is configured. Directives such as DirectoryIndex define the priority order of index files, and it handles "fancy" indexing redirects to prevent information disclosure. This module is foundational for organizing web roots and ensuring intuitive navigation.^[44] To optimize caching, mod_expires generates Expires and Cache-Control HTTP headers based on file extensions or types, allowing administrators to set expiration times like "access plus 1 month" for static assets. Directives including ExpiresActive, ExpiresByType, and ExpiresDefault provide granular control, reducing unnecessary requests and improving load times for browsers and proxies. It supports both absolute dates and relative intervals for flexible cache management.^[45] mod_file_cache caches a predefined list of static files directly in memory upon server startup, bypassing disk access for frequently requested resources to boost performance on high-traffic sites. Configuration via CacheDirLength, CacheDirLevels, and CacheDisable directives limits cache size and excludes paths, with the cache persisting across restarts if files remain unchanged. This module is suited for environments with ample RAM and stable static content.^[46] mod_filter enables context-sensitive configuration of content filters, allowing chained processing of responses through providers like INFLATE for decompression or custom filters before final output. Core directives such as FilterDeclare, FilterProvider, and FilterChain define filter types, providers, and ordering, supporting both input and output buckets for modular content manipulation. It forms the basis for advanced response transformations in the Apache filter architecture.^[47] mod_headers customizes HTTP request and response headers by adding, appending, setting, or deleting them conditionally based on environment variables or status codes. Directives like Header and RequestHeader support actions such as always set for CORS headers or env=var conditions, enabling compliance with security standards like HSTS or CSP. This module is widely used to tailor responses for SEO, privacy, and cross-origin policies.^[48] mod_include processes Server-Side Includes (SSI) in HTML documents, parsing directives like <!--#include virtual="..." --> to insert dynamic elements such as file contents or timestamps at serving time. It supports XSSI, an extended syntax with variables and conditionals for more complex logic, configured via OutputTimeFormat and AddType for .shtml files. This allows semi-dynamic updates to static pages without full scripting overhead.^[49] mod_mime associates file extensions with MIME types, languages, character sets, and handlers, determining how the server processes and labels content in responses. Directives including AddType, AddEncoding, AddLanguage, and AddCharset map extensions like .html to text/html; charset=utf-8, while RemoveType clears defaults. It integrates with other modules to trigger appropriate filters or handlers based on content type.^[50] For content-based identification, mod_mime_magic examines the initial bytes of a file to determine its MIME type using magic number patterns, overriding extension-based guesses when accuracy is critical, such as for uploaded files. The MimeMagicFile directive points to a configuration file defining patterns, similar to Unix file command databases. This enhances reliability in heterogeneous file environments.^[51] mod_negotiation implements HTTP content negotiation by selecting the optimal resource variant based on client preferences for media type, language, or charset, using type maps or multiviews. It has supported type maps—files listing variants with quality factors—since Apache 1.1, with directives like LanguagePriority and AddType influencing selections. This ensures personalized delivery, such as language-specific pages, without client-side redirects.^[52] mod_substitute performs regex-based search-and-replace operations on response bodies before they are sent to the client, commonly used in reverse proxy setups (e.g., with mod_proxy) to rewrite backend domains to frontend domains in proxied content, as well as for on-the-fly tweaks like inserting tracking codes. The Substitute directive defines patterns and replacements, often combined with AddOutputFilterByType SUBSTITUTE for content types such as text/html, limited to non-binary content via mod_filter, with SubstituteMaxLineLength controlling buffer sizes. It applies transformations efficiently in the output filter chain.^[53]

Database and Storage Modules

The Database and Storage Modules in Apache HTTP Server enable integration with SQL databases and various persistent storage systems, supporting data-driven operations such as authentication, session management, and shared caching backends. These modules leverage the Apache Portable Runtime (APR) for efficient connection handling and scalability across multi-processing models. By abstracting database access and providing pluggable storage options, they allow administrators to configure robust, backend-agnostic persistence without embedding vendor-specific code directly into server configurations. mod_dbd serves as a database abstraction layer, managing SQL database connections through APR to supply on-demand access for other modules needing SQL functions. It handles connection pooling, preparation of statements, and execution, optimizing for both threaded and non-threaded Multi-Processing Modules (MPMs) to ensure scalability in high-load environments. Introduced in Apache HTTP Server version 2.1, this extension module supports drivers for common databases like MySQL, PostgreSQL, and Oracle via APR DBD.^[54] Key directives include DBDriver to specify the SQL driver (e.g., mysql), DBDParams for connection parameters such as host and credentials (e.g., host=localhost,dbname=example,user=user,pass=pass), and DBDPrepareSQL to precompile labeled SQL statements for reuse. Additional controls like DBDMax set the hard maximum number of connections (default: 10), while DBDPersist enables persistent connections (default: On) to reduce overhead. Prior to version 2.2.2, the DBDPersist directive used numeric values (0/1) instead of Off/On. This module is often used in authentication setups, such as with mod_authn_dbd, to store and verify user credentials from a database backend.^[54] The shared object cache providers in this category offer storage backends for persistent data sharing across server processes, distinct from general HTTP response caching. mod_socache_dbm implements a DBM-based backend, creating and accessing cache entries stored in a simple DBM hash file (e.g., via dbm:/path/to/datafile), suitable for lightweight, file-system-backed persistence on single-server setups. Introduced in Apache HTTP Server version 2.4, it requires no specific directives and integrates with the broader mod_socache framework.^[55] mod_socache_dc provides distributed caching via the distcache protocol, enabling shared storage across multiple servers through dedicated distcache libraries for session data and similar objects. Available since version 2.4, it supports cluster environments but depends on external distcache installation and offers no module-specific directives.^[56] mod_socache_memcache integrates with Memcached, a distributed in-memory key-value store, for high-performance shared object caching that scales horizontally across nodes (e.g., memcache:host1:port,host2:port). Debuting in version 2.4, it includes the MemcacheConnTTL directive (since 2.4.17) to manage idle connection keepalive times (default: 15 seconds), aiding in efficient resource use for large-scale deployments.^[57] mod_socache_redis connects to Redis, an advanced in-memory data structure store, for scalable, persistent shared caching with support for replication and high availability. Introduced in Apache HTTP Server version 2.4.39, it features directives like RedisConnPoolTTL for idle connection timeouts (default: 15 seconds) and RedisTimeout for read/write operations (default: 5 seconds), configurable in server or virtual host contexts (e.g., redis:host:port).^[58] mod_socache_shmcb utilizes a shared memory cyclic buffer for fast, in-process storage of cache objects, ideal for single-machine performance without external dependencies. Part of the version 2.4 shared object cache extensions, it requires no directives and prioritizes low-latency access for transient data like session tokens.^[59]

Logging and Monitoring Modules

Logging and monitoring modules in the Apache HTTP Server facilitate the systematic recording of server events, request details, and performance metrics, which are essential for troubleshooting, security analysis, and operational oversight.^[60] These modules allow administrators to configure logs in various formats and access real-time status information, aiding in the identification of issues such as resource bottlenecks or anomalous traffic patterns.^[61] By integrating with other core features, they provide a foundation for both routine maintenance and advanced auditing without requiring external tools.^[62] mod_log_config is a base module that enables customizable logging of client requests, supporting flexible formats defined via the LogFormat and CustomLog directives.^[60] It includes the Common Log Format (CLF), specified as "%h %l %u %t \"%r\" %>s %b", which captures essential details like client IP, request time, and response size.^[60] Logs can be directed to files or external programs, with conditional logging based on request attributes, and format specifiers such as %a for client IP or modifiers for specific status codes like %400,501{User-agent}i.^[60] This module has been integral since early versions and supports multiple log files per server configuration.^[60] mod_log_debug, an experimental module available since Apache 2.3.14, provides configurable debug-level logging for troubleshooting complex issues.^[63] It uses the LogMessage directive to output user-defined messages to the error log at the info level, with optional hooks like log_transaction or all and expressions for conditional activation, such as %{REQUEST_STATUS} == 500.^[63] Examples include logging sub-requests to specific paths, IPv6 connection timeouts, or environment variables, leveraging ap_expr syntax for precision without impacting headers like Vary.^[63] This facilitates detailed request analysis in directory contexts.^[63] mod_log_forensic supports forensic logging by recording requests both before and after processing, generating two lines per request for security audits.^[64] The first line details the request and headers in a fixed format, while the second contains only a unique forensic ID, such as +yQtJf8CoAB4AAFNXBIEAAAAA, which enables correlation for intrusion detection system (IDS) integration.^[64] Configured via the ForensicLog directive, it works with mod_unique_id (optional since version 2.1) and can pipe output, though log files may include sensitive data like Authorization headers, necessitating restricted access.^[64] mod_logio extends logging capabilities by tracking input and output bytes per request, measuring actual network traffic including headers and bodies.^[65] It requires mod_log_config and accounts for SSL/TLS encryption by logging bytes before encryption on input and after on output, with adjustments for KeepAlive and renegotiations.^[65] Key format strings include %I for received bytes, %O for sent bytes, %S for total bytes (since 2.4.7), and %^FB for time-to-first-byte in microseconds (since 2.4.13 with LogIOTrackTTFB ON).^[65] This module is particularly useful for bandwidth monitoring and analysis.^[65] mod_status, available since Apache 1.1, generates an HTML server status page accessible at /server-status, displaying metrics like active and idle workers, total accesses, and bytes served.^[61] Extended status, enabled by default since 2.3.6 via ExtendedStatus On, provides deeper insights including per-worker CPU usage and ongoing requests.^[61] A machine-readable scoreboard visualization is offered at /server-status?auto for automated monitoring tools, aiding in performance troubleshooting through process IDs and real-time statistics like requests per second.^[61] These features support brief logging of proxy requests when combined with access logs.^[61]

Proxy and Load Balancing Modules

The Proxy and Load Balancing Modules in Apache HTTP Server enable the server to act as a reverse proxy or gateway, forwarding client requests to backend servers and distributing traffic across multiple origins for improved scalability and reliability. These modules, primarily built around the core mod_proxy, support a variety of protocols and load balancing strategies, allowing administrators to integrate Apache with diverse application servers without exposing them directly to the internet. Introduced as a stable feature in Apache 2.0, mod_proxy provides the foundational framework for proxying, including worker management for connection pooling and protocol handling, while extensions add specific protocol support and balancing logic.^[66] mod_proxy serves as the central proxy/gateway module, implementing multi-protocol forwarding in both forward and reverse proxy modes. It manages backend connections through configurable workers, supports load balancing integration, and includes directives like ProxyPass for URL mapping to origins and ProxyPassReverse for rewriting response headers to match the frontend URL. Key features encompass connection reuse for efficiency, SSL/TLS termination via mod_ssl, and basic health monitoring, though it requires companion modules for specific protocols. Since its stabilization in version 2.0, it has evolved to include Unix domain socket support from 2.4.7 and WebSocket upgrades from 2.4.47.^[66] For protocol-specific proxying, several extensions complement mod_proxy. mod_proxy_ajp enables efficient integration with application servers like Apache Tomcat using the AJP13 binary protocol, which reduces overhead through persistent connections and forwards environment variables as request attributes; it includes directives like BalancerMember for load-balanced setups and a secret option for authentication added in 2.4.42. mod_proxy_http handles HTTP/0.9 to HTTP/1.1 proxying for standard web traffic, supporting HTTPS via mod_ssl—to proxy requests to HTTPS backends, enable the SSLProxyEngine On directive from mod_ssl, which allows Apache to establish secure connections to backend servers—but without built-in caching; environment variables such as proxy-nokeepalive allow fine-tuning of connection behavior. mod_proxy_http2, introduced in 2.4.19, extends this to HTTP/2 backends, multiplexing requests over a single TCP connection for improved performance on compatible origins, though it requires HTTP/2 support on the backend without fallback to HTTP/1.1.^{[67][68][69][70]} Other protocol modules address specialized needs: mod_proxy_fcgi proxies FastCGI requests to dynamic backends like PHP-FPM, optimizing for high-throughput scripting environments; mod_proxy_scgi and mod_proxy_uwsgi support the SCGI and uWSGI protocols, respectively, for lightweight communication with application servers in Python or other frameworks. mod_proxy_wstunnel, added in 2.4.5 but deprecated since 2.4.47 in favor of mod_proxy_http's RFC 7230 compliance, tunnels WebSocket connections (ws:// or wss://) using the upgrade parameter in ProxyPass. mod_proxy_connect manages the HTTP CONNECT method for tunneling, commonly used for SSL proxying; mod_proxy_ftp enables FTP gatewaying; and mod_proxy_express offers a lightweight, dynamic reverse proxy that maps Host headers to backends without explicit configuration. mod_proxy_html acts as an output filter to rewrite HTML links and forms in proxied responses, ensuring accessibility from external networks. For Unix systems, mod_proxy_fdpass facilitates file descriptor passing to external processes, enhancing inter-process communication. Finally, mod_proxy_hcheck performs dynamic health checks on balancer members, probing endpoints like HTTP status codes to detect and remove unhealthy backends automatically.^{[71][72][73][74][75][76][77][78][79][80]} Load balancing capabilities are provided by mod_proxy_balancer, available since 2.1, which distributes requests across multiple backend servers using configurable algorithms and supports session stickiness via cookies or URL encoding to maintain user affinity. It integrates with the Balancer Manager interface (via mod_status) for runtime adjustments and uses directives like ProxySet for properties such as timeouts and load factors. Complementing this are the load method modules: mod_lbmethod_byrequests implements a simple round-robin scheduler based on request counts; mod_lbmethod_bytraffic weights distribution by byte volume for bandwidth-aware balancing; mod_lbmethod_bybusyness selects the least-loaded server using pending request queues; and mod_lbmethod_heartbeat incorporates heartbeat signals from backends (via mod_heartbeat) to inform scheduling decisions. These methods can be selected per balancer with the lbmethod parameter, enabling tailored traffic distribution without custom coding. Proxied responses may be cached using mod_cache for performance gains, though this is configured separately.^{[81][82][83][84][85]}

Security Modules

Security modules in the Apache HTTP Server provide essential protections for server operations, connections, and resource usage, focusing on encryption, privilege management, and defense against common attack vectors. These modules enable administrators to implement robust safeguards such as TLS encryption for data in transit, controlled execution environments for dynamic content, and mechanisms to mitigate denial-of-service (DoS) threats by enforcing timeouts and accurate client identification. By integrating with underlying system capabilities like OpenSSL and POSIX features, they ensure the server operates with minimal privileges while maintaining performance and reliability.^[86] The mod_ssl module implements strong cryptography via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, relying on OpenSSL for encryption support. Introduced with Apache 2.0, it allows configuration of SSL/TLS for secure HTTP connections, protecting sensitive data from interception and tampering during transmission. Key directives include SSLEngine to enable or disable encryption per virtual host, SSLProtocol to specify supported protocol versions (e.g., excluding deprecated SSLv2), and SSLCipherSuite to define acceptable cipher algorithms for enhanced security. This module is fundamental for deploying HTTPS, ensuring compliance with modern web security standards by supporting TLS 1.3 and forward secrecy options.^[70][70] mod_suexec enhances security for CGI script execution by allowing scripts to run under specified user and group identities, rather than the server's default privileges. This isolates potentially untrusted code, preventing a compromised script from accessing the entire server's resources or other users' files. Compiled separately and installed in a secure location, it enforces strict path checks and logging for executions. The primary directive, SuexecUserGroup, sets the user and group for CGI processes, making it indispensable for shared hosting environments where multiple users generate dynamic content.^[87] mod_unixd delivers core security features for Unix-like platforms, including user and group settings for the daemon process to enforce privilege separation from startup. It runs the server as a non-root user after binding to privileged ports, reducing the attack surface if the server is compromised. Directives like User and Group configure the effective identity, ensuring the process operates with least privileges. This module is loaded by default in standard Apache distributions, providing foundational Unix daemon security without additional configuration in most cases.^[88] For advanced privilege management, mod_privileges supports POSIX capabilities and Solaris privileges, enabling fine-grained control over process permissions for virtual hosts. It allows running distinct virtual hosts under different user IDs without full user switching, limiting capabilities like file access or network binding to only what's necessary. The PrivilegesMode directive activates capability mode, dropping unnecessary privileges at runtime. This module is particularly useful in multi-tenant setups, enhancing isolation beyond basic user/group changes.^[89] To counter slow HTTP attacks like Slowloris, mod_reqtimeout, added in Apache 2.2.15 (released in 2010), sets timeouts and minimum data rates for incoming requests. It terminates connections that linger without sufficient data transfer, preventing resource exhaustion from partial requests. Directives such as RequestReadTimeout (e.g., "header=10-20,minrate=500") and RequestWriteTimeout allow customization for headers, body, and response phases, with the minimum rate ensuring steady progress. This proactive measure significantly mitigates DoS risks by enforcing efficient client behavior.^[90][90][91] Finally, mod_remoteip addresses security in proxied environments by replacing the apparent client IP with the actual originating address from trusted proxy headers, ensuring accurate logging and potential integration with other security controls. Directives like RemoteIPHeader specify the header (e.g., X-Forwarded-For) and RemoteIPTrustedProxy define trusted intermediaries to prevent spoofing. This prevents attackers from masking their origin behind proxies, aiding in forensic analysis and rate limiting based on true client identities.^[92]

Session Management Modules

Session management modules in the Apache HTTP Server enable the maintenance of user-specific state across multiple HTTP requests, facilitating features like persistent logins without relying on server-side state for every connection. These modules, introduced in Apache 2.4 in 2012, provide a framework for stateless session support, allowing sessions to be stored client-side or in external databases to scale efficiently in distributed environments.^[93][94] The core module, mod_session, establishes a server-wide interface for per-user sessions, tracking data such as login status or custom attributes. It supports enabling sessions via the Session directive (default: Off) and controls session lifespan with SessionMaxAge (default: 0, no expiration). Additional directives like SessionInclude and SessionExclude allow fine-grained control over which URLs participate in session handling, while SessionEnv exposes session data to the environment for scripting. Available since Apache 2.3 but stabilized in 2.4, mod_session depends on storage and security submodules for full functionality.^[94] For client-side storage, mod_session_cookie serializes sessions into HTTP cookies sent to the browser, minimizing server resource demands. Key directives include SessionCookieName for setting cookie attributes (e.g., path, domain, HttpOnly, Secure) compliant with RFC 2109, and SessionCookieName2 for RFC 2965 variants. This approach enhances scalability but requires precautions against cross-site scripting; sessions are vulnerable without encryption.^[95] mod_session_dbd extends storage options by persisting sessions in a SQL database via mod_dbd, supporting anonymous UUID-keyed or per-user sessions for better privacy as data remains server-side. Directives such as SessionDBDPerUser (default: Off) toggle user-specific storage, and labels like SessionDBDInsertLabel define SQL queries for operations. It requires mod_dbd and periodic cleanup of expired sessions via external processes like cron jobs.^[96] To secure sessions, mod_session_crypto handles encryption and signing before storage or transmission, using symmetric ciphers like AES-256 (configurable via SessionCryptoCipher). The SessionCryptoPassphrase directive sets keys, supporting rotation with multiple values, and SessionCryptoDriver selects backends like OpenSSL or NSS. Experimental since Apache 2.3, it mitigates privacy risks in cookie-based setups.^[97] These modules integrate with authentication mechanisms, such as mod_auth_form, to enable persistent user sessions post-login.^[98]

Miscellaneous Modules

The miscellaneous modules in the Apache HTTP Server core distribution encompass a diverse set of utilities for specialized tasks, including protocol extensions, debugging tools, scripting integrations, and configuration enhancements that do not align with primary categories like authentication or caching. These modules enable administrators to customize server behavior for unique requirements, such as WebDAV support, URL manipulation, and performance monitoring, while maintaining compatibility across various operating systems. Many have evolved over Apache versions to incorporate modern standards and optimizations.^[86] mod_allowmethods restricts which HTTP methods (such as GET, POST, or PUT) can be used on the server or specific resources, providing a simple way to limit request types without affecting authentication or authorization processes. This module uses directives like AllowMethods to enforce restrictions at the directory or location level.^[99] mod_buffer implements buffering for incoming requests, allowing the server to handle large or slow uploads more efficiently by storing data in memory before processing. It supports configurable buffer sizes via the BufferSize directive, which helps in scenarios with resource-constrained environments.^[100] mod_cern_meta emulates the metafile semantics from the CERN HTTPD server, enabling the addition of custom HTTP headers based on filename extensions defined in a .meta file alongside content files. This module is primarily used for legacy compatibility and custom header injection in static content serving.^[101] mod_dav provides support for the WebDAV (Web-based Distributed Authoring and Versioning) protocol, allowing clients to perform remote web content authoring operations like creating, editing, and deleting files over HTTP. It integrates with other DAV-related modules to form a complete WebDAV implementation. mod_dav_fs serves as the filesystem-based backend provider for mod_dav, handling the storage and retrieval of WebDAV resources directly from the server's local filesystem. This module translates WebDAV operations into standard file system calls, ensuring seamless integration with existing directory structures. mod_dav_lock implements locking mechanisms required by the WebDAV protocol (RFC 4918), enabling concurrent access control to prevent conflicts during collaborative editing. It supports both exclusive and shared locks, configurable via directives like DAVLockDB, and stores lock information in a specified database file. mod_dumpio logs all input and output exchanged between the server and clients to the error log for debugging purposes, capturing raw data streams without altering normal operation. Activation occurs via LogLevel dumpio:trace7, making it useful for troubleshooting protocol issues or malformed requests. mod_echo functions as a basic echo server module for testing and demonstrating Apache's protocol handling capabilities, reflecting back incoming requests in the response body. It includes directives like Echo to control output and is often used in development environments to simulate client-server interactions. mod_env passes environment variables from the Apache configuration to CGI scripts, Server-Side Includes (SSI), and other subprocesses, with directives like SetEnv and PassEnv for setting or propagating variables. This module facilitates dynamic content generation by making shell-like environment data available within the web context. mod_example_hooks demonstrates the Apache module API by providing example hook registrations and implementations, serving as a template for developers creating custom modules. It registers hooks for various request phases but performs no functional operations in production. mod_ext_filter filters response content by piping it through an external program before delivery to the client, allowing custom transformations like encoding conversions or data modifications. Directives such as ExtFilterDefine and ExtFilter enable configuration of the filter chain for specific content types. mod_heartbeat enables origin servers to send periodic heartbeat messages containing load and health status to frontend proxies or load balancers, aiding in dynamic traffic distribution. It uses the hb protocol for communication and is configured with directives like HeartbeatListen. mod_heartmonitor acts as a receiver for heartbeat messages from multiple origin servers, aggregating status data to inform proxy decisions on backend selection. This module complements mod_heartbeat by providing centralized monitoring without direct server involvement. mod_http2, introduced in Apache 2.4.17, handles the HTTP/2 protocol (RFC 7540) for improved performance through multiplexing, header compression, and server push features, relying on the libnghttp2 library for core functionality. It requires explicit enabling via the Protocols directive and supports both h2 (over TLS) and h2c (cleartext) modes.^[102][38] mod_ident performs RFC 1413 ident protocol lookups on client IP addresses to retrieve user identification information from remote systems, useful for logging or access control in trusted networks. The Ident directive controls lookup timeouts and integration with log formats. mod_imagemap processes server-side imagemaps, mapping coordinates from client clicks on images to specific URLs via a map file, supporting both NCSA and CERN formats for legacy clickable image applications. It uses the <Imap> directive for configuration within server blocks. mod_info generates a detailed HTML page displaying the server's configuration, loaded modules, and active directives, aiding in diagnostics and verification. Access is restricted via Allow directives to prevent exposure of sensitive information. mod_isapi provides support for Internet Server API (ISAPI) extensions on Windows platforms, allowing Apache to host ISAPI filters and handlers originally designed for IIS. This module enables compatibility with legacy Windows web applications through dynamic loading. mod_ldap manages LDAP connections and caches query results for reuse by other authentication or authorization modules, improving performance in directory-based environments. Directives like LDAPCacheEntries control caching behavior to balance speed and resource usage. mod_lua, introduced in Apache 2.4, embeds the Lua scripting language to allow custom hooks during request processing, enabling dynamic configuration, authentication, and content generation without compiling new modules. It uses directives like LuaRoot for script management and supports both quick and full startup modes for performance tuning.^[103][38] mod_macro extends Apache configuration files with macro definitions and expansions, similar to C preprocessor macros, to reduce repetition and improve maintainability using Macro and Use directives. This module processes macros during configuration parsing for conditional logic and variable substitution. mod_md automates management of domains across virtual hosts, including ACME protocol integration for automatic certificate provisioning from services like Let's Encrypt. It handles certificate renewal and distribution via directives like MDomain. mod_nw_ssl enables SSL/TLS encryption specifically for the NetWare operating system, providing secure connections in legacy NetWare environments. This module is platform-specific and integrates with NetWare's native SSL libraries. mod_ratelimit throttles outbound bandwidth for clients by limiting the data rate of responses, useful for preventing abuse or managing server load with directives like RatlimitSize. It applies filters at the byte level for precise control. mod_reflector reflects the incoming request body back as the response through the output filter stack, primarily for testing proxy or filter chain behaviors. This module aids in debugging content transformations without external clients. mod_request provides filters for handling and exposing HTTP request bodies, including chainable notes for inter-module communication during processing. It supports advanced request manipulation in custom configurations. mod_rewrite, available since Apache 1.1, offers a powerful rule-based engine for rewriting URLs on the fly using regular expressions and conditions via RewriteRule and RewriteCond directives. It supports complex mappings, redirects, and proxy integrations, with enhancements in later versions like boolean expressions in 2.4.^[104] mod_sed applies sed-like transformations to both request and response content using regular expression patterns, configured with OutputSed for output filtering. This module enables lightweight text processing without external tools. mod_setenvif sets environment variables based on incoming request headers, browser information, or other attributes using pattern matching with directives like SetEnvIf. It facilitates conditional configurations for dynamic environments. mod_slotmem_plain implements a plain file-based provider for slot-based shared memory, used by other modules for storing small data structures across processes. It offers a simple, non-shared alternative to shared memory for compatibility. mod_slotmem_shm provides slot-based shared memory using system shared memory segments, enabling efficient inter-process data sharing for modules like load balancers. Directives control segment size and access for scalability. mod_so enables dynamic loading of shared object modules at runtime using the LoadModule directive, allowing modular extensions without recompiling the server. This is the foundation for most optional module integrations in Apache. mod_speling corrects minor URL misspellings or case inconsistencies by attempting to match requested paths to existing files, with the CheckSpelling directive toggling the feature. It improves user experience for non-exact links while logging corrections. mod_systemd enhances integration with the systemd init system on Linux, providing journal logging and service notifications for better process management. It uses D-Bus for communication to report server status accurately. mod_unique_id generates a unique identifier for each request, stored as an environment variable for logging or correlation purposes across modules. The format can be customized via Unique-ID for traceability in distributed systems. mod_userdir enables serving files from user home directories via URLs like /~user/, with the UserDir directive specifying the public_html subdirectory. It supports access controls and is common for personal web hosting. mod_usertrack tracks user sessions using cookies with configurable names and domains, appending client IP and sequence numbers for basic clickstream logging. The CookieTracking directive activates it for analytics without persistent storage. mod_version allows version-dependent configuration sections using IfVersion directives, enabling conditional loading based on Apache's major, minor, or patch levels. This facilitates compatibility across upgrades. mod_vhost_alias supports dynamic mass virtual hosting by mapping IP-based or name-based hosts to directories using interpolation patterns in VirtualDocumentRoot. It scales hosting for thousands of domains without explicit VirtualHost blocks. mod_watchdog supplies infrastructure for asynchronous task execution, allowing other modules to schedule periodic callbacks for maintenance or monitoring. It integrates with APR for timer-based operations in multi-process environments. mod_xml2enc adds charset detection and conversion filters for XML content using libxml2, ensuring proper encoding handling in internationalized applications. It applies transformations transparently during output filtering.

Third-Party Modules

Authentication and Security Extensions

Third-party modules extend Apache's authentication and security capabilities beyond the core distribution, offering advanced features like multi-factor authentication and intrusion prevention. These extensions are particularly useful for environments requiring robust protection against unauthorized access and attacks, such as web applications handling sensitive data. Notable examples include modules focused on one-time passwords, ticket-based single sign-on, denial-of-service mitigation, web application firewalls, and quality-of-service controls.^[105][106] mod_authn_otp provides one-time password (OTP) authentication for Apache using the HOTP algorithm defined in RFC 4226, enabling two-factor authentication by verifying time-based or counter-based OTPs alongside standard credentials. Developed as an authentication provider, it integrates with Apache's authn framework to retrieve and validate OTPs from user input, supporting hardware tokens or software generators like Google Authenticator. This module is compatible with Apache 2.4 and is available as open-source software.^[107] mod_auth_tkt implements lightweight, cookie-based single-sign-on authentication using secure tickets, allowing users to authenticate once and access multiple domains or subdomains without re-entering credentials. Written in C, it generates and validates encrypted tickets containing user identity and expiration data, functioning as an alternative to more complex systems like Apache::AuthTkt. The module supports Apache versions up to 2.4 with appropriate compilation and is distributed under an open-source license.^[108] mod_evasive, developed by Jonathan Zdziarski in 2002, offers denial-of-service (DoS) protection by monitoring and limiting request rates from individual IP addresses to detect and block brute-force or flooding attacks. It temporarily blacklists suspicious IPs after thresholds are exceeded, such as same-page requests within a short interval, and can integrate with external tools like firewalls for broader response actions. Compatible with Apache 2.4, this open-source module enhances server resilience without requiring extensive configuration changes.^[109] mod_security serves as an open-source web application firewall (WAF) for Apache, using rule sets to inspect and filter HTTP traffic in real-time, blocking common attacks like SQL injection, cross-site scripting (XSS), and remote file inclusion. Originally developed as an Apache module, its 2.x series was maintained by Trustwave as open-source software before transitioning to OWASP stewardship; it employs an event-based language for custom rules and anomaly scoring. The module is fully compatible with Apache 2.4 and remains actively developed for modern threat detection as of 2025.^{[105][110][111]} mod_qos enforces quality-of-service policies by queuing and prioritizing HTTP requests, preventing resource exhaustion from high-traffic or malicious patterns like slowloris attacks. It limits connections per IP, controls keep-alive durations, and assigns request priorities based on criteria such as URL patterns or user agents, thereby maintaining server availability under load. As an open-source module, it supports Apache 2.4 and provides configurable defenses against DoS without impacting legitimate traffic.^[106]

Performance and Caching Add-ons

Third-party modules for performance and caching in Apache extend the server's capabilities by introducing specialized optimizations beyond core functionality, such as persistent process management for dynamic content, automated page rewriting for faster delivery, and accurate client identification in proxied environments. These add-ons are particularly valuable for high-traffic sites, where they reduce latency, minimize resource overhead, and improve throughput without requiring extensive reconfiguration. mod_fastcgi serves as a persistent FastCGI process manager, enabling efficient handling of dynamic scripting languages by maintaining application instances across multiple requests, thereby avoiding the startup costs associated with traditional CGI. Developed as a third-party extension, it supports both static and dynamic FastCGI applications over TCP or Unix sockets, with directives like FastCgiServer for local management and FastCgiExternalServer for connecting to external backends. This module is especially useful for integrating with PHP-FPM, where Apache can forward requests to the FPM socket for processed execution, enhancing scalability for PHP-based applications under load. However, for Apache 2.4, it requires patching or alternative builds, with official recommendations favoring mod_fcgid or mod_proxy_fcgi for native support.^[112][113] mod_pagespeed, developed by Google and released in 2010, functions as an optimization engine that automatically rewrites web pages on-the-fly to apply best practices for speed, including resource inlining, compression, and deferral of non-critical assets. It incorporates caching mechanisms to store optimized versions of pages and resources, reducing repeated processing and bandwidth usage, which can lead to significant improvements in page load times—often by 20-50% in benchmarks for static-heavy sites. Originally an active project under Google's maintenance, the module entered an archived state in the Apache incubator by April 2024, preserving its codebase for community use while encouraging alternatives for ongoing development. It remains usable with Apache 2.4 as of 2025.^[114][115] mod_rpaf addresses performance in reverse proxy configurations by forwarding the original client IP address, HTTPS status, and port information from upstream proxies to Apache, ensuring accurate logging, access control, and virtual host routing without additional overhead from misidentified requests. Key directives such as RPAF_ProxyIPs allow whitelisting trusted proxies, while RPAF_Header specifies the forwarded header (e.g., X-Forwarded-For), preventing spoofing and enabling efficient load balancing in multi-tier setups. This module is compiled from source for Apache 2.4, requiring development headers like httpd-devel, and is licensed under the Apache License 2.0.^[116]

Content and Proxy Enhancements

Third-party modules in this category enhance Apache's content processing and proxy functionalities by integrating specialized protocols and application servers, particularly those not natively supported by core modules like mod_proxy. These extensions enable efficient handling of dynamic content, secure communications, and geospatial data serving, often bridging Apache with external ecosystems such as Java, Ruby, or mapping services. By focusing on non-official protocols, they provide alternatives for scenarios requiring custom integration or avoidance of proprietary dependencies. mod_gnutls serves as a GnuTLS-based alternative to the OpenSSL-dependent mod_ssl, providing SSL/TLS encryption for Apache HTTP Server with support for protocols including TLS 1.0, 1.1, and later versions up to 1.3 as of version 0.12.2 (April 2024). It enables secure HTTPS connections using X.509 or OpenPGP certificates, differing from mod_ssl by leveraging the GnuTLS library for potentially better interoperability in environments avoiding OpenSSL due to licensing or vulnerability concerns. Key features include Server Name Indication (SNI) for hosting multiple SSL-enabled virtual hosts on a single IP address, as defined in RFC 3546, and configurable session caching options such as dbm, gdbm, memcached, or none to optimize performance. Directives like GnuTLSEnable toggle TLS support, GnuTLSCertificateFile specifies the server certificate in PEM format, and GnuTLSPriorities allows fine-tuned cipher and protocol selection (e.g., "NORMAL" for secure defaults). This module exports environment variables like SSL_PROTOCOL and SSL_CIPHER for scripting integration, making it suitable for content-heavy sites needing robust TLS without OpenSSL. Compatible with Apache 2.4.^{[117][118][119]} mod_jk, developed by the Apache Tomcat project since 2001, acts as a connector module that forwards requests from Apache to Tomcat or other servlet containers using the AJP (Apache JServ Protocol) 1.3, enhancing proxy capabilities for Java-based applications. It supports persistent connections and load balancing across multiple backend workers, defined in configuration files like workers.properties, where each worker represents a Tomcat instance with parameters for host, port, and balancing. Unlike standard HTTP proxying, AJP optimizes binary transmission of headers and reduces overhead for dynamic content like JSPs or servlets, with features including sticky sessions for stateful applications and a status worker for monitoring via /jkstatus. Configuration involves loading the module and mapping URIs via JkMount directives, such as JkMount /* worker1, enabling seamless integration for enterprise Java deployments. This module has evolved through versions up to 1.2.50 (August 2024).^[120][121] mod_passenger, released by Phusion in 2008, integrates Ruby on Rails, Python (via WSGI), and Node.js applications directly into Apache, streamlining deployment of dynamic web apps without separate application servers. It automates process management, including intelligent pooling and recycling of application instances to handle varying loads efficiently, and supports zero-downtime restarts for production reliability. Configuration requires loading the module with LoadModule passenger_module and setting PassengerRoot to the installation path, alongside application-specific directives like PassengerAppRoot and PassengerBaseURI within VirtualHost blocks to map Rails or Python apps to document roots. This module enhances content processing by interpreting application code on-the-fly, with options for concurrency control (e.g., PassengerMaxPoolSize) to balance resource usage, making it a preferred choice for Rails ecosystems as recommended by its creators for ease over traditional CGI or FastCGI setups. Compatible with Apache 2.4 as of 2025.^[122][123] mod_tile extends Apache for serving raster map tiles in OpenStreetMap projects, combining efficient caching with on-demand rendering via Mapnik to deliver geospatial content at scale. Developed as part of the OpenStreetMap ecosystem since 2007, it uses an Apache module to handle tile requests in formats like PNG, JPG, or WebP, storing metatiles (8x8 grids) for reduced disk I/O and implementing expiry mechanisms to refresh outdated tiles through a renderd daemon. The module integrates with PostgreSQL/PostGIS databases via osm2pgsql for data import, and renderd queues rendering jobs across multiple threads, achieving rates exceeding 10,000 tiles per second on optimized hardware. Configuration involves Apache directives like LoadModule tile_module and TileDir for cache paths, paired with renderd.conf for Mapnik stylesheets and priority queues, enabling dynamic proxy-like serving of vector-to-raster content without native Apache support for such protocols. This setup powers high-traffic mapping services by prioritizing low-latency delivery over exhaustive pre-rendering. Compatible with Apache 2.4 and actively maintained as of 2025.^[124][125]

Historical and Deprecated Modules

Modules from Apache 2.2 and Earlier

Apache HTTP Server version 2.2, released on December 1, 2005, introduced significant architectural improvements over prior versions, including a modular authentication and authorization system that split legacy modules for greater flexibility.^[126] This version supported a wide array of modules for core functionality, proxying, caching, and content handling, many of which originated from earlier releases like 2.0 and 1.3. However, as web technologies evolved, several 2.2 modules became legacy by the time of its end-of-life announcement in December 2017, with the final release (2.2.34) occurring on July 11, 2017.^[127] One prominent example of legacy restructuring in 2.2 was the handling of access control, where the older mod_access module—responsible for IP-based and host-based restrictions—was renamed and merged into mod_authz_host to align with the new provider-based authorization framework.^[128] Similarly, the monolithic mod_auth module, which managed basic authentication, was split into separate providers such as mod_auth_basic for HTTP Basic authentication encoding, mod_authn_file for file-based credential storage, mod_authz_user for user-level authorization, and mod_authz_groupfile for group-based checks.^[128] These changes allowed for more granular configuration but required updates from pre-2.2 configurations that relied on the unified mod_auth directives like AuthUserFile and AuthGroupFile.^[129] Caching in Apache 2.2 relied on mod_cache as the core module, supported by storage backends like mod_disk_cache for disk-based storage and mod_mem_cache for in-memory caching, but lacked the shared object cache (socache) provider introduced in later versions for distributed environments. This basic implementation enabled HTTP-compliant caching of local and proxied content but was limited to simpler scenarios without advanced shared memory mechanisms, often leading to configurations using external tools for cache cleanup via directives like CacheRoot and CacheDirLevels. For WebDAV support, mod_dav in 2.2 provided the foundational protocol handling, paired with mod_dav_fs as the filesystem provider and mod_dav_lock for generic locking, but early implementations in this version did not fully separate filesystem operations from lock management in a modular way, resulting in tighter coupling that could complicate custom backends. Administrators had to specify a shared lock database via DavLockDB, which risked concurrency issues in multi-process setups without additional tuning. The proxy capabilities in 2.2, handled by mod_proxy and its submodules like mod_proxy_http and mod_proxy_balancer, supported forward and reverse proxying for protocols including HTTP/1.1 and AJP but lacked support for HTTP/2, limiting it to single-connection-per-request models without multiplexing or header compression features. Load balancing was basic, relying on directives like BalancerMember without the advanced health checks or stickiness options available later. Many modules from 2.2 carried over to version 2.4 but were deprecated, with compatibility shims like mod_access_compat provided to emulate old directives such as Order, Allow, and Deny for smoother migrations.^[28] For instance, configurations using pre-2.2 access controls could load mod_access_compat to maintain backward compatibility, though the recommendation was to transition to the new Require directives in mod_authz_core and mod_authz_host. This ecosystem of 2.2 modules, totaling around 80 standard ones including core MPMs like prefork and worker, formed the backbone for deployments until its official end-of-life in 2018, after which security patches ceased.^[130]

Removed or Obsolete Modules in 2.4

In Apache HTTP Server 2.4, released on February 21, 2012, several modules from prior versions were removed or rendered obsolete as part of efforts to enhance modularity, particularly in authentication and caching systems.^[38] This restructuring separated authentication (who is the user) from authorization (what can the user do), building on changes initiated in version 2.2, and eliminated redundant or inefficient components.^[11] Obsolete modules are explicitly noted in the official migration documentation, with recommended alternatives to facilitate upgrades without loss of functionality.^[11] The module mod_auth_dbm, which handled both authentication and authorization using DBM files in earlier versions, was split starting in Apache 2.2 into mod_authn_dbm for user lookup and validation against DBM password files, and mod_authz_dbm for group-based access control. By 2.4, the original mod_auth_dbm is obsolete, as its combined functionality no longer aligns with the separated provider model; configurations must be migrated to the new modules, often in conjunction with mod_auth_basic or mod_auth_digest.^[131] Similarly, mod_auth_db, an older module for database-backed authentication from Apache 1.3 era, has been superseded by mod_authn_dbd, which integrates with mod_dbd to support SQL databases like MySQL or PostgreSQL for user credentials.^[19] This shift provides better scalability and security for database-driven environments, with mod_authn_dbd handling lookups via directives like AuthBasicProvider dbd.^[19] Other removed modules include mod_authn_default and mod_authz_default, which served as fallback providers in 2.2 but were eliminated in 2.4, with their roles absorbed into the core modules mod_authn_core and mod_authz_core.^[11] mod_mem_cache, a memory-based caching module, was also removed, replaced by the more robust mod_cache_disk for disk caching to avoid performance issues in large-scale deployments.^[11] For proxying, mod_proxy_balancer remains available but underwent significant refactoring in 2.4, with its legacy load-balancing methods (such as byrequests and bytraffic) extracted into dedicated submodules like mod_lbmethod_byrequests and mod_lbmethod_bytraffic.^[11] This allows selective loading for efficiency, though older configurations relying on integrated methods require updates to explicitly include the appropriate lbmethod modules.^[81] The mod_status module evolved in 2.4 with enhanced features, offering detailed metrics such as per-worker CPU usage, request rates, and busy/idle states when the ExtendedStatus On directive is configured.^[61] This enhancement supports better server monitoring, accessible via /server-status, and integrates with tools like the Balancer Manager for proxy health checks.^[61] Migration paths emphasize using mod_authz_core for legacy authorization directives, which were deprecated in favor of the flexible Require syntax (e.g., Require dbm-group for mod_authz_dbm equivalents).^[13] These changes, while requiring configuration adjustments, improve overall security and maintainability in 2.4 and later versions.^[11]