
Installing SSL on Apache: SSLCertificateFile and mod_ssl Configuration

25.07.2035

Apache HTTP Server is one of the oldest and most widespread web servers in the world, powering millions of sites. SSL installation on Apache uses the mod_ssl module and requires slightly more verbose syntax than Nginx. The main advantage of Apache is the ability to configure settings per directory via .htaccess, which is especially valuable in shared hosting. The Sayt.uz technical team works with Apache daily and recommends battle-tested configurations.

Enabling the mod_ssl module

On Debian and Ubuntu servers the mod_ssl module is enabled with a2enmod ssl, then Apache must be restarted with systemctl restart apache2. You can verify the module is loaded with apache2ctl -M filtered by grep ssl. On CentOS and RHEL the module is installed separately via yum install mod_ssl or dnf install mod_ssl and is activated automatically. After activation, port 443 opens and Apache starts accepting encrypted connections.

Configuring the virtual host

The virtual host configuration file is typically located at /etc/apache2/sites-available/example.com-ssl.conf and starts with a VirtualHost tag for port 443. Inside the block specify SSLEngine on, then the certificate file paths: SSLCertificateFile for fullchain.pem and SSLCertificateKeyFile for privkey.pem. In older Apache versions before 2.4.7 you had to specify a CA Bundle separately via SSLCertificateChainFile, but modern versions handle this through fullchain.pem alone.

Redirecting HTTP to HTTPS

In the port 80 virtual host block add Redirect permanent / https://example.com/ and all HTTP traffic will be redirected to the secure version. This makes the site safe for all users and helps Google index only the HTTPS version. An alternative is mod_rewrite with RewriteEngine On and RewriteCond %{HTTPS} off, which gives more flexibility for individual URLs.

Modern encryption settings

To disable obsolete TLS 1.0 and 1.1, add SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 to ssl.conf, leaving only TLS 1.2 and 1.3. Configure SSLCipherSuite based on the Mozilla Modern profile for maximum security. SSLHonorCipherOrder on enforces server-side cipher order and protects against BEAST attacks. To enable OCSP Stapling add SSLUseStapling on and SSLStaplingCache shmcb:/var/run/ocsp(128000).
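
The steps above assembled into one site file, as an added example rather than configuration from the original article. The DocumentRoot, the Let's Encrypt-style certificate directory and the TLS 1.2 cipher list are assumptions; example.com and the stapling cache path are the article's own.

```apache
# /etc/apache2/sites-available/example.com-ssl.conf (added example)

# Server-level directive: SSLStaplingCache is only valid outside
# <VirtualHost>; placing it inside one is a syntax error at startup.
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"

<VirtualHost *:80>
    ServerName example.com
    # Fixed target host, so the redirect never depends on the Host header
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com          # assumed path

    SSLEngine on
    # fullchain.pem = leaf certificate followed by the intermediates,
    # so no separate SSLCertificateChainFile is needed
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Leaves only TLS 1.2 and TLS 1.3 enabled
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
    # Assumed list; take the current one from the Mozilla generator.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Needs the SSLStaplingCache defined at server level above
    SSLUseStapling on
</VirtualHost>
```

Run apache2ctl configtest before restarting, so a misplaced directive or an unreadable key file is reported while the old configuration is still serving traffic.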

Sayt.uz practice

Twenty-eight percent of Sayt.uz infrastructure runs on Apache, and we use this configuration by default for cPanel hosting. Every server ships with TLS 1.3, OCSP Stapling and HSTS preconfigured, requiring no client action. SSL migration is a free service and our technical team brings existing Apache configurations to optimal state in about two hours. On shared hosting SSL is installed automatically and maintained for 25,000 soum per month.
