Could someone share some light and check if this is okay for apache httpd security/good standards? I'm using apache httpd to call my Node.js app that is running with Express and also configuring SSL.
apache2.conf:
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional sites-enabled/*.conf
Protocols h2 http/1.1
KeepAlive Off
<IfModule mpm_prefork_module>
StartServers 4
MinSpareServers 20
MaxSpareServers 40
MaxClients 200
MaxRequestsPerChild 4500
</IfModule>
ServerTokens Prod
ServerSignature Off
FileETag None
TraceEnable off
site-name.conf:
<VirtualHost *:80>
ServerName www.site-name.com
ProxyRequests Off
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://site-name.com
</VirtualHost>
site-name-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName site-name.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
ProxyRequests Off
SSLCertificateFile /etc/letsencrypt/live/site-name.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site-name.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPass /api http://site-name.com:3000/api
ProxyPassReverse /api http://site-name.com:3000/api
ProxyPass / http://site-name.com:4226/
ProxyPassReverse / http://site-name.com:4226/
</VirtualHost>
</IfModule>
