We Keep Coding

Is there any way to further improve this security configuration of Apache 2 sever on Ubuntu?

I am setting up an Apache 2 server on Ubuntu.
Ubuntu Version: 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
Server version: Apache/2.4.41 (Ubuntu)
The web application "currently" does not accept upload nor runs any cgi script, nor does request or provide any authentication from any users, nor does have an sql database.
I would like to know if there is any additional directive to add to any of the following configuration files to improve further the security.
The files in their respective directories are:
# apache2.conf
# security.conf
# 000-default.conf
# example.com-ssl.conf
apache2.conf
# shm and runtimes directory
DefaultRuntimeDir ${APACHE_RUN_DIR}
# PidFile
PidFile ${APACHE_PID_FILE}
# Timeout
Timeout 300
# KeepAlive
KeepAlive On
# MaxKeepAliveRequests
MaxKeepAliveRequests 100
# KeepAliveTimeout
KeepAliveTimeout 5
# Added by me for better caching performance
<FilesMatch "\.(html|css|gif|jpg|jpeg|js|png|svg|webp)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# Added by me to hide last modified and just use the e-tag
Header unset Last-Modified
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# HostnameLookups
HostnameLookups Off
# ErrorLog
ErrorLog ${APACHE_LOG_DIR}/error.log
# LogLevel
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default direct sec
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#AccessFileName .htaccess
# The following lines prevent .htaccess and .htpasswd access
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# The format directories
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
security.conf
# ServerTokens
ServerTokens Prod
# Server Signature
ServerSignature Off
# Allow TRACE
TraceEnable Off
# Header X content
Header set X-Content-Type-Options: "nosniff"
# Header X frame
Header set X-Frame-Options: "sameorigin"
000-default.conf
<VirtualHost *:80>
# Server Name
ServerName example.com
# Server Alias
ServerAlias www.example.com
# Server Admin
ServerAdmin admin#example.com
# Document root directory
DocumentRoot /var/www/html
# Redirect all http traffic
Redirect permanent / https://example.com
# logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# No CGI allowed for the time being.
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
example.com-ssl.conf
<VirtualHost *:443>
# Https 2
Protocols h2 http/1.1
# Sever Name
ServerName example.com
# Server Alias
ServerAlias www.example.com
# Server Admin
ServerAdmin admin#example.com
# Document root directory
DocumentRoot /var/www/html
# SSL
SSLEngine on
SSLCertificateFile /etc/ssl/example.com.crt
SSLCertificateKeyFile /etc/ssl/example.com.key
SSLCertificateChainFile /etc/ssl/example.com.ca-bundle
# Logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# No CGI allowed for the time being
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
Here after is also the list of apache 2 module which are currently enabled:
access_compat.load
alias.conf
alias.load
auth_basic.load
authn_core.load
authn_file.load
authz_core.load
authz_host.load
authz_user.load
autoindex.conf
autoindex.load
deflate.conf
deflate.load
dir.conf
dir.load
env.load
filter.load
headers.load
http2.conf
http2.load
mime.conf
mime.load
mpm_event.conf
mpm_event.load
negotiation.conf
negotiation.load
reqtimeout.conf
reqtimeout.load
rewrite.load
setenvif.conf
setenvif.load
socache_shmcb.load
ssl.conf
ssl.load
status.conf
status.load
Is there any way to further improve the directives?
FYI: I still did not tackle the DOS and DDOS attack as well as still did not create a separate user (Other then root), as well as did not enabled the UFW.

Apache stopping all servers when one has a problem

I am relatively new to Apache and am having a problem where all virutal servers are being stopped when one of them has a problem. We had a problem which brought down our backend service (testing.my-domain-name.ch) for testing and caused a 502 error, and apache delivered that same error for our production facility (www.my-domain-name.ch), even though it was still running (verified by using a wget).
My httpd.conf file looks like:
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Listen 0.0.0.0:80
Include conf.modules.d/*.conf # Everything in conf.d is at default values
User apache
Group apache
ServerAdmin root#localhost
ServerName test.my-domain-name.ch:80
UseCanonicalName Off
#
<Directory />
Options FollowSymLinks
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf # Everything in conf.d is at default values
<VirtualHost *:80>
ServerName my-domain-name.ch
Redirect permanent / https://www.my-domain-name.ch/
</VirtualHost>
<VirtualHost *:80>
ServerName production.my-domain-name.ch
ServerAlias www.my-domain-name.ch
DocumentRoot /var/www/node/prod/production
SSLProxyEngine on
ProxyPass /account/ https://www.account-server.com/account/ retry=1
ProxyPassReverse /account/ https://www.account-server.com/account/
ProxyPass /oauth2/ https://www.account-server.com/oauth2/ retry=1
ProxyPassReverse /oauth2/ https://www.account-server.com/oauth2/
ProxyPass / http://localhost:3001/ retry=1 Keepalive=on
ProxyPassReverse / http://localhost:3001/
CustomLog logs/access_log_production "%v %h %l %u %t \"%r\" %>s %b production"
<Directory /var/www/node/prod/production>
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName test.my-domain-name.ch
DocumentRoot /var/www/node/test/testing
SSLProxyEngine on
ProxyPass /account/ https://www.account-server.com/account/ retry=1
ProxyPassReverse /account/ https://www.account-server.com/account/
ProxyPass /oauth2/ https://www.account-server.com/oauth2/ retry=1
ProxyPassReverse /oauth2/ https://www.account-server.com/oauth2/
ProxyPass / http://localhost:3000/ retry=1 Keepalive=on
ProxyPassReverse / http://localhost:3000/
CustomLog logs/access_log_staging "%v %h %l %u %t \"%r\" %>s %b staging"
<Directory /var/www/node/test/testing>
AllowOverride All
</Directory>
</VirtualHost>
The error message that I am getting is:
[Mon Sep 07 11:47:35.784583 2020] [proxy_http:error] [pid 46205] [client 10.19.65.68:44942] AH01114: HTTP: failed to make connection to backend: localhost
[Mon Sep 07 11:47:46.049988 2020] [proxy:error] [pid 46206] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (localhost) failed
Can anybod help me understand how to configure things where when one virtual host goes down, it doesn't bring down the others?
Many thanks in advance.

Nic3500 - thank you for your answer:
You cannot, as long as you have all the configuration in the same files, running under the same process. If you want to have a test setup, it should be under a separate Apache configuration. You can run two instances with different configurations on the same machine, as long as you do not use the same port for both. Or setup a VM into which you can put your test configuration (or docker, or ...). You could run apache -t to check your configuration before restarting it.

Apache serving name-based virtual Host from server hostname (but shouldn't be)

I have an Apache httpd server (2.4.6) running on Centos, serving several Name-based virtual hosts. The fqdn / hostname of the server should be serving no content, but it redirects to one of the Name-based virtual hosts and I don't understand why, or how to stop it.
In the configs below, a request to http://host.mydomain.org/ is redirected to http://www.customer.co.uk/.
Any ideas as to why, and the right way to stop it appretiated.
My httpd.conf is:
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root#xxx.org
ServerName host.mydomain.org:80
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all denied
</Directory>
<Directory "/var/www/html">
Options None
AllowOverride None
Require all denied
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all denied
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset ISO-8859-1
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
TraceEnable Off
ServerTokens Prod
IncludeOptional conf.d/*.conf
An example virtual host is:
<VirtualHost *:80>
DocumentRoot /home/xxx/customer/docs
ServerName www.customer.co.uk
ErrorLog /home/xxx/customer/logs/error_log
CustomLog /home/xxx/customer/logs/access_log combined
<Directory /home/xxx/customer/docs>
AllowOverride None
Options None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName customer.co.uk
Redirect permanent / http://www.customer.co.uk/
</VirtualHost>
<VirtualHost *:80>
ServerName www.customer.mydomain.org
Redirect permanent / http://www.customer.co.uk/
</VirtualHost>
Thanks very much
Kevin

The first VirtualHost in the configuration file has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName or ServerAlias directives, it will be served by this first <VirtualHost>.
You can prevent this by adding this (for example) as the first VirtualHost:
<VirtualHost *:80>
ServerName default
RewriteEngine On
RewriteRule ^ - [F]
</VirtualHost>

How to add a second site in httpd.conf

I'm using the following configuration of httpd.conf in my CentOs 7 Apache server to run "site1":
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root#localhost
ServerName locahost:80
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html/site1"
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html/site1">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
When I access "http://localhost", site1 and its subpages/subfolders work correctly.
I want now to be able to display a second website: when accessing "http://localhost/site2", I want to display the content of a file "test.html" saved under "/test"; how should I edit the httpd.conf to make it work?

that's not a different site, it is a different directory. A different site would involve a different hostname.
Since you already have DocumentRoot "/var/www/html/site1 and you don't seem to want to create a new virtualhost you can point to a new/different directory with Alias
Also you just want site2 to load test.html under /test/ If I understood correctly when visited, just add the proper DirectoryIndex directive to it.
Here it is:
Alias /site2 /var/www/html/site2
<Directory /var/www/html/site2>
DirectoryIndex /test/test.html
</Directory>
For this to work you need these two modules:
mod_alias
mod_dir (but you may already have this one as you are already using DirectoryIndex directive)
You could also mkdir site2 under site1 but, this may look cleaner.

Apache not recognizing directories other than root

When trying to load anything other than www.example.com (for example, www.example.com/something), I get an error from apache indicating that 'the requested URL /something was not found on this server'.
Any ideas on what the issue may be?
I'm running a laravel app on Digital Ocean - LAMP/Ubuntu.
My apache2.conf file (stripped of comments):
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
RewriteEngine On
RewriteBase /var/www/html/scheduleify/app/public
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
Include /etc/phpmyadmin/apache.conf
EDIT: Also the sites-enabled conf file:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/scheduleify/public
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Apache is a web server -- its main job is to serve files to the web. If it's telling you there's no file at
http://example.com/foo/baz/bar
then there's no file there. It's working as it should
Laravel is a PHP application that works by running the file index.php. If
http://example.com/
http://example.com/index.php
is rendering correctly via Laravel, that means Laravel is working.
In order to make URLs like
http://example.com/foo/baz/bar
render via Laravel, Laravel includes a .htaccess file in the public folder that redirects most if not all all URLs to index.php. It's this .htaccess file that's responsible for turning
http://example.com/foo/baz/bar
into
http://example.com/index.php/foo/baz/bar
In a working system this happens behind the scenes. i.e. from a user looking at their browser point of view, the URL remains http://example.com/foo/baz/bar
If URLs in the second form are rendering on your server, then it's almost certainly an .htaccess issue. In whichever <Directory node you're configuring your webroot, you want something like this
AllowOverride All
This tells Apache "hey, let the user use a .htaccess file to reconfigure everything you can configure from an .htaccess file. You can find more information about AllowOverride on the apache docs site.