Here are some of the things I used to set up and harden Apache, with both performance and security in mind.
This serves as a brain dump and hopefully it helps you.
Set ServerTokens from the default "Full" to "Prod" so that the Server response header reveals only "Apache" and not the version, operating system or loaded modules.
Leave ServerSignature at its default "Off" so that server-generated pages (error pages, directory listings) carry no footer with the version and virtual host name.
Leave KeepAlive at its default "On" so that persistent HTTP connections are allowed and multiple requests can be sent over the same TCP connection.
Set AllowOverride from "All" (the default in Apache 2.2 and earlier; 2.4 already defaults to "None") to "None" so that users cannot drop .htaccess files into the document tree and override the server's security settings.
Comment out ScriptAlias to disable the cgi-bin directory. If CGI is genuinely required, prefer a "Directory" block with "SetHandler cgi-script" and "Options +ExecCGI" scoped to just that one directory.
Add "%D" (time taken to serve the request, in microseconds) to the LogFormat. It is useful during troubleshooting and for spotting unusually slow requests.
Compile mod_ssl statically into the Apache core rather than loading it as a DSO. This is mostly for performance, since nowadays most traffic is served over HTTPS.
For at least a minimum level of control over Apache, enable modules such as "mod_authz_host" for host-based access control, "mod_dir" for directory index handling and "mod_rewrite" for filtering rogue requests.
Restrict the addresses and ports Apache listens on (the "Listen" directive), binding to the specific interface that should serve traffic rather than every address on the host.
Use a group or distribution email address for "ServerAdmin" rather than an individual's.
Set "Timeout" so the server fails a request after waiting the given number of seconds for I/O. The default is 300 seconds in Apache 2.2 (60 in 2.4); lower it to limit how long a slow client can hold a worker.
Limit the number of requests allowed per connection ("MaxKeepAliveRequests") when KeepAlive is on. The default is 100.
Limit how long the server waits for the next request on a persistent connection ("KeepAliveTimeout") before closing it. The default is 15 seconds in Apache 2.2 (5 in 2.4). This setting directly affects how many workers idle clients can tie up.
Enable "mod_deflate" for better throughput, especially in high-volume web services.
To enable compression of outgoing traffic within a "VirtualHost" or "Location" block, add:
SetOutputFilter DEFLATE
Set TraceEnable to "off" to disable the HTTP TRACE method (used in cross-site tracing).
Configure SSLCipherSuite to allow only strong ciphers. Be careful with the OpenSSL cipher-string syntax: in a string such as SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH the "+" prefix does not prefer the HIGH ciphers, it moves them to the end of the list, so the weaker ciphers that remain are offered first. A whitelist such as SSLCipherSuite HIGH:!aNULL:!MD5 is simpler and safer, and set SSLHonorCipherOrder On so the server's ordering takes precedence over the client's.
Also set SSLProtocol all -SSLv2 to disable SSL version 2. SSLv3 should be disabled as well (SSLProtocol all -SSLv2 -SSLv3), since it is broken by the POODLE attack.
Remove the contents of cgi-bin, htdocs, icons, and the conf/extra and conf/original directories if they are not required.
If you want to hide and mask Apache's identity further (ServerTokens Prod still advertises "Apache"), edit ap_release.h before building from source and set the following. This only takes effect on a rebuild, not on a packaged binary.
#define AP_SERVER_BASEVENDOR "Restricted Server"
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
Remove the default welcome page if it exists.
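Pulling the directives above into one place, here is an added example of a hardened httpd.conf fragment written for this page; it is not the author's own configuration. It uses Apache 2.4 syntax ("Require"), and the listen address 192.0.2.10, the example.com names, the /srv/www and /etc/apache2/ssl paths and the log file name are placeholders chosen for the example. It assumes mod_ssl, mod_deflate, mod_setenvif, mod_authz_core and mod_log_config are available.

```apache
# Added example: hardened httpd.conf fragment collecting the settings above.
# Addresses, host names and paths are placeholders for this example.

# Bind only the interface that should serve traffic, not every address.
Listen 192.0.2.10:80
Listen 192.0.2.10:443

# A shared mailbox, not an individual.
ServerAdmin webmaster@example.com

# Reduce what the Server header and generated pages reveal.
ServerTokens Prod
ServerSignature Off
TraceEnable off

# Connection handling: cap how long a single client can hold a worker.
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

# Combined log format plus service time in microseconds (%D).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_timed
CustomLog logs/access_log combined_timed

# Deny everything by default and forbid .htaccess overrides anywhere.
<Directory />
    AllowOverride None
    Options None
    Require all denied
</Directory>

# Document root: no overrides, no directory listings, no symlink following.
<Directory "/srv/www/htdocs">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# cgi-bin is disabled: the ScriptAlias stays commented out.
# ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
# If CGI is genuinely needed, enable it for exactly one directory instead:
# <Directory "/srv/www/app/cgi">
#     SetHandler cgi-script
#     Options +ExecCGI
#     AllowOverride None
#     Require all granted
# </Directory>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot "/srv/www/htdocs"

    SSLEngine on
    SSLCertificateFile    "/etc/apache2/ssl/www.example.com.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/www.example.com.key"

    # No SSLv2 or SSLv3; strong ciphers only, with the server's order preferred.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder On

    # Compress responses; skip content that is already compressed.
    <Location />
        SetOutputFilter DEFLATE
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|gz)$ no-gzip
    </Location>
</VirtualHost>
```

Run "apachectl configtest" (or "httpd -t") after dropping this in; the placeholder certificate paths must exist or mod_ssl will refuse to start. On Apache 2.2 replace each "Require all ..." line with the equivalent "Order"/"Allow"/"Deny" directives.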