6.24. Running a Minimal Module Set

Problem

You want to eliminate all modules that you don’t need in order to reduce the potential exposure to security holes. What modules do you really need?

Solution

For Apache 1.3, you can run a bare-bones server with just three modules (actually, you can get away with not running any modules at all, but it is not recommended):

% ./configure --disable-module=all --enable-module=dir \
> --enable-module=mime --enable-module=log_config

For Apache 2.x, this is slightly more complicated, as you must individually disable modules you don’t want:

% ./configure --disable-access \
> --disable-auth --disable-charset-lite \
> --disable-include --disable-log-config --disable-env --disable-setenvif \
> --disable-mime --disable-status --disable-autoindex --disable-asis \
> --disable-cgid --disable-cgi --disable-negotiation --disable-dir \
> --disable-imap --disable-actions --disable-alias --disable-userdir

Note that with 2.x, as with 1.3, you may wish to keep mod_dir, mod_mime, and mod_log_config enabled. To do so, simply leave their options (--disable-dir, --disable-mime, and --disable-log-config) off this listing.
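To check that a finished build contains only the modules you meant to keep, compare the output of httpd -l (which lists the compiled-in modules) against an allowlist. The script below is an added example, not code from the book; the function names, the core entries in ALLOWED, and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `httpd -l` output against a module allowlist.

# The three modules the recipe keeps, plus core entries that are normally
# always compiled in. The core entries are an assumption; adjust them for
# your Apache version and MPM.
ALLOWED="mod_dir.c mod_mime.c mod_log_config.c core.c http_core.c mod_so.c prefork.c worker.c"

# Read `httpd -l` style output on stdin and print every compiled-in
# module that is not on the allowlist, one per line.
unexpected_modules() {
    while read -r mod _rest; do
        case "$mod" in
            *.c) ;;          # module lines look like "  mod_dir.c"
            *) continue ;;   # skip the header line and blank lines
        esac
        case " $ALLOWED " in
            *" $mod "*) ;;                # allowed, say nothing
            *) printf '%s\n' "$mod" ;;    # not allowed, report it
        esac
    done
}

# Constructed sample shaped like `httpd -l` output from a build that
# still carries three modules the recipe disables.
sample_httpd_l() {
    cat <<'EOF'
Compiled in modules:
  core.c
  mod_log_config.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_dir.c
  mod_userdir.c
  http_core.c
  prefork.c
EOF
}

# Against a real server: httpd -l | unexpected_modules
# (the binary may be named apache2 or live outside PATH on your system)
sample_httpd_l | unexpected_modules
```

Empty output means nothing unexpected is compiled in. Modules loaded as shared objects with LoadModule do not appear in httpd -l, so review the configuration file for those separately.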

Discussion

A frequent security recommendation is that you eliminate everything that you don’t need; if you don’t need something and don’t use it, then you are likely to overlook security announcements about it or forget to configure it securely. The question that is less frequently answered is exactly what you do and don’t need.

A number of Apache package distributions come with everything enabled, and people end up running modules ...
