Apache HTTP Server powers a significant portion of websites worldwide, handling everything from personal blogs to enterprise applications. If you run Apache on Debian and want access to the latest features, security patches, and performance improvements before they reach the default repositories, you can upgrade to a newer version using Ondřej Surý’s third-party repository. By the end of this guide, you will have the latest Apache release installed, verified, and configured with proper firewall rules.
This guide covers adding the Surý Apache repository using the modern DEB822 format, upgrading Apache, verifying the installation source, and configuring UFW firewall rules. Additionally, you will learn how to update Apache from the third-party repository and how to revert to Debian’s default version if needed.
Choose Your Apache Installation Method
Before proceeding, consider whether you need the third-party repository. Debian’s default repositories provide stable, security-patched Apache versions that work well for most production environments.
| Method | Channel | Version | Updates | Best For |
|---|---|---|---|---|
| Default Repositories | Debian Repos | Stable (security-patched) | Automatic via apt upgrade | Production servers prioritizing stability |
| Surý Repository | packages.sury.org | Latest upstream | Automatic via apt upgrade | Users needing newest features or modules |
We recommend the default repository for most production servers because it receives Debian security team patches and integrates seamlessly with system updates. Only use the Surý repository if you specifically need features unavailable in your Debian version’s default Apache package.
Update Debian Before Apache Upgrade
Before adding any third-party repository, ensure your system packages are current. This prevents dependency conflicts and ensures compatibility with the new Apache version. First, refresh your package index:
sudo apt update
Next, upgrade all installed packages to their latest versions:
sudo apt upgrade
Add the Surý Apache Repository
Ondřej Surý maintains a well-known third-party repository that provides updated Apache packages for Debian. This section walks through adding the repository using the modern DEB822 .sources format, which offers clearer syntax and better maintainability than legacy .list files.
Install Prerequisite Packages
First, install the packages required for downloading and verifying the repository signature:
sudo apt install ca-certificates curl gnupg lsb-release -y
These packages provide SSL certificate validation (ca-certificates), file downloading (curl), GPG key handling (gnupg), and release detection (lsb-release) needed to securely add external repositories.
Import the GPG Signing Key
Next, download and install the Surý repository keyring package, which places the GPG key in the correct location:
curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
sudo dpkg -i /tmp/debsuryorg-archive-keyring.deb
This installs the debsuryorg-archive-keyring package, which manages the GPG key at /usr/share/keyrings/debsuryorg-archive-keyring.gpg.
Create the Repository Configuration
Then, add the Apache repository using the DEB822 .sources format:
cat <<EOF | sudo tee /etc/apt/sources.list.d/apache2-sury.sources
Types: deb
URIs: https://packages.sury.org/apache2/
Suites: $(lsb_release -cs)
Components: main
Architectures: $(dpkg --print-architecture)
Signed-By: /usr/share/keyrings/debsuryorg-archive-keyring.gpg
EOF
This guide uses DEB822 .sources files for third-party repositories to keep APT configuration consistent and readable. For format details, see the DEB822 format reference.
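The stanza above fetches over HTTPS and ties the repository to its own keyring with Signed-By. As an added example (not part of the original guide), this shell function audits a .sources file for those two properties; the function names and the two sample files, with a fixed bookworm/amd64, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit DEB822 .sources stanzas.

# audit_sources FILE: print one finding per problem; return 1 if any found.
audit_sources() {
    awk '
        function check(   m, k, u) {
            if (!seen) return
            m = split(uris, u, /[ \t]+/)
            if (m == 0) { print "stanza " n ": no URIs field"; bad = 1 }
            for (k = 1; k <= m; k++)
                if (u[k] !~ /^https:\/\//) { print "stanza " n ": non-HTTPS URI " u[k]; bad = 1 }
            if (signed == "") { print "stanza " n ": no Signed-By, key is not scoped to this repo"; bad = 1 }
            seen = 0; uris = ""; signed = ""
        }
        /^[ \t]*$/ { check(); next }      # blank line closes a stanza
        /^[# \t]/  { next }               # comment or continuation line
        {
            if (!seen) { seen = 1; n++ }
            c = index($0, ":")
            key = tolower(substr($0, 1, c - 1))   # field names are case-insensitive
            val = substr($0, c + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "uris")      uris = val
            if (key == "signed-by") signed = val
        }
        END { check(); exit bad + 0 }
    ' "$1"
}

# make_samples DIR: write two constructed files (values are illustrative).
make_samples() {
    cat > "$1/good.sources" <<'EOF'
Types: deb
URIs: https://packages.sury.org/apache2/
Suites: bookworm
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/debsuryorg-archive-keyring.gpg
EOF
    cat > "$1/bad.sources" <<'EOF'
Types: deb
URIs: http://packages.sury.org/apache2/
Suites: bookworm
Components: main
EOF
}
```

On a live system, call audit_sources on each .sources file under /etc/apt/sources.list.d/ and treat a non-zero return as a finding to review.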
Update the Package Index
After adding the repository, refresh your package cache so APT recognizes the new source:
sudo apt update
The output should include a line showing the Surý repository was fetched successfully:
Get:x https://packages.sury.org/apache2 [your-release] InRelease [xxxx B]
Get:x https://packages.sury.org/apache2 [your-release]/main amd64 Packages [xxxx B]
Upgrade Apache
With the repository configured, install or upgrade Apache. Running the install command updates an existing installation to the latest version from the Surý repository:
sudo apt install apache2
During this process, APT automatically resolves dependencies and upgrades Apache along with its related modules.
Verify Apache Installation Source and Version
After installation, confirm that Apache is running from the Surý repository rather than the default Debian repositories. The apt-cache policy command shows which repository provides the installed package:
apt-cache policy apache2
Expected output confirming the Surý repository as the source:
apache2:
  Installed: 2.4.x-1+0~20xxxxxx.xx+debianXX~1.gbpxxxxxx
  Candidate: 2.4.x-1+0~20xxxxxx.xx+debianXX~1.gbpxxxxxx
  Version table:
 *** 2.4.x-1+0~20xxxxxx.xx+debianXX~1.gbpxxxxxx 500
        500 https://packages.sury.org/apache2 [your-release]/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.x-x 500
        500 http://deb.debian.org/debian [your-release]/main amd64 Packages
The version numbers and release names are placeholders. Your output will show the actual version and your Debian release codename (bullseye, bookworm, or trixie).
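The source check above can be scripted, for example to confirm the origin after an upgrade or after reverting. This is an added example, not part of the original guide: the function names are hypothetical and the sample policy output, including its version strings, is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): confirm which repository provides the
# installed version by parsing `apt-cache policy` output.

# installed_origins: read policy output on stdin, print the repository URLs
# listed under the installed (***) version. /var/lib/dpkg/status is skipped.
installed_origins() {
    awk '
        $1 == "***"              { cur = 1; next }   # installed version line
        cur && $1 ~ /^-?[0-9]+$/ { if ($2 ~ /^[a-z]+:\/\//) print $2; next }
        cur                      { cur = 0 }         # next version entry
    '
}

# installed_only_from HOST: succeed only if every origin of the installed
# version is on HOST (fails if no repository offers the installed version).
installed_only_from() {
    origins=$(installed_origins)
    [ -n "$origins" ] || return 1
    printf '%s\n' "$origins" | awk -v h="$1" '
        { split($0, p, "/"); if (p[3] != h) bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample output; version strings are made up for illustration.
sample_policy() {
    cat <<'EOF'
apache2:
  Installed: 2.4.99-1+0~20250101.1+debian12~1.gbp000000
  Candidate: 2.4.99-1+0~20250101.1+debian12~1.gbp000000
  Version table:
 *** 2.4.99-1+0~20250101.1+debian12~1.gbp000000 500
        500 https://packages.sury.org/apache2 bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.0-0 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
EOF
}
```

On a real host, pipe the live output in: `apt-cache policy apache2 | installed_only_from packages.sury.org`.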
Additionally, you can verify the Apache version directly:
apache2 -v
Expected output:
Server version: Apache/2.4.x (Debian)
Server built: 20xx-xx-xxTxx:xx:xx
Check Apache Service Status
After upgrading, verify that Apache is running correctly using systemctl:
systemctl status apache2
Expected output showing the service is active:
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Xxx 20xx-xx-xx xx:xx:xx UTC; xh ago
Docs: https://httpd.apache.org/docs/2.4/
Main PID: xxxx (apache2)
Tasks: x (limit: xxxx)
Memory: xxM
CPU: xxxms
CGroup: /system.slice/apache2.service
├─xxxx /usr/sbin/apache2 -k start
└─xxxx /usr/sbin/apache2 -k start
If Apache is not running, start it manually:
sudo systemctl start apache2
To ensure Apache starts automatically on boot:
sudo systemctl enable apache2
Configure UFW Firewall for Apache
If you use UFW (Uncomplicated Firewall) on your Debian system, you need to allow web traffic through the firewall. Apache automatically registers application profiles with UFW during installation, making configuration straightforward.
Install and Enable UFW
If UFW is not installed on your system, install it first:
sudo apt install ufw
Critical: If you are connected via SSH, allow SSH access before enabling UFW to prevent lockout:
sudo ufw allow ssh
After ensuring SSH access is allowed, enable UFW:
sudo ufw enable
View Apache UFW Profiles
List the available Apache application profiles:
sudo ufw app list
You will see three Apache-related profiles:
- Apache: Opens port 80 (HTTP only)
- Apache Secure: Opens port 443 (HTTPS only)
- Apache Full: Opens both ports 80 and 443
Allow Apache Traffic
For a server without SSL configured yet, allow HTTP traffic:
sudo ufw allow 'Apache'
Alternatively, for servers with SSL certificates, use the full profile instead:
sudo ufw allow 'Apache Full'
Finally, verify the firewall rules are active:
sudo ufw status numbered
Expected output showing Apache rules:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Apache ALLOW IN Anywhere
[ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 4] Apache (v6) ALLOW IN Anywhere (v6)
For a complete guide on firewall configuration, see our UFW installation guide for Debian.
Manage Apache Updates
With the Surý repository configured, Apache updates arrive through the standard APT upgrade process. To update only Apache without upgrading other packages, use the --only-upgrade flag:
sudo apt update
sudo apt install --only-upgrade apache2
The --only-upgrade flag ensures APT upgrades only the named package without installing it if it is missing or upgrading unrelated packages.
Troubleshooting Apache Issues
Apache Fails to Start After Upgrade
If Apache fails to start after upgrading, check the error log for details:
sudo journalctl -xeu apache2
For example, a common error is a port conflict:
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
This means another service is using port 80. Find the conflicting process using lsof (install it first if needed):
sudo apt install lsof -y
sudo lsof -i :80
Example output showing Nginx is using the port:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 1234 root 6u IPv4 12345 0t0 TCP *:http (LISTEN)
Once identified, stop the conflicting service and then start Apache:
sudo systemctl stop nginx
sudo systemctl start apache2
Configuration Syntax Errors
Before restarting Apache, always test your configuration for syntax errors:
sudo apachectl configtest
Expected output for valid configuration:
Syntax OK
However, if errors appear, the output indicates the file and line number containing the problem. In that case, fix the configuration and test again before restarting.
Module Loading Issues
After upgrading, some modules may need to be re-enabled. List currently enabled modules:
apache2ctl -M
To enable a missing module (for example, rewrite), run:
sudo a2enmod rewrite
sudo systemctl restart apache2
Remove the Surý Repository and Revert to Default Apache
If you need to revert to Debian’s default Apache version, follow these steps to remove the Surý repository and reinstall from the official repositories.
First, stop the Apache service:
sudo systemctl stop apache2
Next, remove the installed Apache packages:
sudo apt remove --purge apache2 'apache2-*' -y
sudo apt autoremove -y
The autoremove command cleans up orphaned dependencies that were installed with Apache.
Then, remove the repository configuration file:
sudo rm /etc/apt/sources.list.d/apache2-sury.sources
Also, remove the GPG keyring package:
sudo apt remove --purge debsuryorg-archive-keyring -y
Afterward, refresh the package index to clear cached repository data:
sudo apt update
At this point, verify that the Surý repository is no longer available:
apt-cache policy apache2
Expected output showing only the default Debian repository:
apache2:
  Installed: (none)
  Candidate: 2.4.x-x
  Version table:
     2.4.x-x 500
        500 http://deb.debian.org/debian [your-release]/main amd64 Packages
Finally, reinstall Apache from the default repositories:
sudo apt install apache2
Further Reading and Resources
Explore these related guides to enhance your Apache deployment on Debian:
- Install Apache on Debian: Complete installation guide for setting up Apache from scratch.
- Secure Apache with Let’s Encrypt on Debian: Add free SSL certificates to your Apache server.
- Install ModSecurity with Apache on Debian: Add web application firewall protection.
- Install WordPress with Apache on Debian: Deploy WordPress on your Apache server.
For official Apache documentation and changelog information, visit the Apache HTTP Server Documentation and the Surý Apache repository.
Conclusion
You now have Apache upgraded to the latest version from the Surý repository, with proper verification and firewall configuration. The DEB822 repository format ensures clean APT configuration, while the update commands keep your installation current. If you encounter compatibility issues, the removal section provides a clear path back to Debian’s default Apache packages without residual configuration files.
This doesn’t work. The 2nd command:
curl -sSL https://packages.sury.org/apache2/README.txt | bash -x
results in:
dpkg: warning: ‘ldconfig’ not found in PATH or not executable
dpkg: warning: ‘start-stop-daemon’ not found in PATH or not executable
dpkg: error: 2 expected programs not found in PATH or not executable
Thanks for reporting this, brian. You encountered a known issue with the old installation method. The previous guide piped the Sury README.txt script through bash, which ran into PATH limitations in certain environments where /sbin was not included, preventing ldconfig and start-stop-daemon from being found.
The article has been completely rewritten since your July comment. Instead of piping scripts, the guide now uses explicit commands to add the Sury repository using the modern DEB822 format:
This approach avoids the PATH issues you encountered and provides better control over what gets installed. Thanks for catching this. The feedback helped drive the rewrite to safer, more explicit installation steps.