Changing Apache to a different TCP port makes room for another web service on 80 or 443, exposes a site on an internal-only or high port, or separates test traffic from the public listener. The chosen port is part of the URL clients connect to, so the site will appear unreachable if Apache and the published endpoint do not match.
Apache opens network sockets from the Listen directive, and the <VirtualHost> blocks are matched only after a request arrives on one of those address-and-port pairs. On Debian and Ubuntu packages, the active listeners are usually defined in /etc/apache2/ports.conf while site definitions under /etc/apache2/sites-available and /etc/apache2/sites-enabled must use the same port in their <VirtualHost *:PORT> lines.
A complete port change also requires matching firewall and load-balancer rules, and any HTTPS listener moved away from 443 should include the protocol on the Listen line, such as Listen 8443 https. Apache can apply many pure port changes with a restart, but the upstream documentation notes that overlapping old and new listeners such as Listen 127.0.0.1:80 to Listen 80 can require a full stop and start because the old socket stays bound during restart.
Steps to change the listen port for Apache:
- Open a terminal on the Apache host with an account that can use sudo.
- Locate the active Listen directives in the loaded Apache configuration.
$ sudo grep --recursive --line-number --extended-regexp '^[[:space:]]*Listen[[:space:]]+' /etc/apache2/ /etc/apache2/ports.conf:5:Listen 80 /etc/apache2/ports.conf:8: Listen 443 /etc/apache2/ports.conf:12: Listen 443
On RHEL-family systems, the listener is usually defined in /etc/httpd/conf/httpd.conf or an included file under /etc/httpd/conf.d/.
- Confirm that the new TCP port is not already in use.
$ sudo ss -H -ltn sport = :8080
No output means the port is currently free.
- Open the file that defines the Apache listeners.
$ sudoedit /etc/apache2/ports.conf
- Replace the existing Listen line with the new port number.
Listen 8080
Replace the old port instead of adding a second Listen line when the goal is to move the site rather than serve both ports.
If the HTTPS listener is moved off 443, use the protocol form such as Listen 8443 https so Apache treats the non-standard port as HTTPS.
- Find enabled <VirtualHost> blocks that still reference the old port.
$ sudo grep --dereference-recursive --line-number '<VirtualHost' /etc/apache2/sites-enabled/ /etc/apache2/sites-enabled/000-default.conf:1:<VirtualHost *:80>
- Edit each matching site definition so the <VirtualHost> port matches the new listener.
$ sudoedit /etc/apache2/sites-available/000-default.conf
<VirtualHost *:8080> ##### snipped ##### </VirtualHost>
Use the same new port in every enabled site that should answer on that listener, such as <VirtualHost *:8443> for a non-standard HTTPS port.
- Test the Apache configuration before replacing the live listener.
$ sudo apache2ctl configtest Syntax OK
Use sudo apachectl -t or sudo httpd -t on platforms that ship those control names instead.
Related: How to test Apache configuration
- Restart the Apache service to apply the new listener.
$ sudo systemctl restart apache2
A regular restart is a safe default for Listen changes, and it avoids restart edge cases where overlapping old and new listeners can block the new bind.
- Confirm that the Apache service is active after the restart.
$ sudo systemctl is-active apache2 active
On RHEL-family systems, the unit name is usually httpd.
- Allow inbound traffic to the new port in the active firewall if external clients must reach it.
$ sudo ufw allow 8080/tcp Rules updated Rules updated (v6)
If UFW is not managing the host, open the port in the active firewall, security group, or load balancer instead.
- Verify that Apache is listening on the new port.
$ sudo ss -H -ltn sport = :8080 LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
On SELinux enforcing hosts, allow the new port with semanage, for example sudo semanage port -a -t http_port_t -p tcp 8080.
- Confirm a successful HTTP response on the new port.
$ curl --silent --show-error --head http://127.0.0.1:8080/ HTTP/1.1 200 OK Date: Thu, 09 Apr 2026 14:37:02 GMT Server: Apache/2.4.58 (Ubuntu) Content-Type: text/html
Remote clients must include the new port in the URL, such as http://server.example.com:8080/.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
