Which Apache modules are safe to disable?

Solution 1:

Here is a webpage which details which Apache modules can be safely removed. He considers the most common use cases but you should always check afterwards and reenable what you do need:

This is the list of modules that the author left enabled:

core_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
mpm_event_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
authn_file_module (shared)
authz_host_module (shared)
authz_user_module (shared)
expires_module (shared)
deflate_module (shared)
headers_module (shared)
dir_module (shared)
mime_module (shared)
setenvif_module (shared)
rewrite_module (shared)
proxy_module (shared)
proxy_fcgi_module (shared)

The page contains details for CentOS and also Ubuntu server. I highly recommend reading the entire page as it contains details as to why certain packages were left or were disabled, as well as tips. Your use case is likely not exactly as the author's use case, so be sure to use discretion and proper judgement. And test!

Solution 2:

I would disable these ones:

ldap_module
authnz_ldap_module
logio_module
usertrack_module
dav_module
status_module
info_module
dav_fs_module
userdir_module
proxy_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_ajp_module
proxy_connect_module
dav_svn_module
authz_svn_module

And maybe:

autoindex_module
perl_module
ssl_module

As mentioned though, check which ones you're actually using, and disable the others. If you disable them just by commenting the line in the config file, then you can easily re-enable them if something breaks without a certain module.