diff --git a/ceilometer/templates/bin/_ceilometer-api.sh.tpl b/ceilometer/templates/bin/_ceilometer-api.sh.tpl
index cdb02f798e..de3a742cfa 100644
--- a/ceilometer/templates/bin/_ceilometer-api.sh.tpl
+++ b/ceilometer/templates/bin/_ceilometer-api.sh.tpl
@@ -20,17 +20,29 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+
   if [ -f /etc/apache2/envvars ]; then
     # Loading Apache2 ENV variables
     source /etc/apache2/envvars
   fi
 
   # Start Apache2
-  exec apache2 -DFOREGROUND
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
 }
 
 function stop () {
-  apachectl -k graceful-stop
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
 }
 
 $COMMAND
diff --git a/ceilometer/templates/configmap-etc.yaml b/ceilometer/templates/configmap-etc.yaml
index c48a3b8b11..3e556ddd52 100644
--- a/ceilometer/templates/configmap-etc.yaml
+++ b/ceilometer/templates/configmap-etc.yaml
@@ -126,5 +126,8 @@ data:
   gnocchi_resources.yaml: {{ toYaml .Values.conf.gnocchi_resources | b64enc }}
   meters.yaml: {{ toYaml .Values.conf.meters | b64enc }}
   polling.yaml: {{ toYaml .Values.conf.polling | b64enc }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end}}
 {{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_ceilometer "key" "wsgi-ceilometer.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
diff --git a/ceilometer/templates/deployment-api.yaml b/ceilometer/templates/deployment-api.yaml
index 8022f7718a..33fa92b8d7 100644
--- a/ceilometer/templates/deployment-api.yaml
+++ b/ceilometer/templates/deployment-api.yaml
@@ -105,9 +105,15 @@ spec:
               subPath: gnocchi_resources.yaml
               readOnly: true
             - name: ceilometer-etc
-              mountPath: /etc/apache2/conf-enabled/000-default.conf
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/000-default.conf
               subPath: wsgi-ceilometer.conf
               readOnly: true
+{{- if .Values.conf.security }}
+            - name: ceilometer-etc
+              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+              subPath: security.conf
+              readOnly: true
+{{- end }}
             - name: ceilometer-bin
               mountPath: /tmp/ceilometer-api.sh
               subPath: ceilometer-api.sh
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index fc3cce0fc7..92ec60865b 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -87,6 +87,81 @@ network:
 ipmi_device: /dev/ipmi0
 
 conf:
+  security: |
+    #
+    # Disable access to the entire file system except for the directories that
+    # are explicitly allowed later.
+    #
+    # This currently breaks the configurations that come with some web application
+    # Debian packages.
+    #
+    #<Directory />
+    #   AllowOverride None
+    #   Require all denied
+    #</Directory>
+
+    # Changing the following options will not really affect the security of the
+    # server, but might make attacks slightly more difficult in some cases.
+
+    #
+    # ServerTokens
+    # This directive configures what you return as the Server HTTP response
+    # Header. The default is 'Full' which sends information about the OS-Type
+    # and compiled in modules.
+    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+    # where Full conveys the most information, and Prod the least.
+    ServerTokens Prod
+
+    #
+    # Optionally add a line containing the server version and virtual host
+    # name to server-generated pages (internal error documents, FTP directory
+    # listings, mod_status and mod_info output etc., but not CGI generated
+    # documents or custom error documents).
+    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+    # Set to one of:  On | Off | EMail
+    ServerSignature Off
+
+    #
+    # Allow TRACE method
+    #
+    # Set to "extended" to also reflect the request body (only for testing and
+    # diagnostic purposes).
+    #
+    # Set to one of:  On | Off | extended
+    TraceEnable Off
+
+    #
+    # Forbid access to version control directories
+    #
+    # If you use version control systems in your document root, you should
+    # probably deny access to their directories. For example, for subversion:
+    #
+    #<DirectoryMatch "/\.svn">
+    #   Require all denied
+    #</DirectoryMatch>
+
+    #
+    # Setting this header will prevent MSIE from interpreting files as something
+    # else than declared by the content type in the HTTP headers.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Content-Type-Options: "nosniff"
+
+    #
+    # Setting this header will prevent other sites from embedding pages from this
+    # site as frames. This defends against clickjacking attacks.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Frame-Options: "sameorigin"
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      site_dir: /etc/apache2/sites-enable
+      conf_dir: /etc/apache2/conf-enabled
+      mods_dir: /etc/apache2/mods-available
+      a2enmod: null
+      a2dismod: null
   ceilometer:
     DEFAULT:
       event_dispatchers: