
At this point, tossing some static text up with default apache configs runs afoul of GDPR opt-out and data-scrubbing requirements, IIUC.


I'd be interested to hear exactly what default configuration violates GDPR, as that wasn't something I'd heard before. However, even if that is the case, that would imply that the defaults should be changed.

Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.

There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.


> I'd be interested to hear exactly what default configuration violates GDPR

https://law.stackexchange.com/questions/42438/do-default-apa...

It would appear public IP addresses are PII. Apache (and most web servers) log those by default.

A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).

I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.


Thank you, that was an aspect I hadn't considered. That said, I'm not sure how much I agree with the conclusion of this particular answer. My understanding is that IP addresses are only considered personal data if they either uniquely identify a person (e.g. a static IP address), or can be joined with additional available data to uniquely identify (e.g. a dynamic IP address logged by somebody who also has logs on the dynamic IP assignment).

In addition, there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be a more solid case [1].

[0] https://www.whitecase.com/publications/alert/court-confirms-...

[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...



