If you don’t want to use .htaccess, you’ll discover that things aren’t working anywhere near as well as you expected.
Here’s what you would EXPECT to work (Ubuntu 16.04 example, YMMV):
root@api:~# cat /etc/apache2/sites-enabled/001-api.example.com.conf
<VirtualHost *:80>
ServerName api.example.com
ServerAdmin user@example.com
DocumentRoot /usr/local/api/website
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/api/website>
Require all granted
</Directory>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ /index.php [QSA,L]
</VirtualHost>
Unfortunately, when you do that, everything 404’s, because, Apache is now returning a correct SCRIPT_NAME, which is also the same as REQUEST_URI, which is then deleted from itself and… everything 404s.
This has been an issue for a while, and isn’t thought of being a bug, and much Googling hasn’t turned up this simple answer, so, here it is:
$_SERVER['SCRIPT_NAME'] = "";
That’s it. Add that to the start of your index.php, and it fixes all your problems, without needing to turn on AllowOverrides (which a lot of people - including myself - don’t like doing at all!).
Enjoy!