<?xml version="1.0"?>
<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN" "http://my.netscape.com/publish/formats/rss-0.91.dtd">
<rss version="2.0">
  <channel>
    <title>Apache Week Reviews</title>
    <description>The essential resource for anyone running an Apache server, or anyone responsible for running Apache-based services.</description>
    <language>en-gb</language>
    <link>http://www.apacheweek.com/</link>
    <copyright>Copyright n th, Red Hat Europe</copyright>
    <managingEditor>editors@apacheweek.com (Mark Cox)</managingEditor>
    <webMaster>webadmin@apacheweek.com (Mark Cox)</webMaster>
    <lastBuildDate>

Apache in the News 2000
All the important news stories about Apache from the year 2000

Since becoming the #1 Web server, Apache has featured in a number of reviews and articles.  Here are the ones for the year 2000.  If you have seen a story about Apache on the Web or in the press, let us know so that we can include it here.
        
    
    
      
InfoWorld.com, 17th November 2000
"Brian Behlendorf: Apache co-founder talks about open source"

"the fact that we don't have a multibillion-dollar marketing organization means that, sure, Microsoft is going to be able to claim things or do things that we can't, but that hasn't hurt us so far."


InfoWorld.com, 13th November 2000
"Apache founders hit Vegas in search of cash"

"Behlendorf said the ASF may need to look for a little cash to keep up with the demands that developing the leading Web server requires"


Apache Week, 3rd November 2000
"Report from ApacheCon Europe 2000"

"As in all conferences, there were various technical glitches when presentation laptops froze and batteries ran out, some inexperienced speakers, and not enough seats but these were all minor issues considering the excellent detailed technical knowledge that was imparted by the speakers."


Apache Today, 30th October 2000
"Apache Guide: ApacheCon Europe"

"Last week, I was in London for ApacheCon 2000. In a break from my usual subjects, this will be a brief overview of the conference, touching on the highlights and some of the things that were talked about there."


NetworkWorldFusion, 26th October 2000
"Tips on pitching Apache to the big wigs"

"Apache cares about trademarks and it's helped us maintain a pretty good product," Behlendorf said.


NetworkWorldFusion, 25th October 2000
"IBM pitches its open source side"

"IBM Tuesday set out its open source agenda at ApacheCon Europe 2000. The message seemed to boil down to the notion that in a networked world, open source is good and IBM not only knows that but embraces the open-source programming community."


NetworkWorldFusion, 24th October 2000
"Sun says Java moving towards full open source"

"Sun is moving toward making its Java technology fully open source, a company executive said Tuesday, addressing an audience of programmers here at the ApacheCon Europe 2000."


Network Computing, October 2000
"The 10 Most Important Products of the Decade"

"...Apache Web Server earns its place for changing the rules on the server side. The future of Apache hinges on its ability to function as an e-commerce server. If the past five years are any indication, Apache Web Server will deliver the whole shopping cart--and probably sooner than its competitors do."


InfoWorld, October 2000
"E-business innovators"

"By general acclaim, it has done more to stimulate Web development -- and therefore e-commerce -- than any other Web-based server."
    
    
      
Edd Dumbill's Weblog (O'Reilly), 10th July 2000
"Dynamics of the Apache XML Project"

Edd Dumbill, editor of XML.com, writes about the "Dynamics of the Apache Group" in his Weblog. The focus of the article is on news that the Apache XML project could create another parser, and it looks at the internal dynamics of the group members and some of the conflicts.

"IBM and Lotus in particular are responsible for the XML parser, Xerces, and the XSLT processor, Xalan. Sun also play a significant part in Apache's Java projects. Though nobody has suggested that Apache is in any way in the sway of these organizations as a consequence of their donations, it seems inevitable that the corporate and hacker cultures may well clash. This weekend seems a good example of this."


Qube Corner, 26th June 2000
"AOLserver faster than Apache?"

Qube Corner reveal that Apache 1.3.12 comes second to AOLserver 3.0 in terms of requests/second and transfer speeds. Benchmarks do not give a true picture of the speed of a web server, since they provide an environment unlike the real use of the software. Commercial software is often tuned to perform well in benchmarks, so a good performance simply indicates that the software works well for that benchmark, not that it has good real-world performance.


News Alert, 20th June 2000
"US Toyota and Lexus dealers adopt Apache technology"

Over the last week, there have been a large number of stories about Internet Appliances for both home and business use. An increasing number of these units are now being run on open source platforms such as Linux. Dell have announced that Toyota in the US are to be equipped with Dell PowerApp.web servers to provide customised content to their dealer network.


C|Net News.com, 1st June 2000
"IBM donates Net communications technology"

As reported by C|Net, the Apache Software Foundation has received technology from IBM which will help developers create services using an open, vendor-neutral process. IBM's Java-built Simple Object Access Protocol (SOAP) will be contributed to the open source Apache XML project. The system provides a simple method of using XML to send messages and access web services across distributed networks.

"We want to move at Internet speed and respond to the needs of the developer community by making it available to the open-source community," said Marie Wieck, IBM's director of e-markets infrastructure. "It's valuable to further adoption."


CNet Investor, 1st June 2000
"Apache Software Foundation join Java committee"

CNet Investor reported that Sun Microsystems have set up two executive committees to oversee their Java Community Process(SM) community-based Java technology development programmes. The first committee will oversee the Java technologies for the desktop/server space and the other will oversee the Java technologies for the consumer/embedded space.

"As is evident by the depth, diversity and strength of the JCP program's Executive Committee members, the future of Java technology specifications is in capable and caring hands," said George Paolini, vice president of Java Community Development at Sun Microsystems, Inc.


ZD Net, 18th May 2000
"Red Hat Leads The Way To IA-64 Itanium Linux"

Red Hat Inc. this week released public alpha code of a full version of Linux for Intel's new IA-64 Itanium processor. The release of the software combined with the release of Intel's "Itanium Processor Microarchitecture Reference" gives developers access to all the information they need to start working on Itanium development.

"On May 17, Red Hat Inc. released an alpha version of a complete IA-64 Linux distribution to developers. This edition, built within the Trillian Project, is the first alpha public code release of a full IA-64 Linux from kernel to drivers to such popular applications as Apache."


ZDNet, 4th May 2000
"Picking The Right Web Server Is Key"

ZDNet examine web server platforms in their article, "Picking the Right Server is Key". They compare Windows 2000 Advanced Server, Netware 5.1, Red Hat Linux using Apache, Solaris using iPlanet, and Solaris using Apache.

"There are other compelling reasons to choose Linux/Apache. For one thing, you'll never find a back door, as with the recent IIS debacle, in open-source code. And it's getting so easy to install that the hardcore Linux gurus are grumbling about dumbing down."


SecuritySpace.com, 1st May 2000
"April Web Server Survey"

If you are a regular reader of Apache Week you'll know that Apache has been the top web server in all the probe-based web surveys for some time, now with over 60% market share. The April survey from E-Soft also gives some other interesting statistics for modules in use; the most popular being the PHP scripting language, in use on 29% of Apache sites.

"The Apache module report documents the market share of Apache, internet's most popular web server, for a variety of add-on modules. Since most add on modules modify the web server "signature" that is returned on each web page, we are able to see who's using PHP, perl, SSL mods, language converters, language mods, etc."


Userland, 24th April 2000
"Scripting News / Manila"

UserLand hosts an interesting open forum about commercial software, which originally started as an email discussion between Dave Winer and Brian Behlendorf. In Dave's own comments he picks out some of the discussion and his own point of view, accusing Apache of being boring.

"Apache is like MS-DOS. Lots of people use it, we do too. But where's the Lotus 1-2-3? Apache is boring! Where's the revolution for writers and thinkers?"
 
    
    
      
Linux Today, 21st April 2000
"VNU Net: Apache Server Commentary [Book Review]"

A short review of the new book "Apache Server Commentary" is available. The book is aimed at developers and contains source code listings of the Apache server.

"This is one in a series of books which sets out to give an insight into the various Open Source products currently on the market. It is aimed at those who either want to write extension modules to Apache or customise the underlying code.  In fact, Apache Server Commentary appears to be little more than a reference guide for those who already understand the concept of Apache and just want help on specific modules. It certainly isn't the architectural document I was expecting."


InformationWeek.com, 10th April 2000
"Open Source Moves To The Mainstream"

The article discusses the secure server survey from E-Soft, which shows Apache with 63% market share, but notes that the "battle over E-commerce territory has been a little more difficult for open source, perhaps an indication that security-minded companies prefer to use commercial products".

"One of the leading open-source success stories is the Apache Web server, which for many sites is the backbone of Web applications. Apache is a flagship open-source project, continually developed by a self-selected group of coordinated volunteer programmers. It costs nothing to use. As of March, Apache is deployed on more than 7.8 million domains, or some 60% of Internet Web sites."


INRIA, 4th April 2000
"Elliptic Curve Discrete Logarithms: ECC2K-108 - SOLVED!"

Apache Week reported in issue 180 on the attempt to solve the Elliptic Curve Challenge from Certicom. The solution was found at the end of March, and the Apache Software Foundation will receive a donation of US$8000 from the prize.

"The biggest public-key crypto crack ever has just finished! Certicom have confirmed that the solution is correct."


Linux Magazine, April 2000
"Brian Behlendorf on the Apache name"

Linux Magazine have an interview with Brian Behlendorf, one of the initial Apache Group founders. In addition to talking about the founding and success of Apache, Brian explains that the Apache name never meant "A patchy server"; instead it "just sort of connoted: 'Take no prisoners. Be kind of aggressive and kick some ass.'"

"While there would still be a World Wide Web without the Apache Web server, pundits have suggested that it would belong to Microsoft. Since drawing up the plan for the Apache project in 1993, Apache Software Foundation President Brian Behlendorf has helped lead the volunteer development team that proved that you can take on Microsoft and win -- just so long as you change the rules."


Linux Magazine, April 2000
"A Conversation With the Man Behind the Animal Books"

The article discusses the evolving open source industry and pays particular attention to Apache.

"I think Apache plays an enormously important role here. Because it has dominant market share, it keeps the Internet open. I think it's more important for Apache to have dominant market share than for Linux. If Linux is dominant too, that's better, but I'd hate to see us lose Apache. That's a really important battleground."


ZD Net - EWeek, 20th March 2000
"Solaris 8 weds reliability to must-have upgrades"

PC Week mention Apache being bundled with Solaris in "Solaris 8 weds reliability to must-have upgrades".

"Apache Web server is also bundled with Solaris 8, but neither PC Week Labs nor Sun recommends its use in high-transaction environments."


Slashdot, 18th March 2000
"Reflections On ApacheCon 2000"

ASF member Jim Jagielski gives his personal opinion of ApacheCon 2000 in "Reflections on ApacheCon 2000".

"It's been a week now since ApacheCon 2000 ended. There's been some discussion over the events, with the release of Apache 2.0a being the main topic of conversation. But AC2K was more than just the venue that 2.0a was announced. It was an important and noteworthy conference in its own right."
 
    
    
      
NetworkWorldFusion, 13th March 2000
"The Netware Version Of Apache"

The NetWare version of Apache is examined in a Network World Fusion newsletter. Over the past few years Novell have shipped a couple of different Web servers with NetWare, but now Apache is available for this system.

"The NetWare version of Apache 1.3 is still in the "experimental" stage, and it (so far) only runs on NetWare 5 or 5.1. Nevertheless, if you support a major Web site and ... if you want to take advantage of the hundreds of Web server applications available (also for free) for Apache - it would be worth your effort to download and test the new Apache in your environment."


Apache Week, 10th March 2000
"Report from ApacheCon 2000"

"In total, just over 1000 people attended the conference and this included a large number of Apache Software Foundation members. At the very first session of the conference, the opening plenary, the previous record for the most Apache developers in the same place at the same time was broken."


Melbourne Linux Users Group Inc, 10th March 2000
"ApacheCon 2000"

The Melbourne Linux Users Group posted a number of pictures from the conference.

"The ApacheCon show was very well done. The exhibit floor featured many cool companies and the keynote and PHP presentations I attended were very informative. Here are some pics of the event."


Open Source IT, March 2000
"The Buzz At Apache Conference: World Domination"

ApacheCon 2000 is still in the news as Open Source IT reports on ApacheCon 2000 in "The Buzz at Apache Conference: World Domination".

"More than 1,000 Apache developers and users gathered at ApacheCon 2000 in Orlando last week to discuss -- among other things -- the progress the Apache Web server is making towards World Domination."


O'Reilly, March 2000
"ApacheCon 2000: Day One, Day Two, Day Three"

O'Reilly published a detailed report on each day of the conference: Wednesday, Thursday, and Friday.

"The conference is being held at the Caribe Royale Resort Suites, which despite a strong conference turnout, is mainly inhabited by lots of parents and their young children, due to the proximity to Disney World."


LinuxPlanet, March 2000
"ApacheCon: Fuelling The Web Revolution"

The article gives a brief overview of the conference and highlights one of the popular talks on open source from IBM.

"ApacheCon is the yearly convention dedicated to Apache and Apache products. There are over 1,000 visitors this year, and the show creators were sitting around saying things to me like, "Wow, this is going so mainstream so fast." God, I hope so. It'd be a terrible thing for something that has captured 60 percent of the Internet Web-server market share to not be mainstream."


Wired.com News, 14th February 2000
"A Patchy Start: Apache's Strong"

The article examines why Apache is not as well known as other projects such as Linux, and finds that the companies providing support and services based on Apache are not as visible.

"Apache is the Web's most widely used and -- outside of the Nerd Zone -- its most unknown application. It has achieved dominance in a crucial market that Microsoft and Netscape have struggled mightily to conquer. Both companies have invested massive amounts of money and programming skills into server software programs -- and yet it's Apache, a freeware application, that is installed on just over half of all publicly accessible Web servers."
 
    
  




Security levels
Cox, Mark J
A quick summary of security levels that Apache Week apply
to Apache web server vulnerabilities





Apache Week rates the impact of each security flaw that affects the
Apache web server.  We've chosen a rating scale quite similar to those
used by other major vendors in order to be consistent.  Basically the
goal of the rating system is to answer the question "How worried
should I be about this vulnerability?".  

Note that the rating chosen for each flaw is the worst possible
case across all architectures.  In the past for example we've had
flaws that have a Critical impact on some BSD architectures, whilst no
real impact on others.  To determine the exact impact of a
particular vulnerability on your own systems you will still need to 
read the security advisories to find out more about the flaw.

We use the following descriptions
to decide on the impact rating to give each vulnerability:




A vulnerability rated with a Critical impact is one which could
potentially be exploited by a remote attacker to get Apache to execute
arbitrary code (either as the user the server is running as, or root).  These
are the sorts of vulnerabilities that could be exploited automatically
by worms.




A vulnerability rated as Important impact is one which could result
in the compromise of data or availability of the server.  For the
Apache web server this includes issues that allow an easy remote
denial of service (something that is out of proportion to the attack
or with a lasting consequence), access to arbitrary files outside of the
document root, or access to files that should be otherwise prevented by
limits or authentication.



A vulnerability is likely to be rated as Moderate if there is
significant mitigation to make the issue less of an impact.  This
might be because the flaw does not affect likely configurations, or it
is in a configuration that isn't widely used, or a remote user
must be authenticated in order to exploit the issue.  Flaws that
allow Apache to serve directory listings instead of index files are
included here, as are flaws that might crash an Apache child process
in Apache 1.3.



All other security flaws are classed as a Low impact.  This rating
is used for issues that are believed to be extremely hard to
exploit, or where an exploit gives minimal consequences.








Practical mod_perl

0596002270
Benson, Gary

mod_perl embeds the Perl programming language in the Apache web
server, giving rise to a fast and powerful web programming
environment.  "Practical mod_perl" aims to be the definitive book on
how to use, optimise and troubleshoot mod_perl.



Book Review: Practical mod_perl 






The book is aimed at both server administrators and application
developers, and is well organised so that both groups of readers can
easily find what they need.  The bulk of the book is split into four
main parts, covering administration, performance tuning, database
issues and troubleshooting, all in relation to mod_perl 1.0.  A
smaller fifth part covers the differences between mod_perl 1.0 and the
as-yet-unreleased mod_perl 2.0, and finally there are a number of
appendices containing example code for common tasks, information on
useful Perl modules, and some information for ISPs wishing to offer
mod_perl to their customers.

As you might expect, the administration section contains the usual
instructions on how to obtain, compile, install and, well, administer
httpd and mod_perl.  However, it is here that the authors' attention
to detail starts to be revealed: perhaps a third of this section
comprises analysis of transitioning existing CGIs to mod_perl and of
transitioning from a Perl environment to a mod_perl environment.  Many
of the "tricky" aspects of web programming are explained here too:
user aborts and server timeouts are covered, as is the generation of
correct HTTP headers.

The performance tuning section starts with a general analysis of
web application optimisation, and sets out the areas which need to be
addressed in order to optimise effectively.  Every aspect that could
affect performance is examined, from hardware and operating system
through httpd configuration, multiple-machine setups and web caches,
to your applications themselves, the memory they use and their full
exploitation of the performance-improving features that the HTTP
protocol offers.

When you consider the importance of databases to web programming it
is surprising how little coverage is devoted to them in many books,
but "Practical mod_perl"'s database section bucks the trend by
containing a wealth of information.  Along with the usual information
on how to access the database, connection pooling is covered, as is
using shared memory to avoid repeated accesses.

The final part of the book covers debugging, and in keeping
with the rest of the book it is detailed, comprehensive and well
organised.  A variety of different techniques are discussed such that
pretty much every possible problem is covered, and in case all else
fails the section is concluded by some instructions on how to get help
from mod_perl's development community.

The book as a whole is focused and well written, and the authors'
knowledge of and passion about mod_perl is obvious.  It's an excellent
read and will undoubtedly make an excellent reference afterwards;
O'Reilly have attempted to create the definitive book on mod_perl and
they have succeeded admirably.







Vendor patches to Apache 1.3
Cox, Mark J
We take a peek inside ten popular vendor distributions
of Apache 1.3 to find out what has been added






We decided to take a look at what custom patches vendors add to the versions
of Apache 1.3 they ship.  The Apache Software Foundation would rather that
vendors of Apache didn't add any third-party modifications to Apache
at all - it adds to brand confusion.  You might think you are getting a
copy of the Apache web server but you're actually getting something
that is based on the Apache web server.

There are hundreds of distributions and hundreds of vendors so in
order to make this manageable we started out by looking at just Linux
vendors that have publicised security updates for Apache in the first
few months of 2003 to the bugtraq mailing list.  Where a vendor has multiple
versions of products we tried to look at the most recent version of
Apache 1.3 (since most vendors do not yet ship Apache 2).

Our survey consisted of Conectiva, Debian, EnGarde, Gentoo,
Mandrake, OpenPKG, Red Hat, SCO, SuSE, and Trustix.



At the time of the survey, not all the Linux vendors were shipping
Apache 1.3.27.  Several shipped older versions for which they had
backported security fixes.  Mandrake, Debian, and Conectiva included
Apache 1.3.26 with backported patches for , , and .
SuSE included Apache 1.3.23 with backported security fixes for only
 and .  SuSE also add a backported patch for mod_proxy ().

All the vendors shipped with EAPI, the interface that links Apache to
mod_ssl, and most bundled some selection of extra modules.



All the vendors shipped a custom httpd.conf file or
made patches to the default file.  Examining the configuration file
changes was outside the scope of this survey since these are things
that can be easily changed by the user.

All the vendors except OpenPKG and SuSE pointed the magic
mime types file at the system /etc/mime.types file, with
many adding additional types using AddType
directives in httpd.conf.

SysV init is a standard process used by Linux distributions to
control which software the init command launches or shuts off on a
given runlevel.  These init scripts sometimes get confused with the
apachectl command, which provides similar functionality.
All the vendors except OpenPKG included custom init scripts or patches
with their Apache packages.




All the vendors provided patches to help build Apache on their
particular Linux distribution and to customise it to their
environment.  Conectiva, Gentoo, and Mandrake added a
serverroot configuration option and then used that to
help build Apache.  Most vendors patched apxs and changed
file and directory locations.

Debian, Gentoo, Mandrake, Red Hat, and SuSE added dbm patches to ensure
that the files created for dbm-based authentication from Perl tools like
dbmmanage are in a format that Apache can understand.




Conectiva, Debian, EnGarde, Gentoo, Mandrake, Red Hat, and SCO all
included a patch for , a vulnerability in
htpasswd and htdigest that could allow local users to overwrite
arbitrary files via a symlink attack.  This vulnerability is not yet
fixed in Apache, as it's tricky to get right cross-platform.  The
vendors patching this themselves only have to worry about the Linux
architecture so can add a specific fix.



Altering the server version string can help users determine that
they are running a vendor-modified version of Apache.  It can also
help the vendor track market share through surveys like those from
Netcraft.  Four of the distributions had patches to make sure that
they added a customised string to the server version string.  These
distributions were quite well behaved and did not add their customised
string if the ServerTokens directive is set to
'product only' or 'minimum'.


Debian GNU/arch
(Gentoo/Linux)
(Red-Hat/Linux)
(Trustix Secure Linux/Linux)


Conectiva and SCO were a little more invasive, with Conectiva
adding (Conectiva/Linux) to the server version string no
matter what the ServerTokens directive was set
to.  SCO did a similar thing, with their extra string giving the
version of an acceleration patch they add.

Finally, Mandrake changed the base product name altogether, renaming
from Apache to Apache-AdvancedExtranetServer.



In Apache 1.3, a compile-time constant defines the maximum possible
number of server processes, defaulting to 256.  Only three vendors
changed this default: Debian set it to 512 processes via a build-time
define, EnGarde patch it to 1024, and SuSE set it to 2048 via a
define.



Debian, Mandrake, SuSE, and SCO build Apache with Large File
support, so that on 32-bit systems Apache can use files larger than 2
gigabytes - this is particularly useful for log files.  Enabling LFS
does slightly change the Apache 1.3 binary module ABI, which can cause
problems if using binary modules built against a different version of
Apache.




After taking account of all the patches and modifications above,
we're left with only four vendors that add additional patches.


SuSE added:


A patch to change the ap_set_content_length API function to accept
a length of type off_t instead of long,
to improve the support for Large Files mentioned above.




Gentoo added:


A patch to make the regexp library work with Large File Support on
32-bit systems.  This is a modification that affects the ABI.
A patch to fix a segmentation fault when
using a custom response in a module, ()
A patch to fix a problem when using server-parsed HTML with suexec where
an &lt;!--#exec tag with a cmd attribute contains more than one word.
(Debian bug 47951)
A patch to allow SSL environment variables to be accessible when using 
mod_ssl and suExec. (similar to )
A patch to cause Apache to not run if user or 
group directives are found within a
VirtualHost but suExec is not configured correctly.
(Debian bug 21525)





Debian added the same patches as Gentoo and additionally:


A fix for a htdigest buffer overflow if arguments passed to it are too long.
This is only a security issue if htdigest is used setuid.
Changes to ApacheBench to support round-robin DNS.



SCO added:


A patch to mod_proxy needed for
mod_backhand
A patch to add a new API function, ap_call_execute, needed
by the old mod-frontpage-VR module
The "Accelerating Apache" performance patches from SGI.



The "Accelerating Apache" performance patches were first submitted
to the Apache Group by SGI in 1999.  We reported that they were
designed to improve the performance of Apache when measured
specifically by the SPECweb96 benchmark.  The patches were named after
the tenfold increase in speed they gave over regular Apache on a dual
processor SGI IRIX machine.  Some of the patches were folded in to
Apache in 2000, but other parts were rejected by the Apache
developers.  The Accelerating Apache project was dropped by SGI in
February 2001.





In March 2003 a vulnerability was found in the Oracle modifications to mod_dav.
This was not the first security hole that has been introduced by
third party modifications to Apache by vendors.  However our own
research based on
issues listed in the CVE dictionary shows that the majority of these 
vulnerabilities are due to poor configuration defaults rather than patches for new functionality that
went wrong:




CVE    Type of Issue                                            Severity   Affected
       Remote attacker can run arbitrary commands               High       Oracle
       Remote attacker can run arbitrary commands               High       SCO (briefly)
       Remote attacker can run arbitrary commands               High       IBM
       Remote attacker can see files in /usr/doc                Low        SuSE Linux
       Remote attacker can see files in /perl                   Medium     Mandrake Linux
       Remote attacker can read and write any file in docroot   High       SuSE Linux
       Remote attacker can obtain the source to CGI scripts     Medium     SuSE Linux
       Remote attacker can read .htaccess files                 Medium     Cobalt
       Remote attacker can see files in /usr/doc                Low        Debian Linux











What we found in our survey was that no two of the ten vendors were
alike; some vendors like OpenPKG made only the expected build and
configuration changes, whilst others made fairly substantial changes
including affecting the ABI.  ABI changes mean that you can't reliably
take a module precompiled for one distribution and start using it on
another.
Third-party modifications to Apache have
been known to cause bugs and security issues. This is often
frustrating for the Apache Software Foundation, who end up receiving
all the bug reports for issues that don't even exist in the official
Apache releases. This is one of the reasons why the Apache Software
Foundation insists that when vendors modify Apache
they change the name of their version so it is not confused with
official Apache releases.

One thing that impressed us was how easy it was to identify the changes
that the vendors had made.  In almost all cases the vendor's source package
contained a pristine copy of Apache along with one or more patch files for
the various changes.  Working out what those changes did and where they came
from was another matter, though; vendors could do a much better job of
labelling the origin of, and reason for, each of the patches they make.










Apache 2.0.44 Released 
Orton, Joe
Apache 2.0.44 was released
    on the 21st January 2003. This release addresses recent security
    issues in Apache 2.0.43
    




    
      Apache 2.0.44 was released on 21st January 2003 and is
      now the latest version of the Apache 2.0 server. The previous
      release was 2.0.43, released on the 3rd October 2002.
      See
      what was new in Apache 2.0.43.  
    
    
      Apache 2.0.44 is
      available for download.
    
    
      This is a security, bug fix and minor upgrade release.
      Due to security issues, any sites using versions prior to
      Apache 2.0.44 on Windows should upgrade to Apache 2.0.44.
      Read more
      about the other security issues that affect Apache 2.0.
    

 


      
	Apache was vulnerable to a denial of service attack via a
request for an MS-DOS device name on Windows 9x and Me.
	
	Apache allowed arbitrary code execution via a crafted POST
request containing an MS-DOS device name on Windows 9x and Me.

	Apache could be forced to serve unexpected files on
Windows platforms by appending illegal characters such as '&lt;' to the
request URL.
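A detection pass over access-log lines for the two Windows request patterns named above (URLs naming an MS-DOS device and URLs carrying illegal characters such as '<'). This is an added example written for this article, not code from Apache; the Common Log Format lines and the helper names are constructed.

```python
"""Flag Apache access-log requests that match the Windows-specific
patterns fixed in Apache 2.0.44: paths naming an MS-DOS device and
paths carrying characters that are illegal in a Windows file name.
Added example for this article; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Reserved MS-DOS device names.  Windows resolves "con", "con.txt" and
# "/dir/aux" alike, so only the segment's stem before any extension matters.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

# Characters that cannot appear in a Windows file name; a request path
# carrying one is the pattern behind the third fix listed above.
ILLEGAL_CHARS = set('<>"|*')

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, method, path, proto, status, _size = m.groups()
    return {"host": host, "time": when, "method": method,
            "path": path, "proto": proto, "status": int(status)}


def _decoded_path(path):
    """Strip the query string and percent-decode what remains."""
    return unquote(path.split("?", 1)[0])


def names_dos_device(path):
    """True if any path segment (ignoring extension and padding) is a device."""
    for segment in _decoded_path(path).replace("\\", "/").split("/"):
        stem = segment.split(".", 1)[0].strip().upper()
        if stem in DOS_DEVICES:
            return True
    return False


def has_illegal_char(path):
    """True if the decoded path carries a character illegal in Windows names."""
    return any(c in ILLEGAL_CHARS for c in _decoded_path(path))


def scan(lines):
    """Return (path, reason) for every request that matches either pattern."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        if names_dos_device(rec["path"]):
            hits.append((rec["path"], "dos-device"))
        elif has_illegal_char(rec["path"]):
            hits.append((rec["path"], "illegal-char"))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jan/2003:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [22/Jan/2003:10:00:02 +0000] "GET /cgi-bin/aux HTTP/1.1" 200 12',
    '10.0.0.6 - - [22/Jan/2003:10:00:03 +0000] "POST /scripts/com1.bat HTTP/1.0" 500 0',
    '10.0.0.7 - - [22/Jan/2003:10:00:04 +0000] "GET /secret.html%3C HTTP/1.1" 200 500',
    '10.0.0.7 - - [22/Jan/2003:10:00:05 +0000] "GET /docs/con%20 HTTP/1.1" 404 210',
    '10.0.0.8 - - [22/Jan/2003:10:00:06 +0000] "GET /console.html HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LOG):
        print(f"{reason:12s} {path}")
```

Note that `/console.html` is deliberately left alone: only a whole segment stem matches, so the check does not fire on ordinary names that merely start with a device name.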





      The following bugs were found in Apache 2.0.43 and have been
      fixed in Apache 2.0.44:

      

	Allow escaping % sign in CustomLog
format strings
	
	mod_setenvif: fix
BrowserMatchNoCase for non-regex patterns.

	Return appropriate MIME response headers for negotiated
responses from a body embedded in a type-map

	Prevent 416 "Range not satisfiable" response in place of a
redirect

	Prevent files being left open for the duration of a
keepalive connection, which could cause a "Too many open files"
error

	mod_ssl: several fixes for memory
handling and leaks

	mod_proxy: fix invalid
Content-Length from pages fetched during server-side
include processing.

	LDAP modules: ensure correct load order in httpd.conf
(); fix compatibility with Netscape LDAP libraries;
fix Win32 build

	mod_deflate: fix a memory leak when
compressing dynamic content; always emit
Vary headers

	mod_isapi: fix several compatibility
problems (, ), and fix bug which
caused invalid responses or log entries ()

	CGI modules: fix streaming output from "nph-" scripts, for
example CGI::IRC (); fix construction of command line
from query strings (), handle environment variables
which contain newlines in mod_cgid (); terminate CGI scripts when connection is dropped ()

	Caching modules: many bug fixes (including ), and an HTTP compliance fix ()

      
    
    
    
      
	Add an --enable-v4-mapped configure option to
allow or disallow connections from IPv4-mapped addresses to IPv6
addresses, on applicable platforms (, )

	Add IndexOptions IgnoreCase option
to mod_autoindex ()
	
	Add EnableSendfile directive to
disable use of sendfile() when necessary (for instance
when serving an NFS share)

	Add ProxyBadHeader directive to
dictate handling of invalid HTTP responses headers

	Add SERVER_ADDR keyword to
mod_setenvif, to represent the server IP address for
a particular request
	
	Performance improvements
	
	Add -S command-line option to
httpd, equivalent to -t -DDUMP_VHOSTS

      
    



Apache Related Links

This document contains a set of pointers of interest to
people using or developing with Apache. From here, you can link 
to all the relevant standard definitions, documentation on
most aspects of using Apache, module information, and even
some links to how Apache is reported by the media.



Organisations


   W3C who maintain W3 standards development
   Apache project page





Document Access


  HTTP is the protocol for transferring Web pages. The current version is
  1.1, which is now an RFC on the standards track. It replaces the widely 
  implemented 1.0.
  
  Note:
  this is not related to Apache version numbers!
  
  
   HTTP 0.9
      (of historical interest only)
   HTTP 1.0 [RFC1945]
      (or in HTML PS format)
   HTTP 1.1 [RFC2616]
   Use and interpretation of HTTP version numbers [RFC2145]
   Basic and Digest Access Authentication [RFC2617]
   PEP: an Extension Mechanism for HTTP [Internet Draft]
   Transparent Content Negotiation [RFC2295] and 
     Remote Variant Selection Algorithm 1.0 [RFC2296]
   See also: other HTTP Internet drafts, the W3C HTTP specifications
  




  Uniform Resource Identifiers or Names (URI, URN) are the generic
  names for Uniform Resource Locators (URLs), used to identify
  resources on the WWW and Internet.

  
   Uniform Resource Identifiers (URI): Generic Syntax [RFC2396]
   A Trivial Convention for using HTTP in URN Resolution [RFC2169]
   URN Syntax [RFC2141]
   Uniform Resource Locators [RFC1738]
   Relative Uniform Resource Locators [RFC1808]
  



  Cookies let you maintain state with the client, or track 'clickstreams'.
  
   HTTP State Management Mechanism [RFC2109]
   Internet Draft intended to replace RFC2109
   Netscape's Original Cookie specification (no longer available)
  




Content

  Hypertext Markup Language is the protocol used to design Web
  hypertext pages. The current widely used version is 2.0, often with
  extensions. Version 3.2 summarises current practice.

  
   HTML 3.2
    W3C Reference Specification,
    more information
   HTML 4.0
    more information
   Cascading Style Sheets (CSS) 
    W3C Recommendation,
    more information.
   Internationalization of HTML [RFC2070]
   Hypertext Markup Language 2.0 [RFC1866]
   HTML Tables [RFC1942 experimental]
   Netscape extensions to HTML 2.0 and HTML 3.0
   Microsoft HTML, DHTML and CSS information
   See also: HTML Internet drafts, W3C HTML specifications
  



  CGI is the common gateway interface, which specifies how web servers
can call external applications (scripts, programs or other gateways).

CGI information and tutorials (NCSA)
CGI specification




CGI provides a simple way of running programs on the server when a
request is received. However they can be inefficient because they need
to be started each time a request is made. There are various ways of
creating more efficient dynamic responses.


JServ module for Java programs
mod_perl for efficient Perl scripts and modules
FastCGI: a faster version of CGI (Apache module available)





  Server-Side Includes are a way of writing commands into normal
  HTML files. When the HTML file is served to the user, the SSI commands
  are parsed and executed. Apache implements standard SSI, or you can use an alternate
  module for more advanced SSI implementations.
  
   Using Server Side Includes Apache Week feature
   Dynamic Page Languages Apache Week feature
   Apache SSI commands
   NCSA tutorial
   PHP: a full programming language, available as CGI or Apache module
   NeoScript: scripting language module
   Meta-HTML: scripting language CGI
   ePerl: CGI which allows perl to be embedded into HTML
  



  Imagemaps come in several flavours: old-style NCSA cgi-bin program, new
  Apache imagemap module and client-side imagemaps.

  
   Using Imagemaps Apache Week feature
   Apache imagemap module
   NCSA imagemap cgi-bin program: NCSA imagemap tutorial
   Client-side imagemaps [RFC1980]
  



  
  RFC1766 Language Tags (Specification of tags to identify content language)
  RFC1700 IANA Assigned Numbers (IANA allocates MIME types, character set identifiers)
  RFC2279 UTF-8, a transformation format of ISO 10646 (An expanded character set compatible with US-ASCII)
  RFC2046 MIME Media Types
   (MIME types are used to identify content type)
  RFC2083 PNG Specification (A portable, lossless, compressed format for graphics)
  All RFCs
  









Inclusion of a link from this document to an external site does not
imply endorsement by Apache Week or Red Hat, who cannot be held responsible for the
contents of the remote site. Lists of resources may not be exhaustive.







Linux Apache Web Server Administration
Tsan, Min Min
0782141374
0782141382
0782141234


We review "Linux Apache Web Server Administration", for
well-versed Linux administrators who use Apache as their web
servers in a small to medium-sized company.


Book Review: Linux Apache Web Server Administration







We review three out of the eight books in the Craig Hunt 
Linux Library series published by Sybex Inc. The first book 
is the second edition of "Linux Apache Web Server 
Administration" by Charles Aulds, followed by the second 
edition of "Linux System Administration" by Vicki Stanfield, 
and Roderick W. Smith. Both books were published in September 
2002 and reviewed by Craig Hunt. The third book is 
"Linux Network Servers" written by Craig Hunt himself
published in August 2002.


"Linux Apache Web Server Administration" is written for 
well-versed Linux administrators who use Apache as their web 
servers in a small to medium-sized company. It provides a 
good coverage of the necessary topics to arm an administrator 
with sufficient knowledge to get the Apache web server up and 
running, and also administer and maintain it. Its 
table of contents 
lists four appendices, and fifteen chapters that are 
categorised under four main parts.


Part 1: "How Things Work" has two chapters that introduce 
the Web and compare Apache with various free and commercial 
web servers. The next four chapters under Part 2: "Essential 
Configuration" cover installing Apache 2.0.36 from source, 
the binary distribution of Apache 2.0.35, and Apache using 
an RPM, configuring some general directives, installing 
third-party modules as dynamic shared object (DSO) modules 
using the apxs utility, and setting up IP-based and 
name-based dynamic virtual hosts. The third part which 
comprises Chapters 7 to 10 moves on to the advanced 
configuration options, namely how to implement Server-Side 
Includes (SSI), Common Gateway Interface (CGI) scripts, 
FastCGI, a simple MySQL web query, 
mod_perl, PHP, Active Server Pages (ASP), 
Tomcat, Resin, mod_alias, 
mod_rewrite, and GUI configuration tools 
such as Comanche and Webmin. 


Part 4: "Maintaining a Healthy Server" together with the remaining 
five chapters teaches you how to create your own Apache logs, 
track user sessions using mod_usertrack, 
rotate and analyse logs, tweak the performance, use 
mod_proxy, implement various authentication 
and authorisation methods, install mod_ssl, 
be your own Certificate Authority (CA), negotiate content 
based on meta-information, and set up the Red Hat Content 
Accelerator. Appendix A lists all the standard Apache 
directives for version 2.0.39 while the three remaining 
appendices supply the online references for more 
information and teach you how to use them effectively, and 
talk about using Samba, FTP, mod_put, 
Frontpage Extensions, and mod_dav to 
transfer files to Apache.


Although this second edition has been updated to include 
Apache 2.0, it is not the definitive guide to Apache 2.0 
because it does not focus on the new features of Apache 2.0 or
the differences between Apache 1.3 and 2.0. This book is therefore
not for experienced Apache web server administrators who are  
seeking guidance in migrating from Apache 1.3 to version 2.0.
However, it will suit experienced Linux system 
administrators who are new to Apache to a tee as it is easy 
to understand, starts from the basics, and walks you through 
step-by-step instructions to ensure that you are well equipped 
to set up and maintain your very first Apache web server.


Now on to our next book. The updated second edition of 
"Linux System Administration" is aimed at Linux server 
administrators who are already familiar with Unix or 
slightly knowledgeable about Linux. It is not for beginners, 
desk-top Linux users, or Windows users wishing to migrate 
to Linux. 


Its eighteen chapters are divided into four parts and there 
is no appendix as per its  
table of contents.
This book is applicable to all major Linux distributions 
although when specific examples are needed, Red Hat Linux 
7.3 is used.


Once you have finished reading this book, you are well on 
your way to maintaining a Linux server confidently. It covers 
everything you need to know from setting up user accounts, 
implementing a backup and recovery strategy, to 
troubleshooting problems on your system.


Our last book on the list, "Linux Network Servers", targets 
Linux administrators who want to build a Linux server that 
provides network services such as Login, Mail, Printer, 
Network Gateway, and Web Services. As it does not include 
information for you to revise the basics of Linux, readers 
need to possess a fundamental understanding of IP networks, 
Linux commands, and Linux system administration.


Please refer to its 
table of contents 
on how the thirteen chapters are organised under four sections. 
Red Hat Linux 7.2 is used in most of the examples in this book 
although you should be able to apply the information to other 
Linux distributions as well with slight adjustments.


Each chapter in Parts 2 and 3 is dedicated to one service. 
Chapter 6 is about the Apache web server. It shows you how 
to install Apache 1.3.20 using an RPM, configure some 
general directives, fine-tune its performance, define 
name-based virtual hosts, implement access controls, 
configure SSL, and monitor the logs. Basically you will be 
able to maintain a basic Apache web server after this.


For a new Linux administrator without much experience, this 
is a good reference guide to start you off implementing 
standard network services. It is not enough to provide you 
with a more complex setup of an individual service so you 
will need to have another book solely on each specific 
service that requires more advanced configuration. For 
example, to implement an elaborate setup of Apache web 
server, you will require the "Linux Apache Web Server 
Administration" book.






ApacheCon 2002 Las Vegas
Weinstein, Paul

Paul Weinstein visited the Las Vegas ApacheCon in November 2002
and gives his highlights of the interesting news and events



ApacheCon 2002: Day 2

Paul Weinstein visited the four day Apache conference in 
Las Vegas in November and gives his highlights.  The first day of the
conference was taken up by tutorials, the presentations started on the
second day.






Some 500 miles and 19 months after the last conference on the
state of the world for Apache, developers and users gathered in Las
Vegas to converse again about the world's most popular web server.

After a day of tutorials, Ken Coar,
Apache Software Foundation member and Conference Chair, introduced this
year's conference to the over 300 attendees.  The conference 
included 60 presentations, 16 Birds of
a Feather, 3 keynotes, and free access to the Comdex convention floor.
After a brief break, Ken Coar introduced Tim O'Reilly, Founder and President
of O'Reilly and Associates and his topic "Watching the Alpha Geeks."

O'Reilly opened with a quote from Sci-Fi writer William Gibson,
"The future is here, it's just not evenly distributed yet." saying
that Gibson describes exactly how one can understand the ever evolving
world of computer technology.

O'Reilly's premise is that the evolution of technology follows a
simple pattern that can be seen in the adoption and evolution of the
personal computer. Hackers such as those who formed the famous
Homebrew Computer Club started tinkering and developing computers for
personal use as they pushed the technological envelope; these
explorations evolved into businesses such as Apple and Microsoft as
entrepreneurs started to make the new technology easier for ordinary
users; dominant players then emerged that integrated the new technology
into a platform, such as the Wintel platform, where barriers can be
raised to keep other entrepreneurs from integrating into the new
platform, or a healthy ecosystem of corporations can evolve to help the
new platform develop; and finally the hackers and entrepreneurs turn
their attention to new areas, looking for new frontiers such as that
of the Internet and its growth into a new computing platform.

O'Reilly moved on to what he sees going on now within the world of
hackers and the next group of entrepreneurs, with the growing world of
wireless networks, web services and the open source world.

So why then have companies struggled with trying to bring the
wireless world to the public or struggled to build a model around open
source software?  Because according to O'Reilly, these companies are
still trapped thinking in the old model of cheap hardware and
proprietary software that defined the growth of the PC world, and that
just as companies such as IBM had to shift from their world of
mainframes and other proprietary hardware, the business leaders of
today need to change their point of reference in order to fare better
in these new, emerging worlds.

But most importantly, O'Reilly noted, was that the programmers who
build these new technologies, define these emerging technologies, are
designing the architecture of the next iteration of the computing
world. This, O'Reilly feels, is where the world of Apache can help:
by showing what models work in the evolving computer industry, that
of adhering to standards, of building a small, but robust application
with a modular design. In other words, what the hackers and
programmers have succeeded in doing with the Apache server, related
projects and how it is done, shows exactly what can and does work in
the technological world of tomorrow.

The schedule of sessions about Apache on Tuesday included a talk by 
Mark Cox on Revealing Apache
Security Secrets, Jim Jagielski's talk on Migrating to Apache 2.0,
a presentation on the new Proxy module for Apache 2.0 by Graham
Leggett, along with Theo Schlossnagle and George Schlossnagle who put
together a session on deploying
scalable network architectures.  The evening ended 
with a welcoming reception giving food and drinks for attendees to enjoy 
while they socialized and viewed the exhibit floor.




ApacheCon 2002: Day 3

Paul Weinstein visited the four day Apache conference in 
Las Vegas in November and gave his highlights from the third day
of the conference.




Wednesday's late morning keynote featured John Fowler, CTO of
Software for Sun, whose speech "Sun and Open Source: A Bright Future"
allowed Fowler to discuss Sun's commitment to Open Standards and the
Open Source community.

Fowler noted that since Sun's founding over two decades ago, the
use of open standards and community participation has been of major
importance. Fowler believes that since the founding of Sun there has
been an overall shift within the computer industry from developing and
selling new technology to that of building solutions that implement
open standards. This shift is allowing technology that might originate
from competing vendors to work together, providing an overall solution
a customer can use, instead of having various vendor components that
might solve one problem or another, but overall don't communicate or
work together. Moreover, Fowler believes that the Apache project is a
perfect example of open standards at work since the server is widely
used and of such a benefit because of what standards it implements and
how it handles those implementations.

In relation to the open source community at large, Fowler noted the
major contributions Sun has made not only to Apache and related
projects such as Tomcat, but also in non-Apache related projects such
as the Gnome desktop and OpenOffice.org. Fowler feels that the work
Sun has done with projects such as Apache have fundamentally changed
how Sun operates, noting that open source communities can magnify the
impact of a software project, not just in how many developers
contribute or what is contributed but also in actual deployment of a
project's technical solutions, because of the overall openness of the
community.

A number of large and small companies shared their unique view of
Apache and the open source world on the expo floor during the three
days of talks.

AMD and Covalent took the most advantage of the conference by announcing
a co-development project that includes Red Hat to port the Apache
code base from the 32-bit architecture that allows it to run on the
most commonly found x86 microprocessors to the 64-bit architecture
that AMD is developing for its Opteron line of processors.

To help highlight John Fowler's speech, the Sun booth was dedicated
to the various open source projects, both Apache and non-Apache, as
well as exhibiting the versatility of its Java programming language,
again in conjunction with the Apache server as well as on its
own.

Apple highlighted its Apple Developer Connection, which assists
developers in deploying desktop and server systems based on Apple's
Macintosh OS X platform. Apple of course has a number of web and network related tools
available and includes the Apache Web Server by default in both
the desktop and server versions of OS X.

Sams Publishing and BreakPoint Books were on hand to sell Apache and other
web related books for the conference attendees. The books available covered
just about any subject, from basic CGI programming to Java Servlets to
Apache 2.0.  A few other retail vendors filled out the low key expo floor
including Daemon News which was featuring BSD Mall and
Hackerthreads.com.

Wednesday, the busiest of the three days, brought Derek Ferguson's
talk on Integrating Apache with Microsoft's .Net and a session on the
next
version of the XML parser Xerces given by Andy Clark. The
afternoon sessions included George Schlossnagle's discussion about how to get the
best performance from PHP, a talk by Gerald Richter on Embperl as
well as talk by me, Paul Weinstein, on how to use and run a private
certificate authority for authentication with Apache.




ApacheCon 2002: Day 4

Paul Weinstein visited the four day Apache conference in 
Las Vegas in November and gave his highlights from the final day
of the conference.


 

Thursday, the final day of ApacheCon, featured a keynote from Richard Thieme whose speech,
"New Ways of Thinking About Security: Open Source Thinking in a
Bunged-up World", picked up where Tim O'Reilly left off by reiterating
the idea that open source is about more than just code, but in reality
is a way of living and thinking. This open source way of thinking is
at its fundamental level based on the methods of communication that
are commonly used within open source projects. Thieme also noted that
these projects, and more importantly those who contribute to and use open
source technology, have become fluid individuals whose own identity is
more modular, less rigid than that of past generations, primarily because
of the modular, distributed communication systems that are now
commonly used.

Just as O'Reilly sees his 'Alpha Geeks' as the early adopters of
technology, Thieme sees these early adopters of open source and the
open source ethic as a new social network emerging from preexisting
boundaries. Because of this, Thieme thinks that security issues from
around the world need to be seen in this new distributed world
view. He noted that ApacheCon was indeed about a community coming
together in a physical location, but really is about sharing secrets,
and how the Apache community shares its secrets, or chooses not to, can
help those who are charged with building the next generation of
security policies and laws. In other words, issues of security,
privacy and even intellectual property need to be built on these
new emerging communities and boundaries, thus being beneficial, instead
of building policies and laws that enforce old political and social
boundaries that no longer make sense in the new, modular world of
networked communities. 

Presentations on Apache for Thursday included Greg Stein's session
introducing WebDAV and
Apache as well as Rob McCool's presentation on Stanford
University's project to deploy machine readable content on the
web. Mads Toftum's session on doing URL manipulation using
mod_rewrite, Mark Wilcox's session on implementing LDAP, along with
presentations on data management in Apache 2.0 by Cliff Woolley and
performance tuning Apache by Thomas Wouters, helped round out the
afternoon.

No doubt the highlight for many of this year's ApacheCon
attendees was the Closing Session where Ken Coar raffled off a
number of goodies supplied by the conference vendors including books,
AMD processors and other wonderful swag. But most importantly to those
in attendance and to the Apache community at large came the
announcement that 2003 will see two ApacheCon conferences: the return
of ApacheCon Europe, which will occur in the spring at a location yet to be
determined, and ApacheCon US, which will return to Las Vegas in
November.

Overall most attendees seemed impressed with the return of
ApacheCon. While the production of the event was modest compared to
previous conferences, the presenters and the
presentations were of the same high quality one would expect. Indeed,
with so many interesting talks it was easy to find people cutting out
of one presentation to hear the end of another, and 
this report only mentions the
more typical Apache topics available for attendees.  Most importantly,
ApacheCon has shown that it is still The Apache Event for Apache
developers and users to come together and discuss everyone's favorite
web server.

Photos
from ApacheCon 2002






SAMS Teach Yourself Apache 2 in 24 Hours

0672323559
Tsan, Min Min

Aimed at beginners and intermediate users of Apache 2.0 this book
covers how to 
install, build, configure, customise, monitor, and troubleshoot Apache 
2.0 on a variety of platforms ranging from Linux, Windows to other 
Unix flavours.



Book Review: SAMS Teach Yourself Apache 2 in 24 Hours 





Apache 2 has now been included in the "SAMS Teach Yourself in 24 Hours" 
series since June 2002. The book is written by Daniel Lopez Ridruejo with 
contributing author Ian Kallen. It is aimed at beginners and intermediate 
users of Apache 2.0 on how to install, build, configure, customise, 
monitor, and troubleshoot Apache 2.0 on a variety of platforms ranging 
from Linux, Windows to other Unix flavours.


In line with the other books in this series, it contains 24 chapters known 
as Hours meant for one hour of reading each with a "Q&amp;A" section, and 
a "Quiz" section at the end of each chapter to test how well you 
understand what you have just read. Answers are provided for the quiz 
section immediately after the questions so you don't have to worry about 
figuring out the correct answers yourself. The 
table of contents 
can be found at its 
companion website along 
with three sample chapters, the errata, and a web page that tracks  
Apache 2.0 updates since this book was published. 


The 24 Hours are divided into three parts. Hours 1 to 10 which make up 
the first part cover the internals and basics of Apache for you to get 
Apache 2.0 up, running, and serving static and dynamic content. Part I 
also includes setting up authentication and authorisation, customising 
and analysing logs, manipulating environment variables, and using 
Comanche and Webmin GUI to 
configure Apache. Part II consists of Hours 11 to 17 about advanced 
Apache topics namely multi-processing modules (MPMs), filters, 
mod_dav, Microsoft FrontPage, 
virtual hosts, proxy servers, performance tuning, 
OpenSSL, and mod_ssl. The final 
part (Hours 18 to 24) talks about installing additional modules, 
PHP, mod_perl, 
Tomcat, mod_rewrite, and 
migrating to Apache 2.0 from previous versions of Apache or other 
web servers such as Microsoft IIS and iPlanet.


The following Hours are singled out for being the crux of the book. Hour 
2 introduces the new features that appear in Apache 2.0 such as MPMs, 
filters, multiprotocol support, and the Apache Portable Runtime (APR) 
but IPv6 support is not mentioned. It also touches on Apache architecture 
and how requests are processed through several phases. The four main 
MPMs (prefork, worker, perchild, and windows) are described in detail 
in Hour 11 and tips are given on points to consider when choosing an 
MPM during configuration before being compiled into the server. The 
next Hour elaborates on filters by presenting three Apache modules 
written as filters: mod_deflate,
mod_include, and mod_ext_filter 
and showing how they can be configured. It doesn't delve into the 
complex topic of writing your own Apache filter. The penultimate Hour 
provides some general guidelines for migrating to Apache 2.0 from 
previous versions of Apache, and other web servers such as 
Microsoft IIS and iPlanet, while highlighting the pros and cons of 
each migration.


Overall, this book is a scrumptious appetiser to a full course of Apache 
2.0 because it leaves you hungry for more. Its explanation in layman 
terms, and useful diagrams build the foundation for you to absorb more 
in-depth information about Apache 2.0 from other sources as suggested
in the "Further Reading" section. However, the information it provides 
is sufficient to enable Apache 1.3 users to migrate to the second version. 
Web server administrators who are new to Apache may find it useful to 
read through the whole book and may take more than 24 hours to digest 
its contents before moving on to a more advanced book. Apache 1.3 users 
who are in a hurry can just focus on the Hours about Apache architecture 
(Hour 2), multi-processing modules (Hour 11), filters (Hour 12), migration 
to Apache 2.0 (Hour 23), and skim through all the rest of the Hours.







Apache Administrator's Handbook

0672322749
Tsan, Min Min

A practical, hands-on 
guide on how to install, configure, and administer the Apache Web 
server for Apache Web server administrators and Web dynamic content 
developers.



Book Review: Apache Administrator's Handbook 





"Apache Administrator's Handbook" by Rich Bowen and two contributing 
authors, Allan Liska and Daniel Lopez, was first printed by 
Sams Publishing in March 2002.  It is intended to be a practical, hands-on 
guide on how to install, configure, and administer the Apache Web 
server for Apache Web server administrators and Web dynamic content 
developers. The book stresses that it is not meant to be a 
comprehensive Apache manual, so it does not provide a detailed listing 
of all the Apache directives, their usage, and syntax. Neither does it cater 
for Apache module developers. It covers mainly Apache 1.3 and only 
touches briefly on Apache 2.0, as Apache 2.0 was still in beta when the 
book was published.


The book consists of 27 chapters organised under 5 main sections with 
6 appendixes. You may refer to the 
table of contents 
listed on its companion website. 
Currently Part V which comprises chapters 25 to 27 about Apache modules 
in general is missing from that page. As with most first editions, there 
are minor errors so 
a list of errata 
is also available on the site. Each chapter is short and written in a 
succinct style so it is easy to read and understand the whole book in one 
sitting without fear of brain damage even if you are only slightly 
familiar with Apache. It would be more useful to you if you read this book 
while sitting in front of your computer and trying out the examples when 
you encounter them. In fact this is what the author hinted you should be 
doing.


Compared to other Apache books on the market, this book contains more 
information about running Apache on Windows. Chapter 12 concentrates 
solely on the details for installing Apache on Microsoft Windows, and lists 
the differences between Apache on Windows and Unix, namely the multithreaded 
versus preforked model. There are also short sections about 
mod_perl on Windows, and security tips for running Apache 
and CGI scripts on Windows. Chapter 23 is all about web spiders, what they 
are, their pros and cons, how to identify spiders that visited your web site, 
how to block them, and even shows you how to write your own spider with a 
sample spider written in Perl.


Although the publishers categorise this book under user level intermediate 
to advanced, I feel that this book is more useful to web server 
administrators who are totally new to Apache, because it explains in 
simple terms how to get started with Apache, what Apache is all 
about, and general Apache concepts, and does not touch on the Apache source code 
or any complex configuration at all. If you are already an Apache expert 
and are only looking to advance your knowledge about Apache, then there is no 
point in getting this book. However, if you are migrating to Apache from 
another web server or thinking of using Apache on Windows, then this is a 
good book for you to start with.






Apache 2.0.43 Released 
Orton, Joe
Apache 2.0.43 was released
    on the 3rd October 2002. This release addresses recent security
    issues on non-Unix platforms, some minor bugs found in the 2.0.40
    release, and adds some new features.




    
      Apache 2.0.43 was released on 3rd October 2002 and is
      now the latest version of the Apache 2.0 server. The previous
      release was 2.0.42, released on the 24th September 2002.
      See
      what was new in Apache 2.0.42.  
    
    
      Apache 2.0.43 is available in source form for compiling on
      Unix or Windows, for download from the main Apache site
      or from any mirror
      download site.
    
    
      This is a security, bug fix and minor upgrade release.
      Due to security issues, any sites using versions prior to
      Apache 2.0.43 should upgrade to Apache 2.0.43.
      Read more
      about the other security issues that affect Apache 2.0.
    

 




Fix the security vulnerability regarding a cross-site scripting
vulnerability in the default error page when using wildcard DNS.


Fix the exposure of CGI source when a POST request is sent to 
a location where both DAV and CGI are enabled.


Fix the security vulnerability regarding some possible
overflows in ab.c which could be exploited by a malicious server.






    
      The following bugs were found in Apache 2.0.42 and have been
      fixed in Apache 2.0.43:
    
    

The UserDir directive has been fixed
to again take a list of user names to enable userdir access for,
as per 1.3.

Flushing behaviour has been improved, to ensure that available
response output is flushed when no new output is pending; helping
streaming CGIs and other dynamically-generated content

mod_auth_ldap has been fixed to retry
connections to the LDAP server if it becomes unavailable.

Fix for a locking problem in mod_ssl's session
cache code which could cause infinite loops on some platforms

Fixes for mod_cache to prevent a segfault
when attempting to cache some combinations of content (for instance,
when using SSI tags which execute CGI scripts), and to correct
the CacheMaxStreamingBuffer directive
for virtual hosts

The default server root directory in suexec has
been fixed to match the default install root

mod_proxy was fixed to not strip
WWW-Authenticate headers on 4xx error responses, which
prevented server authentication from being performed via the proxy.





    
A new module, mod_logio, has been added which
allows logging of the number of bytes sent and received by the server.

A -p option has been added to apxs
to allow programs to be compiled using this tool.








Professional PHP4 XML

1861007213
Benson, Gary

There are lots of books about PHP and there are lots of books about
XML, but there are very few books about PHP and XML.  Wrox Press have
attempted to fill this niche in the market with "Professional PHP4
XML".



Book Review: Professional PHP4 XML 






A brief introduction is followed by a pair of chapters covering the
fundamentals of PHP and XML which, while comparatively
short, are densely packed and serve as good introductions to the two
technologies.  Chapter 4 presents concise summaries and example uses
of all the major XML derivatives and vocabularies and is followed by
four chapters detailing SAX, DOM, XPath and XSLT in enough depth to
enable users to make informed choices as to which is the best tool for
the job in hand.  As well as the expected tutorials and examples, each
of these chapters also explores why you would use the method in
question and describes how to install and enable any PHP extensions
that are required.

Chapter 9 describes a number of third-party packages and classes
which simplify application development, and Chapter 10 presents a
number of common tasks and explains the pros and cons of using
different methods to complete them.  The remainder of the book builds
on the information covered thus far, exploring such topics as content
syndication using RSS, XML storage solutions, and various web services
technologies such as WDDX, SOAP and XML-RPC.

My main issue with this book is its disjointedness: there are seven
authors cited on the front cover and it is blatantly obvious that the
chapters were written by different people and that very little
integration work was done.  The differences are mostly stylistic,
although the chapters on XML-RPC are frankly awful and cast a shadow
over the rest of the book.  The only other issue I had was that the
book is a little verbose, although this is more a matter of taste: if
you enjoyed other books in Wrox's "Programmer to Programmer" series
then you'll have no problems with this one.

Weighing in at very nearly a thousand pages this is not a book that
you'll lose down the side of the sofa, but the sheer size of its subject area
means that the priority is breadth rather than depth of coverage.  And
that's no bad thing: after absorbing the core of the book you'll be in
a fine position to choose the correct tool for the job in hand.
You'll also have a head start in locating and understanding more
in-depth information on the techniques that you decide to use.

This book is targeted at people with some PHP experience and no XML
knowledge and it is well paced for its target audience; readers with
no PHP or XML experience will probably find it hard going.  Although
the book is written like a tutorial it has a number of useful
appendices which will ensure that it remains a useful reference long
after you finish reading it.






Apache 2.0.40 Released 
Cox, Mark J
Apache 2.0.40 was released
    on the 9th August 2002. This release addresses recent major security
    issues on non-Unix platforms, some minor bugs found in the 2.0.39
    release, and adds some new features.





Apache 2.0.40 was released on 9th August 2002 and is now
the latest version of the Apache server.  This is the fourth stable
release of Apache 2.0, following up on 2.0.39 which was released on
18th June 2002.  Read our special
feature for more information about the history of Apache
2.0.

Apache 2.0.40 is available in source form for compiling on Unix or
Windows, for download from the main Apache site or from
any mirror download
site.

    
      This is a security, bug fix and minor upgrade release.
      Due to security issues, any sites using versions of Apache 2
      on Unix prior to
      Apache 2.0.39 should upgrade to Apache 2.0.40.  Sites using
      any versions of Apache 2 on other platforms should upgrade to
      2.0.40.
    





Certain URIs will bypass security
and allow users to invoke or access any file depending on the system 
configuration.

A path-revealing exposure is present in multiview type
map negotiation (such as the default error documents) where a
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served.

A path-revealing exposure in cgi/cgid when Apache
fails to invoke a script.  The modules would report "couldn't create 
child process /path-to-script/script.pl", revealing the full path
of the script.






The new features in this release (added since 2.0.39) are:



mod_rewrite can now set cookies using the CO extension

Performance improvements for the code that reads request
headers

Proxy FTP now works over IPv6

Changes to the internationalized error documents; they are no longer
included by default in the sample configuration file.

Add a new directive, MaxMemFree.
MaxMemFree makes it possible
     to configure the maximum amount of memory a particular
child's allocator will
     hold on to for reuse.  This directive is useful when uncommon large
     peaks occur in memory usage.  

Support the -w flag to keep the Win32 console open
on error.

Add the ability to enable or disable a filter via
an environment variable.

Apache on NetWare will now pull requests off the
listen queue as fast as Winsock will allow, without the latency introduced by the
accept mutex.

During installation Apache will preserve existing installation
directories.  Binaries, the build directory, the headers, and the man
pages are all copied.  Everything else, the config, htdocs, manual,
error, icons, and cgi directories are not installed if the directories
already exist






The bugs fixed in this release include:



Fix a long-standing bug in 2.0 where CGI scripts were being called
with relative paths instead of absolute paths.  Apache 1.3 used
absolute paths for everything except for suEXEC; this brings back
that standard.

Restore the ability to specify host names on Listen directives.


Accept multiple leading /'s for requests within the DocumentRoot.


Fixed a mod_include error case in which no HTTP
response was sent to the client if an shtml document contained an
unterminated SSI directive

Prevent infinite recursion if an ErrorDocument
gets an error

Fix segfault in mod_mem_cache most frequently observed when
serving the same file to multiple clients on a multi-processor machine.

Various fixes to the experimental module mod_ext_filter,
including: look in the main server for
filter definitions when running in a vhost if the filter definition is
not found in the vhost;
fix a segmentation fault if the content-type was not set;
and ignore any content-type parameters when checking if
the response should be filtered.

Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests.  

Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
scripts would not result in a truncated response.

Fix proxy so that it is possible to access ftp: URLs via a proxy
chain. 

Fix perchild to work with apachectl by adding -k support to perchild.


Fix the long-standing bug in ab where
ab -t10 would loop for 10000 seconds
instead of 10 as documented. Also fix an off-by-one-second error.

Fixed parsing of strings to longs which allows HTTPD to deal
with larger files correctly

mod_deflate now checks to make sure that
'gzip-only-text/html' is set so that BrowserMatch
can be used to control the module

Add a filter_init parameter to the filter registration functions
     so that a filter can execute arbitrary code before the handlers
     are invoked.  This resolves a problem where mod_include requests
     would incorrectly return a 304.  

A problem with the keepalive enumeration caused problems
when mod_dav sends error responses

Various minor fixes to the htpasswd utility including








The following platform-specific changes have been made:



Solved the reports of .pdf byterange failures on Win32.


Support WinNT CGI invocation through 
ScriptInterpreterSource 
'registry' for script interpreter paths and names with non-ASCII
characters in the executable filepath.

Fix WinNT CGI 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-UTF-8 format.  This brings
Win32 back into CGI/1.1 compliance, and leaves charset decoding up
to the CGI application itself.

When deciding on the default address family for listening sockets, 
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6.  This fixes a startup
problem on certain levels of OpenUNIX. 










O'Reilly Open Source convention in 
San Diego
Weinstein, Paul

Paul Weinstein visited the five day O'Reilly Open Source Conference in 
San Diego this week and gave his highlights of the interesting news and
events



O'Reilly Open Source Conference: Day 3

Paul Weinstein visited the five day O'Reilly Open Source Conference in 
San Diego this week and gave his highlights.  The first two days of
the conference were taken up by tutorials.



Tim O'Reilly introduced 
(photo)
the first keynote speaker for this year's Open
Source Conference, Lawrence Lessig, as "my favorite keynoter." Lessig, a
professor of law at Stanford Law School, is a vigilant defender of freeing
content from the growing limitations of copyright law within the United
States. He began by confessing that this would be his second to last keynote
and therefore wanted to leave a four-part refrain with the audience:

    Creativity and innovation always builds on the past
    The past always tries to control the creativity that builds on it
    Free society tries to protect the future by limiting the control of the
past
    Ours is less and less of a free society


It seems history has shown that creativity and innovation always build on
the past. A perfect example of this property of culture, according to
Lessig, can be seen in Walt Disney's "Rip, Mix and Burn[ing]" of fairy tale
classics in the Twentieth Century. Yet, at the same time the past always
tries to control what can be created. Again Lessig cited that Disney, or
in this case the Walt Disney Corporation, has successfully lobbied for a number
of the 11 total extensions of copyright law, extending limitations on
creative works from 17 years to 95 years. Thus the Walt Disney Corporation
has kept others from doing to Mickey Mouse what Disney did to the Brothers
Grimm.

Worse, according to Lessig, is that technology has helped in the expansion
of control that the reworking of copyright law has started. A perfect
example is Adobe's E-Reader, which limits the ability to cut-and-paste text,
making it difficult for someone to even quote text for a research paper,
something that is not only possible with print, but has been legally upheld
as "fair use."

A silver lining would be that within a free society one could take a stand
against these abuses. After all, who wants to live with Hollywood's "insane
rules being applied to the whole world?" The problem is that applying direct
pressure for change within the United States can be difficult. As retiring
US Congressman JC Watts described it, "If you're explaining you're losing."
Lessig then asked, "What have you done? How many of you have given the 
EFF more than you've
given to the other side [for music CDs or movies on DVD?]"

This last refrain of Lessig's points to exactly why members of our free
society should care about the limitations of our laws and technology: "never
in our history has so few people controlled so much of our culture."  What
needs to be done is to "Free Culture" and "Create like it's 1790", when
copyrights only extended to a narrow number of years and when copyright was
understood to be a limitation on businesses and not a limitation on what
individuals could do in creating culture.

A perfect stage was now set for the second keynoter of the morning, Richard
Stallman, whom Tim O'Reilly admitted to butting heads with on occasion, but
who had a "very creative way to deal with the problems of today." RMS took
right to telling everyone, "Unlike some of you, I am not an open source
developer. I'm an activist in the free software movement."

In the 1980s RMS was dealing with the death of the free community that he
knew in the 70s. What choice did he have while all the operating systems
were proprietary? His solution: he started the Free Software Foundation. 
"This was the only thing I could do," he conceded.

RMS sees "a possibility of freedom" if "you make sure all of your software
is free." While the strides with GNU/Linux have been great, the "job isn't
done till all the software is free."

But what does RMS mean when he says the software has to be free? To this he
listed four conditions that have to be met:
    
    Freedom Zero is the right to be able to run the software any way you
want
    Freedom One is the ability to understand and change the software
    Freedom Two is the ability to share the software, changes or no, with
friends
    Freedom Three is the ability to help build your community using the
software


"Geeks like to think that they can ignore politics, you can leave politics
alone, but politics won't leave you alone," RMS noted, echoing Dr. Lessig;
"we have to reject" efforts by politicians such as DRM - Digital "Rights"
Management. According to RMS, DRM isn't about rights; it's about theft, 
theft of our freedoms.

RMS then took the rest of his time to poke fun at the image that some people
have of his "holier than thou" attitude. After dressing himself
in an outfit appropriate for a holy figure, RMS pronounced himself "Saint 
iGNUcius of the Church of Emacs" and provided a prayer to bless one's 
computer.  One should "exorcise evil proprietary operating systems"; doing so
would put one on the road to sainthood.  (photo)

During lunch on Wednesday Tim O'Reilly took time to ask questions of
RealNetworks Chairman and CEO Rob Glaser about Real's announcement that they
will be providing parts of their code for their next generation media
platform Helix to the open source community. Glaser first reviewed the
announcement for the audience:

    Helix is a platform for streaming media
    Helix Community has been created for work on the components for this new
platform
    The client application source code will be available in 90 days with the
encoder and server source code to come out at the end of 2002.
    Helix Universal Server, a commercial product from Real, delivers all
types of media formats such as Windows Media, mp3, even Ogg Vorbis.


When asked "Why now?" Glaser replied that within RealNetworks there has
always been strong internal support for open source, but Real needed to make
sure that open sourcing part of their code-base worked such that Real could
still provide a value-added business on top of their base technology. Moreover,
embracing the open source community helps make sure open standards such as
RTP and RTSP are implemented properly.

Glaser continued by discussing the dual-licensing approach of using a
GPL-inspired license called the RealNetworks Public Source License along
with a Java-style license called the RealNetworks Community Source License
saying, "We studied a lot not just how to connect with the community, but
also how to build a licensing model that would allow our commercial partners
to build and maintain compatible applications."



O'Reilly Open Source Conference: Day 4


Thursday started with two keynotes about the role of open source technology
in the world of Bioinformatics. Ewan Birney, of the European Bioinformatics
Institute, started by giving a crash course on how Bioinformatics is a fusion
of Biology, data gathering, and computer science and computer technology.

As an example Birney noted that one of EBI's projects is to provide the
Human Genome data for all to see. 
In doing so EBI uses a combination of
open source technologies such as MySQL, Linux, Perl, Python, Apache and
mod_perl. While the code developed to run the site is available under a
BSD-style license, the greater result is that the 3 Gigabytes of information
that detail how to make a Human are open to anyone, without restriction.

Jim Kent, a research scientist at University of California, Santa Cruz
continued by noting "I don't think you can have science without open
source." Kent observed that the practices of science and those of the open
source community are virtually the same, "People can't do [reproduce
meaningful results] unless they can see your source" and peer review helps
generate better science as well as better software.



O'Reilly Open Source Conference: Day 5

Friday, no doubt, was the day that made the conference for many attendees, as
they saw how open source can assist in the production of movies such as The
Lord of the Rings trilogy, heard Bruce Sterling rant about the computer
industry and watched Bruce Perens keep himself from being fined half a
million dollars for breaking the DMCA - Digital Millennium Copyright Act.

Milton Ngan from Weta Digital, the special effects house created by Peter
Jackson, helped open the final day by discussing how open source tools are
used to produce the Lord of the Rings. First, however, he entertained the
audience by providing a preview of the next Lord of the Rings release, The
Two Towers.

In creating effects for a movie the first step for Weta is to scan in
the whole film for digitisation, "a process that takes two weeks,"
according to Ngan. The production system consists of 125 SGI machines
running Irix, 200 Linux machines and 25 NT boxes. Rendering an effect
completely takes around 20 hours, and it is then played back on a handful of
Macintoshes for review. Once finished it takes another 2 weeks to transfer
back to film. 

The open source tools Weta uses include Perl and MySQL for data storage and
manipulation. Ngan also noted "Apache and PHP are used for running [Weta's]
Intranet." Using open source tools in such a rugged environment "pushes the
boundaries, which helps solidify the tools."

Weta Digital indeed tries to give back to the open source community when
possible, but Ngan noted that there is little sharing of tools within the
Computer Graphics Imagery industry: "everyone has created their own
solution." Moreover, while Weta does own the tools it created and New Line
Cinema owns the images created by those tools, the focus and dedication of
resources is in the post-production work for Lord of the Rings. If Weta
Digital is not selected for any other production work it will simply
cease to exist, thus limiting the resources available to prepare their code
for release to the community.

Bruce Sterling started his talk on "A Contrarian Position on Open
Source" by conceding that he was the token novelist, a non-programmer,
talking to programmers about how to program, something akin to "a non-miner
going down a mine and asking, 'Why don't you take some time to plant
something down here and brighten the place up?"

Sterling took an opposing view to the "Cathedral and the Bazaar"
metaphor of
relating the open source methodology or "bazaar" to commercial
"closed-source cathedral." "It's not really about a bazaar. Open Source is
about hanging out with the cool guys - very tribal and very fraternal."
Which means the price for using open source software such as Linux is
"having to spend time with Linux Geeks." In fact if open source technology
is analogous to anything it's "just like in a refugee camp, one puts in a
long amount of time for nothing."

But then again, what is the alternative? Foreshadowing Bruce Perens' talk,
Sterling observed that a computer running Microsoft Windows is more akin to
an airport. There are "men with automatic weapons, surveillance cameras all
over the place. You can't sob as you kiss your mother goodbye at the
airport, because it's all on videotape. Then a security check, assumes
you've swallowed dynamite and will kill any one you see. All the while
attendants ask you snidely 'Where do you want to go today?' As if they're
doing you some sort of favor."

The real problem is that "the computer industry wants to be hot and sexy."
'Information wants to be Free' or 'Information is the Economy' are slogans
heard all the time. Yet this isn't what computers are about, freeing
information or making money. "Computers are about relationships," they are
an enabling technology not an end unto themselves.

Days before Bruce Perens, who currently works as a Senior Strategist
and Evangelist of Linux and open source software with Hewlett-Packard, was
scheduled to talk, he started making the news with his plan to violate
the DMCA by describing how to work around DVD player controls. Since the
DMCA prohibits making information available on how to circumvent copyright
controls, HP asked Perens to take a pass on opening himself and HP to
litigation. "I care more about this than getting myself fired," Perens
stated, "but the fact is that getting myself fired today would hurt
Hewlett-Packard's Linux program."

With the disclaimer that the talk he was about to present was his own
personal opinion and not that of HP, Perens vocalized some of the problems
he sees in the computer industry. His desire to discuss how to work around
DVD controls such as the 'Zone Coding' constraint systems that limit what
geographical region a DVD can be viewed in, was designed to highlight how
the DMCA, "has no exception for fair use" and removes the personal choice of
allowing someone to "purchase a DVD in England on vacation and watch it at
home in America." 

Perens continued by stating his concerns with Microsoft's Palladium
initiative which "is built on the assumption that the computer user can't be
trusted, thus your own computer must prevent you from doing harm" and could
be the "end of open computing." After all how can one run a system akin to
Linux when a "chip on the motherboard mediates your access to information"
and "all digital content is encrypted for mediation by the chip." People may
not even be able to print out information from a web page for use away from
one's computer without paying a fee. The "unpleasant sociopolitical
implications are that this Supply-Side Thinking that dominates politics
today devalues the customer, citizen, individual."

Perens then picked up the common theme from those before him. "What Can You
Do?" his presentation slide asked. Since "policy affects all of us and since
we as individuals don't get the choice of voting with our wallets," we need
to make our voice heard the 'old fashion way'. "Become pen pals with your
politician - use paper not email, vote" and, probably most importantly, "talk
about this to the people around you."






Professional Apache 2.0

1861007221
Tsan, Min Min

Wrox Press Ltd's latest Apache book in its "Programmer to 
Programmer" series targets web server administrators and 
experienced Apache users who are interested in migrating 
from Apache 1.3 to Apache 2.0 web servers.



Book Review: Professional Apache 2.0 






"Professional Apache 2.0" by Peter Wainwright, published 
recently in May 2002 by Wrox Press Ltd, could be considered 
the second edition of "Professional 
Apache", published in 1999 by 
the same author and publisher, with updated material on 
Apache 1.3, and information about Apache 2.0 such as new 
features and differences from Apache 1.3 added where 
appropriate. This "revision" includes contributions from 
7 co-authors, splitting one chapter into two and fleshing 
out the second portion to create a new chapter about 
improving web server security, more third party modules, 
an introduction and a summary to each chapter, more 
diagrams, and the reorganisation 
of the sequence of some subsections within the chapters.


The target readers of this book are experienced Apache 
users and web server administrators who are using Apache 
for the first time. It requires you to have a fundamental  
knowledge of the Web, operating systems, and network 
settings although the first chapter revisits the basics of 
networking, HTTP, and how Apache works.


Its 896 pages are divided into 12 task-based chapters, 
sequenced to follow the order in which you would tackle 
each task when implementing a web server, and 10 appendices.
Despite the name of this book, it does not fully concentrate 
on Apache 2.0 alone but covers a wide range of topics 
including performance, security, and 
third party modules such as FastCGI, PHP, 
mod_perl, mod_dav, 
mod_python, mod_snake, 
mod_tcl, mod_ruby, 
two connector modules for Tomcat - mod_jk 
and mod_webapp, and 
mod_ssl (including OpenSSL).


Like its predecessor, the book is written in a continuous 
narrative style with many examples and tables, 
but is not suitable for occasional browsing as it lacks 
eye-catching sections for notes, tips, and warnings. The 
examples are provided using a mixture of Apache 1.3.24, 
Apache 2.0.28 (second beta release), and Apache 2.0.32 
(third beta release).


The book begins with a short introduction to basic 
concepts in chapter one, followed by different methods of
installation, building Apache with various configuration 
parameters, the structure of the configuration file, and some basic 
configuration directives in chapters two to four. After that 
come the advanced topics, which include delivering 
customised and dynamic content, fine-tuning performance, 
and monitoring and analysing log files with third party 
programs. The next two chapters focus on a key topic, 
security: configuring various authentication methods, 
securing Apache with mod_ssl, hardening
the underlying operating system and machine that Apache 
runs on, and setting up a security checklist. In the
final chapter,
detailed instructions on how to install third-party 
modules are provided for both Apache 1.3 and Apache 2.0.


Generally, the Apache directives are not listed one by 
one with syntax and explanation as in other Apache books, 
but are instead introduced gradually through 
real-world examples. However, the 
appendices have two lists of all the directives, sorted by 
module and by name, for easy reference, a list of additional 
third-party modules (commercial and non-commercial), details of some 
commercial Apache variants, and a quick guide to the regular 
expression syntax used by Apache.


Overall this is a comprehensive book for users interested 
in the Apache web server in general and for those intending 
to set up a secure Apache web server.  Steps are provided 
on how to install a private key, generate a certificate 
request and temporary certificate, and apply for a signed 
certificate although it doesn't cover setting up a
private Certificate Authority. It also includes enabling 
support for an SSL proxy, per-directory certificates, and 
external hardware cryptographic engines.


If you are interested solely in Apache 2.0 and migrating 
modules to Apache 2.0, you may be in for a disappointment. 
Although most Apache 2.0 information can be found within
this book, it is interspersed with information about Apache
1.3. Depth is 
also sacrificed slightly for breadth of coverage. It would 
have served the reader better if it had distinct sections for 
steps that apply to both Apache 1.3 and Apache 2.0, steps 
that apply only to one particular version, the 
differences between versions, and steps 
for migrating from Apache 1.3 to Apache 2.0 with emphasis
on the pitfalls to avoid. 


These flaws may be due to the fact that this book 
is actually a revised version of "Professional Apache". 
Instead of organising the book to enable readers to fully 
utilise and distinguish information between Apache 1.3 and 
Apache 2.0, the editors chose to insert information about 
Apache 2.0 into the original book where applicable and make
updates to the information about Apache 1.3 where necessary.


Despite its shortcomings, all is not lost, as this book 
really does contain a wealth of information - although you may 
have a little difficulty locating what you need and it may 
not delve into the subject as much as you would like it to.
Contrary to my complaints, Chapter 12 does have clear-cut 
sections on building third-party modules under Apache 1.3 
and Apache 2.0 with a specific section on how to migrate 
mod_perl from Apache 1.3 to Apache 2.0. 
It also includes steps for installing 
mod_snake (which is 
no longer maintained 
by its creator). Therefore, it may be worthwhile to get this book 
just for this last chapter of "Extending Apache" if you 
really need the third-party modules that are covered to 
work with Apache 2.0. Some readers may need to be 
reminded that chapter 12 is not about how to write modules 
for Apache 2.0 and thus does not cover the Apache 2.0 API. 


This book is ideal for someone who wants to know almost 
everything about Apache 1.3 and Apache 2.0, and has the 
patience and time to read through the book. Due to its 
verbose nature, some paragraphs may need to be re-read 
to fully grasp the meaning. If you're a very experienced 
Apache user and can't find a book about Apache 2.0, 
give this book a go and you may be pleasantly surprised 
(if you do not set your expectations too high).
All you stand to lose is £37 (USD 50).







Apache 1.3.26 Released 
Cox, Mark J
Apache 1.3.26 was released
    on the 18th June 2002. This release addresses a recent security
    issue, some minor bugs found in the 1.3.24
    release, and adds some new features.


    
      Apache 1.3.26 was released on 18th June 2002 and is
      now the latest version of the Apache 1.3 server. The previous
      release was 1.3.24, released on the 22nd March 2002.
      See
      what was new in Apache 1.3.24.  Apache 1.3.25 was never
      released.
    
    
      Apache 1.3.26 is available in source form for compiling on
      Unix or Windows, for download from the main Apache site
      or from any mirror
      download site.
    
    
      This is a security, bug fix and minor upgrade release.
      Due to security issues, any sites using versions prior to
      Apache 1.3.26 should upgrade to Apache 1.3.26.
      Read more
      about the other security issues that affect Apache 1.3.
    

     





Fix the chunked encoding security vulnerability.





    
      The main new features in 1.3.26 (compared to 1.3.24) are:
    
    

Add text/xml, application/xhtml+xml, audio/mpeg, and video/quicktime
MIME types to the mime types magic file. 

Added a -F flag which causes the supervisor process to
       no longer fork down and detach and instead stay attached to
       the tty.  This allows integration with daemontools. 




    
      The following bugs were found in Apache 1.3.24 and have been
      fixed in Apache 1.3.26:
    
    

Allow child processes sufficient time for cleanups by making
       ap_select in reclaim_child_processes more "resistant" to
       signal interrupts. 

In Darwin, place dynamically loaded
  Apache extensions' public symbols into the global symbol
  table. This allows dynamically loaded PHP extensions.

Fix for a problem in mod_rewrite which would lead to 400 Bad Request
       responses for rewriting rules which resulted in a local path.
       Note: this will also reject invalid requests as issued by
       Netscape-4.x Roaming Profiles (on a DAV-enabled server).

Recognize platform-specific root directories (other than a
       leading slash) in mod_rewrite for filename rewrite rules.


Disallow anything but whitespace on the request line after the
       HTTP/x.y protocol string to prevent arbitrary user input from
       ending up in the access_log and error_log. Control characters
       are now also escaped.

A large number of fixes in mod_proxy including: adding support
       for dechunking chunked responses, correcting a timeout problem
       which would force long or slow POST requests to close after 300
       seconds, adding "X-Forwarded" headers, dealing correctly with the
       multiple-cookie header bug, the ability to handle unexpected
       100-continue responses sent during PUT or POST commands, and a
       change to tighten up the Server header overwrite bug-fix.
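The request-line item above describes two defensive changes. The following Python is an added illustration, not Apache's code: it rejects a request line that carries anything other than whitespace after the HTTP/x.y token (a 400 in Apache's terms) and escapes control characters before the line is written to a log. The escaping format is an approximation of Apache's rather than a copy of it, and the sample request lines are constructed.

```python
import re

# Request-Line per RFC 2616: Method SP Request-URI SP HTTP-Version CRLF.
# The fourth group captures whatever follows the protocol token; the
# tightened check below allows only spaces and tabs there.
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)[ \t]+(\S+)[ \t]+(HTTP/\d+\.\d+)(.*)$")


def parse_request_line(raw: str):
    """Return (method, uri, protocol) for a well-formed request line, else None."""
    line = raw.rstrip("\r\n")
    m = REQUEST_LINE_RE.match(line)
    if m is None:
        return None
    method, uri, proto, trailer = m.groups()
    # Anything but whitespace after HTTP/x.y is rejected, so attacker-chosen
    # text cannot ride along on an otherwise valid request line into the logs.
    if trailer.strip(" \t"):
        return None
    return method, uri, proto


def escape_for_log(text: str) -> str:
    """Escape backslashes and control characters so one request stays one log line.

    Approximation of Apache's log-item escaping (labelled as such): C-style
    escapes for the common characters, \\xHH for every other control byte.
    """
    simple = {"\\": "\\\\", "\n": "\\n", "\r": "\\r", "\t": "\\t",
              "\b": "\\b", "\v": "\\v"}
    out = []
    for ch in text:
        if ch in simple:
            out.append(simple[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def access_log_entry(raw: str):
    """Return (status, escaped request field): 400 for a rejected line, else 200.

    The request field is escaped in both cases, because a rejected line is
    exactly the one most likely to contain hostile bytes.
    """
    parsed = parse_request_line(raw)
    status = 200 if parsed is not None else 400
    return status, escape_for_log(raw.rstrip("\r\n"))


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.0\r\n",                   # well formed
    "GET /index.html HTTP/1.1   \r\n",                # trailing whitespace is allowed
    "GET / HTTP/1.0 extra-text-after-protocol\r\n",  # rejected by the tightened check
    "GET /\x01\x1b[31m HTTP/1.0\r\n",                 # parses, but control bytes are escaped
]


def run_samples():
    """Classify every sample line; returns a list of (status, logged_request)."""
    return [access_log_entry(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for status, logged in run_samples():
        print(status, logged)
```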








mod_perl Developer's Cookbook
Tsan, Min Min
0672322404

"mod_perl Developer's Cookbook" by Geoffrey Young, Paul Lindner, 
and Randy Kobes which was first printed by Sams Publishing in 
January 2002 is a much-awaited addition to the 
few existing books
which are exclusively about mod_perl.


Book Review: mod_perl Developer's Cookbook





mod_perl is the bridge that empowers Perl 
and Apache users with the full strength of the Perl 
programming language and the Apache web server.


The primary author, Geoffrey Young is an active member of 
the mod_perl community and has written modules 
such as Apache::Clean, 
Apache::DebugInfo, 
and Apache::Dispatch amongst others which 
can be found on 
CPAN 
(Comprehensive Perl Archive Network, a large collection of 
Perl modules and documentation). Co-authors Paul Lindner, an 
experienced 
open-source developer, 
and Randy Kobes, a 
professor of physics 
at the University of Winnipeg in Canada, both use 
mod_perl extensively and have contributed 
modules such as 
HTML::Clean 
and
Apache::WinBitHack 
to CPAN. The latter is no stranger to Perl books as he has 
written  
"Perl Developer's Toolkit"
and co-authored 
"Professional Perl Development" 
in addition to implementing a 
CPAN search engine.


Perl developers who want to create Web applications by harnessing 
the flexibility of Apache, and administrators of mod_perl-enabled 
Apache web sites, are the target audience of this book.
The authors intended it to be a practical, hands-on 
reference guide containing working, real-world examples. All 
examples use perl 5.6.1, Apache 1.3.22, and 
mod_perl 1.26 built with all supported options 
enabled (EVERYTHING=1).


This 650-page book has 17 chapters and 3 appendixes, grouped 
under three main parts: Part I covers installing and 
configuring mod_perl, Part II covers the 
mod_perl API, and Part III covers each of 
the Apache directives provided by mod_perl. 
The essence of each part is summarised at the start before 
moving on to the individual chapters. Each chapter begins 
with an introduction and is then followed by subsections referred 
to in the book as recipes. Each recipe is for a specific task 
or problem and has the following format: it states the 
objective of the task in just one sentence, 
provides the code for the task under the "Technique" subsection, 
and then explains what the code does under the "Comments" 
subsection. There are a total of 192 recipes.


Chapters 1 and 2, which make up Part I, start off with the 
basics of installing mod_perl using 
various methods, from using a binary version to building it 
statically or as a DSO (Dynamic Shared Object) module from 
source, on an assortment of platforms including Linux, 
Solaris, Microsoft Windows, and Mac OS X. It then talks about 
how to configure the Apache httpd.conf file to make use of 
the mod_perl which has just been installed.


Part II can be considered the section where you learn the 
theory and fundamentals of Apache and the 
mod_perl API. It explains how Apache processes 
requests in a series of phases, delves into how, by using 
mod_perl, Perl code can be executed during 
any of these phases, and talks about how the 
mod_perl API corresponds to them. It shows 
you how to access the Apache request, server, and connection 
records and manipulate all the fields in them, looks at how 
Apache handles file operations, and teaches you how to write, 
test, debug, fine-tune, configure, package, and distribute 
your own mod_perl handler. The last chapter 
in this section explains mod_perl's 
object-oriented mechanisms.


Part III is where you apply what you have learned in the 
previous section in real world problems. It illustrates how 
mod_perl handlers can be used within each 
of the Apache phases, and shows how the 
mod_perl API fits into each of the Apache 
phases with a nice diagram. The seven chapters under this 
segment explain in detail about each mod_perl 
Perl*Handler directive and provide 
scenarios where they can be used. Lastly, appendix A lists 
all the mod_perl hooks and build options, 
appendix B lists the constants to be used in 
mod_perl API programming, and appendix C 
has quite a complete list of resources followed by the index.


Overall, this is a good reference book as the source code 
samples make up 50% of the content so you can readily customise 
them to meet your requirements. The commentaries are easy to 
understand as they are written in a simple, narrative, and 
lucid style despite the numerous technical terms used. However, 
it could use more diagrams to illustrate complex concepts as 
currently flow charts, diagrams, and screen shots are used 
sparingly but effectively to simplify abstract ideas. 


In my opinion, the best way to make full use of this book is 
to skim through the whole book and read only the 
introduction of each part and chapter, and then the objective 
of each recipe. Then go back to the recipe that interests you 
most and study the sample code while digesting the explanation 
provided under the "Comments" subsection, so that you may write 
your own Perl module using the code as a guideline.


Although this book is aimed at all Perl developers, beginners 
may find it difficult to grasp the concepts. The objective of 
the recipes can be quite distinct at times and this can disrupt 
the continuity and logical thought process of beginners as 
they move from one recipe to another sequentially. As a result, 
the mod_perl novice may find it difficult to 
gather their thoughts and digest the wealth of information 
provided. Therefore I find that Sams Publishing has correctly 
categorised this book under "User Level: Intermediate-Advanced". 
It is undeniable that those who are not familiar with Apache's 
API and mod_perl at all will be totally lost 
and drowning in this sea of recipes because in order for one 
to be able to whip up a tasty meal by using a cookbook as a 
guide, one must be able to identify and obtain the ingredients 
of the recipe beforehand. 


To be fair, the authors did recommend that readers use this 
book alongside 
"Writing Apache Modules with Perl and C" 
by Lincoln Stein and Doug MacEachern, and 
the online mod_perl Guide 
by Stas Bekman to achieve a better understanding. The authors 
also state that they assume, and I quote them here: "that 
the reader has a good background in Perl, a fair understanding 
of Apache, and understands the basic concepts of building a 
Web application, Web protocols, and HTML, and in some of the 
more complex examples we may assume a level of mastery that 
exceeds the typical audience."


Although the authors cautioned that this book is by no means 
comprehensive, I would say that this book is as close as a 
book can get to becoming the bible of mod_perl, 
so if you are really serious about mod_perl, 
then get it by all means! It may set you back nearly 30 pounds
(USD 40) but it is well worth it. Even if you 
are a beginner, eventually you will find this book useful 
after you are through with all the online 
mod_perl guides and documentation. Experts 
will have fun jumping right in, going through the recipes 
and rediscovering the joy of finding a dish that they have 
not tasted before.


For a taste of the meals yourself, you may drop in and pay 
a visit to its 
companion website 
where you can read through the 
table of contents 
and the 
sample chapters. 
You may also wash, cut, chop, mix, bake, stir, whip, roast, 
steam, sprinkle, stir-fry, fry, pinch, rinse, barbecue, eat, 
drink, and swallow your way through its source code repository, 
errata, and other resources provided. Enjoy!






Apache 1.3.24 Released 
Cox, Mark J
Apache 1.3.24 was released
    on the 22nd March 2002. This release addresses a security
    flaw on Windows, some minor bugs found in the 1.3.23
    release, and adds some new features.




    
      Apache 1.3.24 was released on 22nd March 2002 and is
      now the latest version of the Apache server. The previous
      release was 1.3.22, released on the 24th January 2002.
      See
      what was new in Apache 1.3.23.
    
    
      Apache 1.3.24 is available in source form for compiling on
      Unix or Windows, for download from the main Apache site
      or from any mirror
      download site.
    
    
      This is a security, bug fix and minor upgrade release, with a few new
      features. Users should upgrade if they are running on Windows,
      will be affected by the 
      particular bugs mentioned below, or would like to use any of
      the new features. 
    
    
      Due to security issues, any sites using versions prior to
      Apache 1.3.22 should upgrade to at least Apache 1.3.22.
      Read more
      about all the security issues that affect Apache 1.3.
    

     





Apache for Win32 before 1.3.24 allows remote 
attackers to execute arbitrary commands via parameters passed
to batch file CGI scripts.  More details in 
Apache Week issue 288 or


The problem occurs because the input is not properly validated; it
is possible to append commands as parameters to the batch file CGI 
script and have the shell interpreter execute them.

The characters % and \r have been added to the dangerous Win32/OS2 
characters list, and the command line is now passed to the interpreter
double quoted.  In addition Apache now introduces earlier 
identification of command.com vs 
cmd.exe, and treats command.com as a 16-bit application.

As additional protection in case future CGI argument vulnerabilities
are discovered, a new directive CgiCommandArgs off
has been added to allow administrators to completely disable the query
argument passing mechanism in Apache.


A bug was found that could cause invalid hostnames to appear in Apache
log files.  If a double-reverse lookup was performed (for example
for Allow from .example.com) but 
failed, then a spoofed dns-reverse-address could appear in the logs. 
Note that this bug doesn't give any access to protected resources; it only 
affects what gets written to the log file.
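The double-reverse lookup this bug concerns is simple to state: a client's PTR name is only trustworthy if a forward lookup of that name returns the client's address. The Python below is an added example, not Apache's code; it implements that check with resolver functions passed in as parameters and a constructed fake DNS table so it runs offline, falls back to the bare address for logging when verification fails, and evaluates an "Allow from .example.com" style rule only against a verified name.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed fake DNS data (RFC 5737 documentation addresses) so the example runs offline.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "www.example.com",       # PTR and A records agree
    "203.0.113.20": "trusted.example.com",   # PTR names a host whose A record points elsewhere
    "203.0.113.30": "orphan.example.org",    # PTR names a host with no A record at all
}
FAKE_A: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "trusted.example.com": ["198.51.100.5"],
}

ReverseFn = Callable[[str], str]
ForwardFn = Callable[[str], List[str]]


def fake_reverse(ip: str) -> str:
    """Stand-in for a PTR query; raises LookupError like a failed lookup."""
    if ip not in FAKE_PTR:
        raise LookupError(ip)
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """Stand-in for an A query; raises LookupError like a failed lookup."""
    if name not in FAKE_A:
        raise LookupError(name)
    return FAKE_A[name]


def system_resolvers():
    """Real resolvers built on the socket module, for use outside this offline example.

    socket.herror and socket.gaierror are OSError subclasses, which the
    callers below catch alongside LookupError.
    """
    return (lambda ip: socket.gethostbyaddr(ip)[0],
            lambda name: socket.gethostbyname_ex(name)[2])


def double_reverse_lookup(ip: str, reverse: ReverseFn = fake_reverse,
                          forward: ForwardFn = fake_forward) -> Optional[str]:
    """Return the PTR name for ip only if a forward lookup of that name includes ip.

    Any failure (no PTR, no A record, or an A record that does not contain ip)
    yields None: the name is unverified and must not be treated as the client's.
    """
    try:
        name = reverse(ip)
        addresses = forward(name)
    except (LookupError, OSError):
        return None
    return name if ip in addresses else None


def hostname_for_log(ip: str, reverse: ReverseFn = fake_reverse,
                     forward: ForwardFn = fake_forward) -> str:
    """The value that belongs in the log: the verified name, or else the bare address.

    The 1.3.23 bug described above logged the unverified PTR name when the
    double-reverse lookup failed, so a spoofed PTR record could plant an
    arbitrary hostname in the access log.
    """
    return double_reverse_lookup(ip, reverse, forward) or ip


def allowed_by_suffix(ip: str, suffix: str, reverse: ReverseFn = fake_reverse,
                      forward: ForwardFn = fake_forward) -> bool:
    """Evaluate an 'Allow from .example.com' style rule against a verified name only.

    The leading dot in the suffix matters: it keeps notexample.com from matching.
    """
    name = double_reverse_lookup(ip, reverse, forward)
    return name is not None and name.lower().endswith(suffix.lower())


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "192.0.2.99"):
        print(client, "->", hostname_for_log(client),
              "allowed:", allowed_by_suffix(client, ".example.com"))
```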





    
      The main new features in 1.3.24 (compared to 1.3.23) are:
    
    

Add an IgnoreCase keyword to the 
IndexOptions directive to allow filename 
listings to ignore case.

The proxy code read chunks from the backend server in a
hardcoded amount of 8192 bytes.  A new directive,
ProxyIOBufferSize, has been added to specify the
size of the read buffer from the remote server.

Previously the proxy would wait until the response had been delivered
to the client completely before closing the backend connection.  Now the
backend connection is closed as soon as the last byte is read from it,
freeing up resources.

mod_alias writes a warning to the error log
if it fixes up an incomplete redirection target (such as turning
/foo into http://host/foo).  Since this
is a supported operation the message has been demoted so that
it will only show up at LogLevel Debug.


When using mod_proxy to access FTP sites it was
impossible to reach a higher directory than the logged-in directory,
as combinations of /../ are interpreted by the browser and
not sent to the server.  This problem affects other proxies as well. 
The Squid proxy uses a "Squid %2f hack" which has been adapted to work
in Apache.
By prepending /%2f to the path of your request, you can make
the proxy change the FTP starting directory to / instead
of starting at the home directory for the logged-in user.

    

    
      The main new features that apply to specific platforms are:
    
    

Provide new logging to assist Win32 users in debugging CGI scripts.  
At LogLevel info the
CGI command invoked is logged.
At LogLevel debug
the environment variables are also logged.

Added a logging module for NetWare, mod_log_nw, as
NetWare is unable to use the RotateLog utility.

Added a -e command line option for NetWare 
to force all fatal configuration file errors to the logger screen.
This allows Apache to shut down cleanly and completely on an
error condition.




    
      The following bugs were found in Apache 1.3.23 and have been
      fixed in Apache 1.3.24:
    
    

Fix a segfault condition in mod_include which could
be triggered by improper termination of conditional directives such as
#if.

Fix a problem in mod_proxy where the Server
header from the backend system would be replaced by one from Apache.  This
violated RFC 2616.  This fix has introduced a further issue which allows
modules to override the Server header, but this will be fixed in the next
release.

There is a problem in mod_proxy where each entry of a 
duplicated header such as Set-Cookie would overwrite the
previous value of the header, resulting in multiple header
values (like cookies) going missing.  A fix was committed to 1.3.24 but
doesn't fix the problem.

Fixes to apxs to allow the -S option to contain quotes, and
to rebuild apxs when options have been changed.

The Location response header, used for external
redirects, must be an absolute URI.  The Redirect
directive tested for that, but RedirectMatch did not
and would allow almost anything through.

Fix a longstanding bug that errors returned by src/Configure
would not be noticed by the top level configure script.
That was bad for automated production environments, as errors would
pass through unnoticed.

mod_proxy would send an HTTP/1.0 request even though 
it is now compliant with HTTP/1.1.

A number of other changes have been made to FTP handling in
mod_proxy, including properly escaping file names
from directory listings, a cleanup of the output HTML, the output of
directory listings in ASCII to avoid issues with EBCDIC servers, and
properly closing the data and control channels to the server.

Previous fixes to mod_rewrite in Apache 1.3.23 broke the
ability to do random balancing.

    
    
      The following bugs relate to specific platforms:
    


The Win32 port has had the remaining cases of blocking network IO 
eliminated.

A change has been made on TPF to make the ap_open_logs call the 
same as on other platforms and prevent a possible SIGPIPE in standalone_main.


Work around a bug in Windows XP that caused data
corruption on writes to the network.

The support for enabling pthreads-based accept() serialization
using the AcceptMutex configuration directive
suffered from a serious problem on Solaris platforms, as
the pthreads library was not being linked into the
httpd executable.  This meant that stub versions of the mutex functions 
from the C library were used, which resulted in no serialization being enforced.









Apache 1.3.23 Released
Cox, Mark J
Apache 1.3.23 was released
    on the 24th January 2002. This release addresses some 
    minor bugs found in the 1.3.22
    release, and adds some new features, including HTTP/1.1
    support for mod_proxy.



    
      Apache 1.3.23 was released on 24th January 2002 and is
      now the latest version of the Apache server. The previous
      release was 1.3.22, released on the 12th October 2001.
      See
      what was new in Apache 1.3.22.
    
    
      Apache 1.3.23 is available in source form for compiling on
      Unix or Windows, for download from the main Apache site
      or from any mirror
      download site.
    
    
      This is a bug fix and minor upgrade release, 
      with a few new
      features. Users should upgrade if they will be affected
      by the 
      particular bugs mentioned below, or would like to use any of
      the new features. 
    
    
      Due to security issues, any sites using versions prior to
      Apache 1.3.22 should upgrade to at least Apache 1.3.22.
      Read more
      about security issues that affect Apache 1.3.
    

     
    
      The main new features in 1.3.23 (compared to 1.3.22) are:
    
    

HTTP/1.1 support has been added to mod_proxy after
being backported from the Apache 2.0 updates
started 
last April.  The updates include support for 
Cache-Control, content negotiation using Vary,
persistent connection handling, and much more.

A new directive, FileETag, allows the
format of the ETag to be controlled via runtime directives.
Find out
more about this new feature.

Addition of a 'filter callback' function to enable modules to
intercept the output byte stream for dynamic page caching.

    



    
      The following bugs were found in Apache 1.3.22 and have been
      fixed in Apache 1.3.23:
    
    

Fix an incorrect Content-Length header in 416 "Range Not
Satisfiable" responses.

Revert mod_negotiation handling of 
    path_info and query_args
    to the 1.3.20 behavior.

Prevent an Apache module from being loaded or added twice due
       to duplicate LoadModule or 
       AddModule directives.

Add run-time validation of the Group directive,
to catch invalid but syntactically correct values.

    
    
      The following bugs relate to specific platforms:
    


Versions of FreeBSD from August 2000 include a feature 
called "accept filters" which delay the return from 
accept() until a condition has been met.  Apache will now use the
"httpready" accept filter rather than "dataready" on
FreeBSD after 4.1.1-RELEASE, where it works correctly.  
More details of
accept filters are available.

Some fixes for NetWare, including link problems with
mod_vhost_alias, file locking updates
to get mod_auth_dbm to work, and a problem where 
accessing an empty directory which
has the Indexes option specified produced an access 
forbidden message.

On HPUX 11, an ENOBUFS, No buffer space available
error occurs when an accept() cannot complete.  This error is now
ignored so that child processes don't get incorrectly terminated.

Win32 platforms would incorrectly always return forbidden in
response to an OPTIONS * request.

UnixWare 7.0 and later did not have a default locking
mechanism defined.  This bug was introduced in Apache 1.3.4.

A number of fixes for Cygwin, including a better default
mutex as well as better proxy and DBM support.

A bug on Win32 could cause Apache to stop responding to
requests for a period of time if the MaxRequestsPerChild
directive was set to anything other than 0. 
MaxRequestsPerChild of 0 is the recommended setting.

Win32 will now output an error message if the server hits the
ThreadsPerChild limit.  This is useful for
administrators to detect when their server is running out of threads to
handle requests.







Tsan, Min Min
  Featured Articles 2001
  
Our selection of the best featured articles from our weekly
newsletters.  Read about everything from "Apache and Tomcat" to 
"Apache Security"
  
  



Each week Apache Week brings you our pick of the best Apache related 
articles from around the web.  In this special feature we select our
favourites from each category.



    
      
        
          
      The Developer Shed kicks
      off the new "Getting More Out Of Apache" series with 
      virtual hosts and Server-Side Includes.
    
        
        
          
      In 
      part 2 of "Getting More Out Of Apache", the Developer
      Shed shows you how to implement basic user authentication and
      set up access control groups. It also talks about Apache
      logging capabilities and the powerful URL rewriting module.
    
        
        
          
      
      "Setting up Apache with mySQL, Frontpage 2000 Extensions, and
      PHP NHF" is a Newbieized Help File (NHF) written
      by Dallas Engelken for newbies to get Apache up and running
      with Frontpage support in no time at all.
    
        
        
          
      In 
      "Linux for Newbies, part 22", Gene Wilburn stresses the
      benefits of compiling Apache and any related modules by
      hand. Instructions are given for removing the existing Apache and
      PHP from one's system before compiling them again from
      source. By doing this, users control how the packages are
      built and choose the locations for the various parts.
    
        
        
          
      If you prefer to build Apache from source manually, you may
      want to refer to Apacompile,
      which is essentially a set of instructions and examples for
      compiling Apache and other common modules such as
      mod_ssl, mod_auth_ldap and
      mod_php. Some configuration
      samples are yet to be completed.
    
        
      
    
    
    
      
        
          
For those using Mac OS, here's a straightforward step-by-step tutorial on
building 
Apache 1.3.22 and PHP 4.0 for Mac OS X 10.1. However, the instructions
don't include integrating mod_perl or
mod_ssl.

        

          
      The Developer Shed presents step-by-step instructions for 
      building Apache, MySQL, WebDAV and PHP on Mac OS X. All
      these programs compile and run on Mac OS X due to its
      BSD-based UNIX core known as Darwin. To avoid
      confusion, the Apache Web server built is not enhanced with
      mod_ssl.
    
        
        
          
Noel Davis looks at how to overcome an Apache
on Mac OS X security issue which only involves those who store files
on Mac OS X's HFS+ file system. Three workarounds are available for this
problem.

        
        

Kevin Hemenway unravels the mystery of the built-in Apache web server 
that comes with Mac OS X in his
first article 
of a new series about serving web pages from a Mac. You'll learn how to 
start up Apache, access your personal home page, locate Apache's 
DocumentRoot, and customise the default web 
page. This is just the appetiser - there are more to come in the next 
installment when Kevin gets down to the crux of maintaining a 
full-fledged web site.

        
      
    
    
    
      
        
          
      Apache on Windows NT, how does it compare to Apache on UNIX
      or other web servers such as IIS? Apache Today has the 
      answer. Windows users who are interested in using Apache
      but are discouraged by the apparent lack of online
      information about this topic may like to check this out.
    
        
        

"A Feather in Your NT Cap" 
persuades users running Microsoft's Internet Information Server (IIS) 
on Windows NT to migrate to Apache on NT. It lists the three limitations
of Apache's ISAPI implementation, describes two main ways of 
installation, gives an overview of the configuration, and shows you 
how to start Apache as an NT service.

        
      
    
    
    
      
        
          
At WebTechniques.com, Jim Jagielski has a few tips for those who are
providing web-hosting services in "Customer 
Number One". He looks at two methods by which Apache can give
every customer dedicated-server performance and quality guarantees in
a shared server environment, as if he or she were the only customer. The
first uses mod_throttle to control various parameters,
such as the number of requests or the total bandwidth used, on a per
server, virtual host, location, directory or user basis. The second allows
CGI scripts to execute under their own user and group IDs using suExec. He
also discusses the pros and cons of running multiple instances of Apache
simultaneously.

        
        
          
"Save
Your Site from Spambots" teaches you how to use
mod_rewrite to redirect "spambots", software packages
that crawl the Web harvesting e-mail addresses and adding them to bulk
e-mail lists, to a specific page that has "special" messages just for
them. Since this method uses the content of the User-Agent: HTTP header to
identify the "spambots", it won't prevent "spambots" that masquerade as
other browsers from scraping e-mail addresses from your web site. Other
solutions are presented as well and the one recommended is "spamtraps" -
special addresses that are solely used for catching spammers. The author
concludes that the best way to combat unwanted bulk e-mail is to
immediately report spam to the ISP from which it originates as many times
as it takes until the ISP takes the necessary actions.

        
        
          The administrators at evolt.org are 
"Using Apache to
stop bad robots".  In a short article they show how they capture robots
that not only ignore the robots.txt file, but deliberately 
try to index files they are told not to.

        
        
          Morbus Iff develops a "Search
Engine Friendly SSI Image Gallery" in his article on evolt.org.  
The article shows how to create a dynamic image gallery, using only 
the features built into a core distribution of Apache.
        
        
          WebmasterBase.com looks at the pros and cons of three methods of passing 
information to your web pages without the use of a query string so that 
your web site has search 
engine-friendly URLs. The methods are the implementation of 
PATH_INFO, .htaccess error pages, and the 
ForceType directive, and have been tested using PHP with 
Apache on Linux but they should also work on other platforms.
        
        
          
Information Security Magazine presents an article on improving Apache and a case study on companies that swear by (not at) Apache in its April issue. It starts off by refuting the mindset that running Apache guarantees security, although it readily admits that Apache deserves its reputation for being a secure Web server. Then it provides the steps for installing Apache and mod_ssl, securing the underlying Linux server, and testing Web applications for vulnerabilities.

Sys Admin magazine presents Apache::Motd, an Apache module based on the "Message Of The Day" utility found on UNIX systems. It intercepts the user's initial request and displays the contents of the motd file before serving the requested page. Carlos Ramirez, its creator, walks us through the installation and configuration process.

Linux Gazette provides three different options for redirecting a request to another virtual host running on the same web server. If you want to distinguish yourself from the boys, the solution is to use mod_rewrite inside a VirtualHost container. It also shows you how to achieve the same results using a Perl script or the Redirect directive.

"Apache CodeRed Countermeasures with PHP: codeRedKiller!" shows how to prevent Code Red requests from reaching your Apache Web server using PHP and bash. Basically it uses a PHP script to record the source IP address of the request and then runs a shell script to add a filter to your firewall that blocks any further requests from the same source. You could use a simple shell script to parse your Apache error log for the source IP address instead of using PHP. The article also advises you to make sure that the source IP address is not spoofed. The drawback is that all other, valid requests from that source IP address will be stopped from reaching your web server until you remove the filter.

Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the worm. One way is by using Apache::CodeRed, written by Reuven M. Lerner. In this article he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.