Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

Apache 1.2 Guide

A guide to everything new and changed in Apache 1.2

First published: 6th June 1997

Major Features

The biggest single change in Apache 1.2 is the support for HTTP/1.1. However, there are also major changes to simplify configuration, provide better help, speed up network transfers, log requests to multiple files, switch UID for running CGIs, use regular expressions in various places, make debugging CGI easier, and more.

HTTP/1.1

Apache 1.2 is fully compliant with the new HTTP/1.1 standard (except for the proxy module). Some of the power of HTTP/1.1 support will not be apparent until browsers which implement it are available. The major changes are:

  • All possible status values are now defined
  • Byte ranges fully implemented for receiving
  • Content negotiation by content type, language, charset and encoding
  • Content negotiation can return 406 status with a list of possible variants, if none are suitable for the browser's preferences
  • Much better cache control with Cache-Control and Vary headers, and use of entity tags (etags)
  • New preconditions with If-Match, If-None-Match, If-Range, If-Unmodified-Since request headers
  • New request methods OPTIONS and TRACE join the existing GET, PUT, POST etc
  • Persistent connections implemented, and internally copes with some known buggy browsers
  • Resources can be in multiple languages
  • Sends an 'etag' with the response where possible (i.e. if sending a file), which can be used for more efficient caching
  • Support for reading and sending 'chunked' encoding
  • The default handler can send byte ranges and multipart documents

Other new features

  • Configuration process simplified
    Configuring Apache is now much easier. The Configure script automatically identifies the operating system and compiler to use. These can still be set in Configuration if required. Many more operating systems are now supported. A Makefile is created in the support directory.
  • Better Help, Documentation and Bug Tracking
    Various updates to provide help: the new -h option lists all the available directives, while -l lists available (compiled) modules. The descriptions of the directives have been updated and expanded. A -v option gives the version number of Apache. The full Apache documentation comes in the distribution, while a new FAQ and comprehensive bug tracking database are available on www.apache.org.
  • Network Improvements
    Persistent connections are now faster, and are used in more cases. Network traffic has been reduced. Persistent connections are not used if the browser appears to be one that has a bug in its implementation.
  • Graceful Restarts to Avoid Dropping Connections
    Apache can be told to re-read configuration files and re-open log files, without dropping connections in progress, as currently happens with a -HUP restart.
  • Better Logging
    The configurable log module is now the default. It can now log each request to multiple log files, each in a different format. There are several extra items which can be logged: filename (%f), notes from other modules (%n), port of request (%p), PID of child handling request (%P), formatted time (%t), time to service request in seconds (%T), URL path requested (%U) and name of server or vhost (%v).
  • More Control over Files
    It is now possible to apply directives to individual files with <Files>, which can appear in access.conf or .htaccess files. Multiple files can be selected using regular expressions (which can also now be used in <Directory> and <Location>).
  • Running CGIs as Other Users
    A helper program (suexec) can be configured to run CGI scripts as other users. If the CGI is in a public_html directory, it can run as the user whose directory it is in, or a user can be set for each virtual host. Various security checks are performed before running CGI as another user.
  • More NCSA-Compatibility
    Some directives have been updated to be more compatible with the NCSA HTTPd. The Satisfy, RedirectTemp and RedirectPermanent directives are now implemented. AuthUserFile and AuthGroupFile can now take an argument to specify dbm format files. KeepAlive and MaxKeepAliveRequests are NCSA compatible.
  • Easier CGI Debugging
    It is now possible to log the input and output of a CGI script when an error occurs. This will make debugging CGI programs much easier.
  • More Includes Directives
    Server-Side-Includes (SSI) have a number of important new features. Variables can now be set and tested, and regular expressions can be used. Code can be conditional, using if...endif directives.
  • Content Negotiation Enhanced
    Content negotiation has been updated to meet the HTTP/1.1 specification. In addition some special cases are catered for to cope with browsers which currently send incomplete negotiation information.
  • Better Control over Options
    Options can now be set or removed on an individual basis, rather than having to set all the options at once.
  • More Configurable Authentication
    It is now possible to restrict pages by username and password, but to let users from particular domains access the pages without giving a password. This is implemented with the Satisfy directive. Restrictions can be applied to individual files with <Files>, and to files which match a regular expression.
  • SetUID Execution of CGI Programs
    CGI programs can be executed as other users (on a per-virtual host or per-userdirectory basis) if the optional suEXEC code is compiled.
  • Conditional Modules and Directives
    Part of the configuration files can be made conditional, depending on what modules are currently loaded. The <IfModule>...</IfModule> section surrounds directives which are only executed if a particular module is loaded (or not, if the test is negated). Compiled-in modules can be activated or disabled with ClearModuleList and AddModule.
  • Preventing Too Many Resources Being Used
    New directives can set the total amount of resources that can be used by child processes (such as CGI scripts). This can be used to prevent run-away scripts from taking over the system. The resources which can be limited are: CPU usage, virtual memory usage and number of (sub-) processes. This feature is available on operating systems which implement these restrictions.
  • Virtual Host can Handle Multiple Addresses and be a Default
    Each virtual host can now be configured to handle requests on multiple addresses, by listing the addresses in the <VirtualHost ...> directive. Also a virtual host can be defined to accept requests not handled by any other host (instead of leaving them to the main server configuration).
  • Can Return HTTP Redirect Permanent, Gone or See Other Status
    The Redirect directive has been enhanced to allow for additional response codes. The current Redirect directive always returns a "temporary redirect" code. In 1.2, the redirect code can also be "permanent redirect" or "see other", or a resource can be marked as "gone" (permanently removed).
  • Better and More Robust Performance
    The code has been cleaned for easier maintenance and to fix various bugs. Error conditions are dealt with better, including network problems, timeouts and signals. It is better commented. Various performance optimisations have been applied to enhance speeds. Network traffic has been reduced where possible by sending larger blocks of data. Persistent connections are used if possible, even after error statuses.
  • Major Changes to the Proxy Module
    The proxy module has been extensively updated for this release. It is not yet compliant with HTTP/1.1.

Other Changes

There are a lot more smaller changes, some of which are listed here:

  • BADMMAP compilation directive removed
  • Checks to see if Apache is linked to modules compiled with a previous version of the module API.
  • Checks argument to Port directive is a number and not 0.
  • Cookies used by the usertrack module are not sent by default, unless enabled by CookieTracking. The initial cookie request is now logged. The CookieLog directive is deprecated.
  • Does not flush output after headers (which was a 'hack' to get around a bug in keep-alives in some versions of Netscape; Apache now does not use keep-alives if this version is being used)
  • The maximum value of MaxClients has been increased from 150 to 256. Attempts to set a value higher than this will display a warning message.
  • Compilation rule to tell IRIX that NIS is running (Rule IRIXNIS=yes)
  • Some systems failed to notice when the child Apache processes died, leading to scoreboard entries for dead processes. An explicit check for dead processes is now performed every 60 seconds, and the scoreboard updated if necessary.
  • CGI programs can get the port on the remote system in the environment variable REMOTE_PORT and the original URI is REQUEST_URI.
  • Error code number not shown in <h1>..</h1> on error page
  • As defined in HTTP/1.1, an empty Accept-Encoding: request header means that no encoding is acceptable (previously it meant any encoding was acceptable)
  • Status screen output has been tidied up, and now also lists the server host name servicing the request (the virtual host or main server)
  • Responses can be marked as HTTP/1.0 rather than HTTP/1.1 if the force-response-1.0 environment variable is set
  • Access can be denied based on which environment variables are set
  • Return 404 status on POST to bad URL (previously used 405)
  • Linux now defaults to shared-memory scoreboard (not available on 1.2 kernels, or Alpha hardware)
  • Better error_log messages, including Unix system call error status
  • Modules can be placed in separate directories
  • If a virtual host cannot be configured (hostname cannot be resolved) then Apache continues to start up but disables this virtual host.
  • Can now work around bugs in MSIE and Netscape Navigator when serving PDF files, and a bug in Navigator which causes broken images.
  • Modules re-ordered to allow rewrite and alias modules to process requests before they are handled by the proxy module (if enabled).
  • Preserve query_string information during a redirect.
  • If the client connects but does not send a request, log a 408 ("Timed Out") error instead of an OK response (200).

Major Modules Changes

New Modules

The following modules have been added to this version of Apache. Of these, only mod_browser is compiled in by default. The other modules here are optional, and to use them you need to uncomment the appropriate line in Configuration and re-compile Apache.

  • API Example Module (mod_example)
    This example module can be used to see how Apache processes requests. It is not compiled in by default and should not be used in a "production" server.
  • FastCGI (mod_fastcgi)
    This module implements the FastCGI method of invoking sub-processes, which is faster and more configurable than CGI. It is available from the FastCGI site and is not part of the Apache distribution.
  • Set Response Expiry Times (mod_expires)
    This module can be used to set 'expiry' times on responses. This can be used to tell caches about the expected life-time of resources, to make caching more efficient or to prevent users seeing out-of-date information.
  • Set or Remove HTTP Headers (mod_headers)
    This module allows individual HTTP headers to be set or removed.
  • Set Environment Variables based on Browser (mod_browser)
    This module can be used to set environment variables based on the 'user agent' that created the request. This could be used to set environment variables based on the capability of the browser.
  • Rewrite Requested URL (mod_rewrite)
    This module provides a generic way of re-writing the incoming request URL based on various aspects of the request.

Modules Changed

  • Cookies module renamed Usertrack (mod_usertrack)
    The cookies module (mod_cookies) has been renamed usertrack (mod_usertrack) to prevent confusion over what it does. As in previous releases, this module is not compiled in by default.
  • Config log module replaces common log (mod_log_config)
    The common log module (mod_log_common) has been replaced by the configurable log module (mod_log_config) as the default log module. This module has been enhanced to allow multiple log files, so it can also replace most of the functionality of the mod_log_referer and mod_log_agent modules (although it is not a complete replacement for these modules).

Directive Changes

This section lists the directives which are new in this release, or which have changed their behaviour or syntax. Note that only the modules compiled in by default are covered here, and the directives provided by the new modules are not listed (see the documentation for the module concerned for its directives).

New Directives

  • <Files>... </Files> section applies directives to individual files, or files that match a wildcard or regular expression.
  • <IfModule>...</IfModule> makes directives conditional depending on which modules are compiled in
  • CustomLog adds a transfer log with a custom
  • MaxKeepAliveRequests sets the number of requests per connection instead of KeepAlive
  • RLimitCPU, RLimitMEM and RLimitNProc limit resource usage of sub-processes
  • Redirect can take an optional first argument giving the status value to return (one of temp, permanent, seeother, gone or a numeric status).
  • RedirectTemp and RedirectPermanent added for NCSA-compatibility (but Redirect status should be used instead).
  • ScriptLog sets a logfile for CGI debug output
  • ScriptLogBuffer sets a maximum size for PUT or POST data logged to a ScriptLog file
  • ScriptLogLength sets an overall maximum size for a ScriptLog logfile
  • SendBufferSize sets the size of the TCP send buffer

Changed Directives

  • <Location> now only matches full URL segments (<Location /i> does not match URL /info, for example)
  • <Location> and <Directory> can match the URL or path (respectively) against a regular expression
  • <VirtualHost> can take multiple addresses
  • Anonymous_Authorative has been renamed to Anonymous_Authoritative
  • AuthDigestFile can take optional second argument of "standard" (for NCSA compatibility)
  • AuthUserFile and AuthGroupFile are now NCSA compatible, with an optional second argument which can be either dbm or standard (dbm is only valid if the optional mod_auth_dbm module is compiled in)
  • Auth_MSQL_Authorative has been renamed to Auth_MSQL_Authoritative
  • deny has been updated to allow an argument of user-agents followed by a list of user-agents to deny access
  • IdentityCheck timeout now 30 seconds rather than 60
  • KeepAlive now takes an "On" or "Off" argument, rather than a number (if a number is used, 0 means Off while any other number means On). If switched on, the default requests per connection is 100. See also MaxKeepAliveRequests.
  • Options can set or remove individual options, instead of replacing all the options currently in force
  • Timeout defaults to 300 seconds instead of 1200
  • TransferLog can now be used more than once in each main server or virtual server
  • User and Group can be set inside virtual host sections, and are used when running sub-processes (e.g. CGI) if the server is configured for setuid execution
  • In all directives, a backslash character (\) now only escapes quotes or / chars (e.g. XXX "123\"456" gives argument 123"456). Previously \ could escape any character.

Configuration and Support Program Changes

Sample Configuration

The conf directory contains examples of the four configuration files needed: httpd.conf, srm.conf, access.conf and mime.types. Each of these files has been updated slightly.

  • httpd.conf
    Example BrowserMatch directive is given, which disables keep-alives for browsers which had a buggy implementation.
  • srm.conf
    No changes (except in the sample domain names)
  • access.conf
    An example <Location> section to log attempts to access the phf CGI program is given. phf has a security hole which is actively being exploited, and should immediately be removed. This example shows how to log people trying to access this program, possibly in an attempt to hack your site. The logging is done at the apache.org site, or you can log it locally using a supplied CGI program in the support directory.
  • mime.types
    A type has been added for midi files, and removed for .gz and .Z files (they should be marked as an encoding type, not a media type).

In all files, all domain names have been replaced with names that can never occur on the Internet.

Support Programs

A new CGI program phf_abuse_log.cgi is provided which can log attempts to access the phf CGI program.

The program suexec is provided as C source. If compiled, this can be used with Apache to allow for the execution of programs as users other than the default server user. It makes extensive checks before it runs the CGI as another user to prevent security problems.

Other than these two new programs, there are no functionality changes to the programs in the support directory. The C programs have been updated to prevent compiler warnings on some systems, and the perl dbmmanage now creates passwords with a random 'salt'.
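
Added example (not part of the original article or the Apache distribution): a Python script that reviews a log written with the new mod_log_config items described under "Better Logging" and reports requests for the phf program, the kind of record the sample access.conf section and phf_abuse_log.cgi are meant to produce. The CustomLog format string, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed format (not from the article): "%v %p %h %t \"%r\" %s %T"
# = vhost, port, client host, time, request line, status, seconds to serve.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<port>\d+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<secs>\d+)$'
)

# Constructed sample lines using reserved example names and addresses.
SAMPLE_LOG = """\
www.example.com 80 192.0.2.10 [06/Jun/1997:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 0
www.example.com 80 192.0.2.66 [06/Jun/1997:10:00:05 +0000] "GET /cgi-bin/phf HTTP/1.0" 403 0
shop.example.com 8080 192.0.2.66 [06/Jun/1997:10:00:09 +0000] "GET /cgi-bin/%70hf?x=1 HTTP/1.0" 404 0
www.example.com 80 192.0.2.10 [06/Jun/1997:10:00:12 +0000] "GET /docs/phf-removal.html HTTP/1.0" 200 1
www.example.com 80 192.0.2.77 [06/Jun/1997:10:02:20 +0000] "-" 408 300
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # A 408 entry (client sent no request) has no URL to inspect.
    target = parts[1] if len(parts) >= 2 else ""
    # Drop the query string, then percent-decode so "%70hf" is seen as "phf".
    rec["path"] = unquote(target.split("?", 1)[0])
    return rec


def is_phf_probe(rec):
    """True when any path segment is exactly 'phf' (covers extra path info)."""
    return "phf" in rec["path"].lower().split("/")


def phf_probes(log_text):
    """Parsed records for every request that targeted the phf program."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and is_phf_probe(r)]


def probes_by_client(log_text):
    """Count phf requests per client host, for follow-up or blocking."""
    return Counter(r["client"] for r in phf_probes(log_text))


if __name__ == "__main__":
    for client, count in probes_by_client(SAMPLE_LOG).most_common():
        print(f"{client}: {count} phf request(s)")
```

Because %v and %p are logged, the same report shows which virtual host and port each probe reached, which the common log format cannot tell you.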

