Apache Week
   
   Issue 259, 17th August 2001:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Under development

The 2.0.23 release joins the list of abandoned 2.0 releases, suffering from a segfault in mod_mime caused by some recent optimisation work in the module. A fix has been committed and 2.0.24 is currently in testing.

Graham Leggett has been working on LDAP support for Apache, submitting an LDAP abstraction layer for the APR utility library which provides a common interface to the several LDAP libraries available today such as OpenLDAP. He went on to implement an LDAP-based authentication module for Apache 2.0 using this new API. There was some discussion about storing Apache configuration directives within an LDAP database; the consensus was that this is best achieved using a pre-processor program rather than adding LDAP configuration support.


In the news

The Apache HTTP Server: It's just a Web Server

Linux Today have a controversial guest column "Will Open Source Lose the Battle for the Web?" The author looks at why users would switch from Apache to IIS:

"it's nothing short of miraculous that Apache managed to retain its market share for about two years while essentially treading water. Let's face it, in spite of a few point releases, Apache hasn't introduced any significant user features in two years"..."Even Apache 2.0 (when it finally deigns to appear) won't offer any really revolutionary user benefits. It's just a better architecture for a vanilla webserver. What we need today is no longer a webserver, but a web services delivery platform. Sorry, but Apache doesn't cut it anymore..."

The aim of the Apache httpd project is to develop and maintain an open-source HTTP server and to provide secure, efficient and an extensible server providing HTTP services in sync with the standards. The Apache web server often forms part of a complete web services delivery platform.

The article has generated a large debate on the Slashdot news site.

Apache Software Foundation member Marc Slemko told Apache Week: "One of the main reasons to use the Apache HTTP server is because it is 'just a webserver'. One of the reasons it is a lot less likely to ever be vulnerable to anything like Code Red is because it is 'just a webserver' without dozens of wacky modules enabled by default that are poorly written and almost no one uses."

DaveNet on Apache

DaveNet on Apache offers a personal view on why Apache has more developer momentum than Microsoft or Sun - because it guarantees developer freedom. In his own words:

"As a platform for independent developers neither of the BigCo's half-hearted attempts to offer developers freedom is convincing. The Apache philosophy is the right one for me."

Continuing requests for /default.ida

We continue to get a large number of messages from system administrators who see requests for /default.ida in their Apache access logs. The requests look similar to this:

192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0" 400 252 -

If you are running Apache there is nothing to worry about, these requests are part of the Code Red Worm designed to search out vulnerable IIS servers running on Windows. You can quite happily ignore these requests, or get them back

Other common requests

Other common log entries you might see include:

  • Requests for robots.txt in the root directory. These requests are normally automatically made by robots which will analyse the contents of this file to see what files and directories they are not allowed to access. The format of the robots.txt file is given in the HTML 4 Specification.
  • Requests for favicon.ico in various directories (first seen in April 1999). Microsoft Internet Explorer version 5 and above can display a site-defined icon when a site's URL is displayed in a favourites list. This icon is obtained by asking the site for favicon.ico. If the URL contains slash characters (normally used to represent a directory hierarchy), MSIE 5 will request "favicon.ico" in each parent directory until it finds one or reaches the root. The format of the favicon.ico file is the Microsoft icon format. To see this 'feature' in action, bookmark this page using MSIE.
  • Requests for cmd.exe in various directories. These are usually attempts to exploit various security vulnerabilities that affect Microsoft IIS servers.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm. One way is by using Apache::CodeRed written by Reuven M. Lerner. In this article, he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.

WebmasterBase.com looks at the pros and cons of three methods of passing information to your web pages without the use of a query string so that your web site has search engine-friendly URLs. The methods are the implementation of PATH_INFO, .htaccess error pages, and the ForceType directive, and have been tested using PHP with Apache on Linux but they should also work on other platforms.

You may have set up your Apache web server perfectly but if you have not tested your web site thoroughly, it may still fail. Therefore, this basic "Step-by-Step Web testing" guide walks you through the numerous stages of testing. It starts with ensuring that the site looks as it is intended to, proceeds to testing functionality, scripts, browser compatibility in a realistic environment, proofing content, getting feedback from a selected group of users who previewed your site, checking your search engine rankings, and ends with analysing your users. After doing all those tests you may be exhausted, but hey, that's not too high a price to pay for a perfect web site.

From XML Basics, the Developer Shed has now moved on to "XSL Basics (part 1)" which explains how XSLT (Extensible Stylesheet Language Transformations) works, with sufficient examples on using it to present marked-up XML data. Hungry for more? Then you may as well read "XPath Basics" too. XPath provides a standard method of addressing parts of an XML document and is used by both XSLT and XPointer. As XML standards are still evolving, the author warns that this XPath tutorial may become invalid in the future but currently it is based on the W3C's XPath 1.0 recommendation.


Apache-related jobs

This occasional section contains short announcements of jobs that require significant Apache experience. To see more jobs or find out how to submit your vacancy visit the Apache Week Jobs section.

Tomcat Web Admin / Java Developer (Atlanta, GA)
Thompson Technologies is seeking an Apache / Tomcat Administrator with experience with Java to troubleshoot servers and rewrite code to make sure applications are working correctly. This is full time position in Atlanta, GA

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com