Apache Week
Issue 287, 15th March 2002:

Copyright 2020 Red Hat, Inc

In this issue

Security Reports

zlib flaw not an issue for Apache

This week a security flaw was found in the zlib library which affects programs that use zlib to decompress data, and we've received numerous questions asking how this affects Apache. The Apache web server itself doesn't use zlib and therefore isn't vulnerable. The most common third party modules that do use zlib are mod_gzip and PHP. mod_gzip is not vulnerable as it only compresses data and does not decompress it. PHP would only be vulnerable if you wrote a PHP script that decompressed arbitrary data. More information on this vulnerability is available from CERT.

Security flaw in improved mod_frontpage

A security problem was found in 'improved mod_frontpage' prior to version 1.6.1. A missing boundary check in a setuid root binary is exploitable and could be used by remote attackers to execute arbitrary code on a server. mod_frontpage is a third party module not shipped by the Apache Software Foundation, but included with some vendor distributions. Vulnerable distributions include Mandrake and FreeBSD (ports collection only).

Under development

An increasing source of confusion amongst mod_proxy users is the state of HTTP/1.1 support, with the significant changes made to this module in the Apache 1.3.23 release, alongside the new proxy module which is part of Apache 2.0. Of particular interest to many is the support for persistent connections (also known as "keep-alive" connections), one of the important parts of the HTTP/1.1 specification. This week we bring you a summary of the differences between the proxy modules present in the various Apache releases available:

Apache 1.3.22 and older

The original mod_proxy cannot use a persistent connection to either the origin server or to the client. Each request made by a client uses a new connection; each request made to the origin uses a new connection.

Apache 1.3.23 (and subsequent 1.3.x releases)

Graham Leggett's patches to add HTTP/1.1 support were integrated for this release: the bulk of this work was to implement the advanced caching features required by the HTTP/1.1 specification. It also enabled the proxy to use a persistent connection to the client: if the client supports persistent connections, and the server configuration does not disable persistent connections, then a single connection can be used to handle a sequence of requests. But each request which is proxied back to the origin server still uses a new connection.

Apache 2.0

The version of mod_proxy in 2.0 builds on the version present in 1.3.23; and adds partial support for the use of a persistent connection to the origin server as well as the client. Specifically, for the duration of a connection to the client, a single connection to the origin server can be used. For each new client connection, a new back-end connection is used.

Proxy users thinking of upgrading to Apache 1.3.23 should be aware that there is a bug (PR#9655) in the handling of responses which set more than one cookie, and may wish to wait for the 1.3.24 release before upgrading.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Jennifer Vesperman talks about HTTP caching in "Cache-Friendly Web Pages" and uses Apache as an example for configuring the Expires and Cache-Control headers. The directives involved are the ExpiresActive, ExpiresDefault, and ExpiresByType directives. The article also touches on the mod_cern_meta module that allows file-level control.
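As an added illustration of the directives named above (not taken from the article), here is an httpd.conf fragment for Apache 1.3 using mod_expires, with mod_headers used to keep per-user responses out of shared caches; the /account path is a hypothetical example location.

```apache
# Added example, not from the article. Assumes mod_expires and
# mod_headers are compiled in or loaded.
ExpiresActive On

# Conservative default: anything not matched below may be cached for one hour
ExpiresDefault "access plus 1 hour"

# Static assets that rarely change can be cached much longer
ExpiresByType image/gif  "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType text/css   "access plus 1 week"

# HTML: expire one hour after the file was last modified
ExpiresByType text/html  "modification plus 1 hour"

# Caveat: responses carrying per-user data must not be stored by shared
# caches. mod_expires cannot express "don't cache", so turn it off here
# and set the Cache-Control header explicitly. (/account is hypothetical.)
<Location /account>
    ExpiresActive Off
    Header set Cache-Control "no-store, no-cache, must-revalidate"
    Header set Pragma "no-cache"
</Location>
```

Check the result with a HEAD request against both a static file and the protected location and confirm the Expires and Cache-Control headers differ as intended.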

Here are the remaining articles in the "Improving a mod_perl Driven Site's Performance" series by Stas Bekman. "Part IV: Sharing Memory" explores various techniques to save RAM by sharing memory between child processes. This continues in the next installment, where you are shown how to save even more memory.

"Part VI: Forking and Executing Subprocesses from mod_perl" discusses how to properly spawn new processes under mod_perl. Part VII and Part VIII wrap up this series by examining how to fine-tune the performance of mod_perl by tweaking the configuration of Apache. The directives to adjust are MinSpareServers, MaxSpareServers, StartServers, MaxClients, and MaxRequestsPerChild.

After all the work put in to improve the performance of your site, you must constantly monitor your production system's memory, file system utilisation, and load. "Apache::VMonitor -- The Visual System and Apache Server Monitor" goes into detail about how the Apache::VMonitor module can help you do this.

"Apache Web-Serving With Mac OS X, Part 5" is mainly about installing MySQL on Mac OS X by using two methods - installing a "double-clickable" package, and building one from source. It also provides a sample PHP script that creates a table in the MySQL "test" database, adds some data to the table, and then displays the contents of the table. This script can then be accessed directly from your Mac through its built-in Apache web server.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan