This week a security flaw was found in the zlib library which effects
programs that use zlib to decompress data, and we've received numerous
questions asking how this affects Apache. The Apache web server
itself doesn't use zlib and therefore isn't vulnerable. The most common
third party modules that do use zlib are mod_gzip and PHP. mod_gzip
is not vulnerable as it only compresses data and does not decompress
it. PHP would only be vulnerable if you wrote a PHP script that
decompressed arbitrary data. More
information on this vulnerability is available from CERT.
A security problem was found in
'improved mod_frontpage' prior to
version 1.6.1. A missing boundary check in a setuid root binary is exploitable and
could be used by remote attackers to execute arbitrary code on a server.
mod_frontpage is a third party module not shipped by the Apache Software
Foundation, but included with some vendor distributions. Vulnerable distributions include
FreeBSD (ports collection only).
An increasing source of confusion amongst
mod_proxy users is the state of HTTP/1.1 support,
with the significant changes made to this module in the Apache 1.3.23
release, alongside the new proxy module which is part of Apache 2.0.
Of particular interest to many is the support for persistent
connections (also known as "keep-alive" connections), one of the
important parts of the HTTP/1.1 specification. This week we bring you a
summary of the differences between the proxy modules present in the
various Apache releases available:
- Apache 1.3.22 and older
- The original mod_proxy cannot use a persistent
connection to either the origin server or to the client. Each request
made by a client uses a new connection; each request made to the
origin uses a new connection.
- Apache 1.3.23 (and subsequent 1.3.x releases)
- Graham Leggett's patches to add HTTP/1.1 support were integrated
for this release: the bulk of this work was to implement the advanced
caching features required by the HTTP/1.1 specification. It also
enabled the proxy to use a persistent connection to the client: if the
client supports persistent connections, and the server configuration
does not disable persistent connections, then a single connection can
be used to handle a sequence of requests. But each request which is
proxied back to the origin server still uses a new connection.
- Apache 2.0
- The version of mod_proxy in 2.0 builds on the
version present in 1.3.23; and adds partial support for the use of a
persistent connection to the origin server as well as the client.
Specifically, for the duration of a connection to the client, a single
connection to the origin server can be used. For each new client
connection, a new back-end connection is used.
Proxy users thinking of upgrading to Apache 1.3.23 should be aware
that there is a bug (PR#9655) in the handling of responses
which set more than one cookie, and may wish to wait for the 1.3.24
release before upgrading.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
Jennifer Vesperman talks about HTTP caching in
"Cache-Friendly Web Pages"
and uses Apache as an example for configuring the
Expires and Cache-Control headers.
The directives involved are the ExpiresActive,
ExpiresByType directives. It also touches on the
mod_cern_meta module that allows file-level
Here are the rest of the articles to complete the
"Improving a mod_perl Driven Site's Performance" series by Stas Bekman.
"Part IV: Sharing Memory"
explores various techniques to save RAM by sharing memory between
child processes. This continues in the
where you can shown how to save even more memory.
"Part VI: Forking and Executing Subprocesses from mod_perl"
discusses how to properly spawn new processes under
wrap up this series by examining how to fine-tune the performance of
mod_perl by tweaking the configuration of Apache.
The directives to adjust are MinSpareServers,
After all the work put in to improve the performance of your site, you
must constantly monitor your production system's memory, file system
utilisation, and load.
"Apache::VMonitor -- The Visual System and Apache Server Monitor"
goes into detail about how the Apache::VMonitor
module can help you do this.
"Apache Web-Serving With Mac OS X, Part 5"
is mainly about installing MySQL on Mac OS X by using two methods -
installing a "double-clickable" package, and building one from source.
It also provides a sample PHP script that creates a table in the MySQL
"test" database, adds some data to the table, and then displays the
contents of the table. This script can then be accessed directly from
your Mac through its built-in Apache web server.