Apache Week
Issue 317, 20th December 2002:

Copyright 2020 Red Hat, Inc

Under development

An article published by eWeek earlier this year covered an incompatibility between the implementations of the digest authentication specification (RFC 2617) in Microsoft Internet Explorer and Apache, although no specific details were revealed in the article. More light was shed on the issue this week, as it was discovered that requests sent by Internet Explorer to a location protected by mod_auth_digest will always fail authorisation when the URL includes a query string (such as /cgi-bin/script.pl?id=foobar). This appears to be because Internet Explorer sends an incorrect WWW-Authorization header for such URLs. No workaround is known, though several techniques were suggested to avoid using query strings in protected locations: using POST for forms, or using PATH_INFO to avoid explicit query strings.
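The following is an added example, not code from Apache Week or from Apache, showing why a digest header that disagrees with the requested URL cannot authenticate under RFC 2617. It assumes the fault is that the header's uri value drops the query string (the page does not give the detail); `server_verify` is a simplified strict verifier, not mod_auth_digest, and all credentials and nonces are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth with the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the digest covers the uri value
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_fields(request_uri, password, drop_query=False):
    """Build the digest credential fields a client would send.
    drop_query=True models the assumed fault: uri loses its query string."""
    uri = request_uri.split("?", 1)[0] if drop_query else request_uri
    fields = {
        "username": "alice", "realm": "private",      # constructed values
        "nonce": "constructed-nonce-0001", "nc": "00000001",
        "cnonce": "constructed-cnonce", "uri": uri,
    }
    fields["response"] = digest_response(
        fields["username"], fields["realm"], password, "GET", uri,
        fields["nonce"], fields["nc"], fields["cnonce"])
    return fields

def server_verify(request_uri, fields, stored_password, method="GET"):
    """Simplified strict verifier: uri must equal the Request-URI, then the
    response is recomputed over the Request-URI and compared."""
    if fields["uri"] != request_uri:
        return "uri-mismatch"
    expected = digest_response(
        fields["username"], fields["realm"], stored_password, method,
        request_uri, fields["nonce"], fields["nc"], fields["cnonce"])
    if hmac.compare_digest(expected, fields["response"]):
        return "ok"
    return "bad-response"

if __name__ == "__main__":
    for uri in ("/cgi-bin/script.pl", "/cgi-bin/script.pl?id=foobar"):
        for drop in (False, True):
            result = server_verify(uri, client_fields(uri, "s3cret", drop), "s3cret")
            print(f"{uri!r:35} drop_query={drop!s:5} -> {result}")
```

Only the URL with a query string is rejected when the client drops the query, which matches the observation that protected locations without query strings are unaffected.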

In other news, Ryan Bloom's patch to add TLS upgrade support (as covered in issue 312) was committed to the Apache 2.1 CVS tree. The stable 2.0 tree was tagged on the 7th of this month to prepare for a 2.0.44 release; there has been little movement on a release since then.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

We start this week with a little bit of a Mac OS theme. David Wheeler builds on his earlier articles about the default Apache install on Mac OS X with an article: "Build Your Own Apache Server with mod_perl and mod_ssl". This article gives Mac OS X users everything they need to know about how to compile Apache with custom modules.

In "Getting Fit for the Holidays", Daniel Steinberg looks at interacting with Java programs remotely by taking advantage of the Apache Web Server that ships with Mac OS X. He takes a look at the newly released Fit framework and introduces some of the possibilities available for using CGI on a Mac.

Long-time Apache developer Randy Terbush is interviewed for "Companies need to plug in to open-source" and cites many examples of Apache Software Foundation projects.

"Eventually, it will be considered acceptable for a company to use the source code as it comes from the Apache Software Foundation to deploy an application, Web server or SOAP Web services stack. Or to use Linux as it comes from some other pre-distribution. Or to have their own variant of Unix or Apache in-house with their own modifications."

O'Reilly look at "Configuring Tomcat with IIS Web Server" by using the JK Connectors. This article follows on from "Configuring Tomcat and Apache With JK 1.2" and it is interesting to compare the two solutions.

ZDNet warn that you need to "Avoid security complacency", and cite an example where one of their own systems that was not kept up to date became compromised.

"Unfortunately one of our staff was on holidays... We missed a patch to the Apache Server SSL by a couple of days and during this time the Worm exploited a flaw in the SSL security"

However, fixes for the OpenSSL vulnerability mentioned were publicly available for over 45 days before the worm started infecting systems (much more than the "couple of days" quoted). Administrators should have had plenty of time to learn about the threat to their systems and respond to it by patching or upgrading the packages. The paper "Apache Security Secrets: Revealed", presented at ApacheCon 2002 by Apache Week's editor, Mark Cox, examines this specific issue in more detail.

Book Reviews

This month we were sent three out of the eight books in the Craig Hunt Linux Library series published by Sybex Inc. The first book is the second edition of "Linux Apache Web Server Administration" by Charles Aulds, followed by the second edition of "Linux System Administration" by Vicki Stanfield and Roderick W. Smith. Both books were published in September 2002 and reviewed by Craig Hunt. The third book is "Linux Network Servers", written by Craig Hunt himself and published in August 2002.

"Linux Apache Web Server Administration" is written for well-versed Linux administrators who use Apache as their web server in a small to medium-sized company. It provides good coverage of the topics needed to arm an administrator with sufficient knowledge to get the Apache web server up and running, and also to administer and maintain it.

Although this second edition has been updated to include Apache 2.0, it is not the definitive guide to Apache 2.0 since it does not focus on the new features of Apache 2.0 or the differences between Apache 1.3 and 2.0. This book is therefore not for experienced Apache web server administrators who are seeking guidance in migrating from Apache 1.3 to version 2.0. However, it is well suited to experienced Linux system administrators who are new to Apache as it is easy to understand, starts from the basics, and walks you through step-by-step instructions to ensure that you are well equipped to set up and maintain your very first Apache web server.

Read our full review

Apache Week giveaway

For a chance to get your hands on a copy of a set of books, "Linux Apache Web Server Administration", "Linux System Administration", and "Linux Network Servers", just match the punchline to this festive joke:

How do a group of penguins make a decision?
A) With a motor-pike and side-carp
B) At the whale-weigh station
C) Flipper coin

Send your answer to freebook@apacheweek.com to reach us no later than January 5th 2002. Your email address will not be used for anything other than to let you know if you won. One winner will be drawn at random from all correct entries submitted. One entry per person, no cash alternative, editors' decision is final, bah Humbug!

Holiday break

Apache Week will be back on the 10th January 2003. February 2003 will mark the start of our eighth year on the web; that's seven years of being the most comprehensive publication for users of the Apache Web server. You don't want to miss it!

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan