An article published by eWeek earlier this year covered an incompatibility
between the implementations of the digest authentication specification
(RFC 2617) in Microsoft Internet Explorer and Apache, although
no specific details were revealed in the article. More light was shed on
the issue this week as it was discovered that when requests sent by
Internet Explorer to a location protected by
mod_auth_digest where the URL includes a query string
(such as /cgi-bin/script.pl?id=foobar), authorisation
will always fail. This appears to be because Internet Explorer sends
an incorrect WWW-Authorization header for such URLs; no
workaround is known, though several techniques were suggested to avoid
using query strings in protected locations; using POST
for forms, or using PATH_INFO to avoid explicit query
In other news, Ryan Bloom's patch to add TLS upgrade support (as
covered in issue 312) was
committed to the Apache 2.1 CVS tree. The stable 2.0 tree was tagged
on the 7th of this month to prepare for a 2.0.44 release; there has
been little movement on a release since then.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
We start this week with a little bit of a Mac OS theme. David Wheeler
builds on his earlier articles about the default Apache install on Mac OS X
with an article:
Your Own Apache Server with mod_perl and mod_ssl". This article gives
Mac OS X users everything they need to know about how to compile Apache
with custom modules.
Fit for the Holidays", Daniel Steinberg looks at interacting with
Java programs remotely by taking advantage of the Apache Web Server
that ships with Mac OS X. He takes a look at the newly released Fit
framework and introduces some of the possibilities available for using
CGI on a Mac.
Long-time Apache developer Randy Terbush
is interviewed for "Companies need to plug in to open-source"
and cites many examples of Apache Software Foundation projects.
"Eventually, it will be considered acceptable for a company to use the
source code as it comes from the Apache Software Foundation to deploy
an application, Web server or SOAP Web services stack. Or to use Linux
as it comes from some other pre-distribution. Or to have their own
variant of Unix or Apache in-house with their own modifications."
O'Reilly look at "Configuring
Tomcat with IIS Web Server" by using the JK Connectors. This article
follows on from "Configuring Tomcat and Apache With JK 1.2" and it is interesting
to compare the two solutions.
ZDNet warn that you need to
"Avoid security complacency", and cite an example where one
of their own systems that was not kept up to date became compromised.
"Unfortunately one of our staff was on holidays... We missed a patch
to the Apache Server SSL by a couple of days and during this time the
Worm exploited a flaw in the SSL security"
However, fixes for the OpenSSL vulnerability mentioned were publically
available for over 45 days before the worm started infecting systems
(much more than the "couple of days" quoted). Administrators should
have had plenty of time to learn about the threat to their systems and
respond to it by patching or upgrading the packages. The paper "Apache Security Secrets:
Revealed" presented at Apache Con 2002 by Apache Week's editor,
Mark Cox, examines this specific issue in more
This month we were sent three out of the eight books in the Craig Hunt
Linux Library series published by Sybex Inc. The first book
is the second edition of "Linux Apache Web Server
Administration" by Charles Aulds, followed by the second
edition of "Linux System Administration" by Vicki Stanfield,
and Roderick W. Smith. Both books were published in September
2002 and reviewed by Craig Hunt. The third book is
"Linux Network Servers" written by Craig Hunt himself
published in August 2002.
"Linux Apache Web Server Administration" is written for
well-versed Linux administrators who use Apache as their web
servers in a small to medium-sized company. It provides a
good coverage of the topics needed to arm an administrator
with sufficient knowledge to get the Apache web server up and
running, and also administer and maintain it.
Although this second edition has been updated to include
Apache 2.0, it is not the definitive guide to Apache 2.0
since it does not focus on the new features of Apache 2.0 or
the differences between Apache 1.3 and 2.0. This book is therefore
not for experienced Apache web server administrators who are
seeking guidance in migrating from Apache 1.3 to version 2.0.
However, it is well suited to experienced Linux system
administrators who are new to Apache as it is easy
to understand, starts from the basics, and walks you through
step-by-step instructions to ensure that you are well equipped
to set up and maintain your very first Apache web server.
Read our full review
For a chance to get your hands a copy of a set of books
"Linux Apache Web Server Administration",
"Linux System Administration", and
"Linux Network Servers", just match the punchline to this
How do a group of penguins make a decision ?
A) With a motor-pike and side-carp
B) At the whale-weigh station
C) Flipper coin
Send your answer to firstname.lastname@example.org
to reach us no later than January 5th 2002.
Your email address will not be used for
anything other than to let you know if you won. One winner
will be drawn at random from all correct entries submitted.
One entry per person, no cash alternative, editors' decision
is final, bah Humbug!
Apache Week will be back on the 10th January 2003. February 2003 will mark
the start of our eighth year on the web; that's seven
years of being the most comprehensive
publication for users of the Apache Web server. You don't want to miss it!