Apache Week
   
   Issue 342, 13th February 2004:  

Copyright 1996-2005
Red Hat, Inc.

Under development

Greg Ames has been working on a patch to speed up request processing when a handler is configured for a specific Location. In such configurations the directory tree corresponding to the location is currently still walked after the handler has been determined, which is unnecessary when the handler is already known to be "virtual" (serving content that is not based in the filesystem). The overhead of this unnecessary directory walk can be significant; discussion of how to eliminate it continues as the developers try to decide how this "virtual-ness" should be determined: manually, by a configuration option, or automatically, by logic in the module itself.

Until recently the compiled-in hard limit on the number of httpd child processes in the prefork MPM, the ceiling that the ServerLimit directive may not exceed, stood in the 2.1 development tree at the already generous-looking value of 20,000. Colm MacCarthaigh requested an increase to 100,000 after hitting the old limit on the newly released Linux 2.6 kernel on the production servers at the HEAnet mirror sites in Ireland. Colm notes that allowing this number of connections to a single machine requires listening on more than one IP address because of the limit on TCP port numbers: a connection is identified by the addresses and 16-bit ports at both ends, so a single server address and port can distinguish at most 65,535 connections from any one client address.


Security Reports

Apache-SSL optional client certificate vulnerability

A minor issue has been found which affects the third-party Apache-SSL module. If a server running Apache-SSL was configured with SSLVerifyClient set to 1 or 3 (client certificates requested but optional) together with SSLFakeBasicAuth, then Apache-SSL versions 1.3.28+1.52 and earlier would allow a client that presented no certificate to supply an ordinary HTTP Basic Authorization header in its place and so pass itself off as the holder of a client certificate. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0009 to this issue. Updates are available from apache-ssl.org.

This issue also affected versions of mod_ssl prior to 2.8.0 (released 30th January 2001).
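The following Python model is an added illustration of the class of flaw described above; it is not code from Apache-SSL or mod_ssl. Fake-basic-auth schemes work by rewriting a verified certificate's subject DN into a Basic-auth username paired with one fixed, publicly documented password (mod_ssl documents it as "password", stored as xxj31ZMTZzkVA in htpasswd form; the model assumes Apache-SSL uses the same constant). Because that password is known to everyone, the scheme is only safe if a client-supplied Authorization header can never reach the Basic auth check. The vulnerable variant below lets it through when no certificate was presented, the fixed variant discards it first; the DN, hostnames and request objects are constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# FakeBasicAuth-style schemes turn the subject DN of a verified client
# certificate into a Basic-auth username and pair it with one fixed, publicly
# documented password: mod_ssl documents it as "password" (xxj31ZMTZzkVA in
# htpasswd form). This model assumes Apache-SSL's SSLFakeBasicAuth is the same.
FAKE_PASSWORD = "password"


@dataclass
class Request:
    # Subject DN of the client certificate verified by the TLS layer, or None
    # when the client presented none (legal when verification is optional).
    client_dn: Optional[str]
    headers: Dict[str, str] = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Builds the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def check_basic(header: Optional[str], allowed_dns: Set[str]) -> bool:
    """Stands in for the Basic auth module: the password file lists every
    permitted DN as a username, each with the fixed FakeBasicAuth password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and user in allowed_dns and password == FAKE_PASSWORD


def authorize_vulnerable(req: Request, allowed_dns: Set[str]) -> bool:
    """Pre-fix behaviour with optional client certificates: a verified
    certificate overwrites the Authorization header, but when no certificate
    was presented the header the client sent is passed through unchanged."""
    if req.client_dn is not None:
        req.headers["Authorization"] = basic_header(req.client_dn, FAKE_PASSWORD)
    return check_basic(req.headers.get("Authorization"), allowed_dns)


def authorize_fixed(req: Request, allowed_dns: Set[str]) -> bool:
    """Closed form used by this model: with FakeBasicAuth in force, any
    client-supplied Authorization header is discarded first, so credentials
    can only originate from a certificate the TLS layer actually verified."""
    req.headers.pop("Authorization", None)
    if req.client_dn is None:
        return False
    req.headers["Authorization"] = basic_header(req.client_dn, FAKE_PASSWORD)
    return check_basic(req.headers["Authorization"], allowed_dns)


ALICE_DN = "/C=IE/O=Example Ltd/CN=Alice"  # constructed sample DN


def demo() -> Dict[str, bool]:
    """Runs a forged request (no certificate, hand-built header carrying
    Alice's DN and the well-known password) and a genuine certificate-backed
    request through both variants."""
    allowed = {ALICE_DN}

    def forged() -> Request:
        return Request(None, {"Authorization": basic_header(ALICE_DN, FAKE_PASSWORD)})

    def genuine() -> Request:
        return Request(ALICE_DN)

    return {
        "forged_vulnerable": authorize_vulnerable(forged(), allowed),    # True: bypass
        "forged_fixed": authorize_fixed(forged(), allowed),              # False
        "genuine_vulnerable": authorize_vulnerable(genuine(), allowed),  # True
        "genuine_fixed": authorize_fixed(genuine(), allowed),            # True
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:20} {'granted' if granted else 'denied'}")
```

In configuration terms the same effect is had by requiring certificates rather than merely requesting them (SSLVerifyClient 2 in Apache-SSL, or the equivalent require setting in mod_ssl) or by not combining fake basic authentication with optional verification at all; the model simply makes explicit why the optional case is the dangerous one.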

Bugtraq reports of configuration errors

Two new reports have been sent to the bugtraq mailing list claiming to have discovered Apache security issues; in fact, both simply describe configuration errors which lead to security problems.

The first report describes a configuration in which access to the root directory is set to Deny from all while AllowOverride FileInfo is also in effect; a request for any location not covered by looser access control will hence receive a "403 Forbidden" response. The reporter claims that because a local user can configure a custom ErrorDocument for 403 responses in a .htaccess file, they can circumvent the access control imposed on the root directory. In fact ErrorDocument is only honoured in .htaccess when AllowOverride FileInfo has been granted: therein lies the configuration error, since the administrator has deliberately delegated that directive to local users.

The second report concerns the use of Apache with the Resin application server: WEB-INF directories containing JSP source code must be protected using Directory containers rather than Location containers, since the latter match on the request URI and can be bypassed by URIs which name the same file non-canonically. The report details the use of a ".." filename suffix, which is ignored by the Windows filesystem, so a URI that does not textually match the Location still maps onto the protected directory.
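The Python model below is an added illustration of the Location-versus-Directory point above and is not code from Apache or Resin. It emulates a <Location /WEB-INF> rule as a textual prefix match on the request URI and a <Directory> rule as a match on the canonical filesystem path, using the Win32 rule (assumed here) that trailing dots and spaces in a path component are discarded; the document root and the sample URIs are constructed for the example.

```python
import posixpath
from typing import Dict

# Hypothetical document root of the Resin web application; the protected
# directory is WEB-INF directly beneath it.
DOCROOT = "C:/resin/webapps/ROOT"
PROTECTED_DIR = DOCROOT + "/WEB-INF"


def normalize_uri(uri: str) -> str:
    """Dot-segment removal of the kind httpd performs on the request URI
    before <Location> matching: "/WEB-INF/../x" becomes "/x", but a component
    such as "WEB-INF.." is an ordinary name and survives untouched."""
    return posixpath.normpath(uri)


def location_denies(uri: str) -> bool:
    """Emulates <Location /WEB-INF> with Deny from all: a textual prefix
    match against the URI, with no knowledge of how the filesystem will
    later interpret the name."""
    u = normalize_uri(uri)
    return u == "/WEB-INF" or u.startswith("/WEB-INF/")


def win32_component(name: str) -> str:
    """Win32 filename normalisation assumed by this model: trailing dots and
    spaces in a path component are discarded, so "WEB-INF.." and "WEB-INF"
    name the same directory."""
    return name.rstrip(". ")


def uri_to_filesystem_path(uri: str) -> str:
    """Maps the URI onto the document root the way the Windows filesystem
    will actually resolve it."""
    components = [win32_component(c) for c in normalize_uri(uri).split("/") if c]
    return "/".join([DOCROOT, *components])


def directory_denies(uri: str) -> bool:
    """Emulates <Directory .../WEB-INF> with Deny from all: the match is made
    against the canonical filesystem path the URI maps to."""
    path = uri_to_filesystem_path(uri)
    return path == PROTECTED_DIR or path.startswith(PROTECTED_DIR + "/")


def evaluate(uri: str) -> Dict[str, bool]:
    """Returns the verdict of both container styles for one request URI."""
    return {
        "location_denies": location_denies(uri),
        "directory_denies": directory_denies(uri),
    }


SAMPLE_URIS = [                      # constructed requests
    "/WEB-INF/web.xml",              # canonical name: both containers deny
    "/WEB-INF../web.xml",            # trailing-dot alias: Location lets it through
    "/WEB-INF /web.xml",             # trailing-space alias: same effect
    "/WEB-INF/../index.jsp",         # dot segments resolve outside WEB-INF: both allow
    "/WEB-INFO/readme.txt",          # sibling directory: both correctly allow
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        verdict = evaluate(uri)
        print(f"{uri:24} Location denies={verdict['location_denies']!s:5} "
              f"Directory denies={verdict['directory_denies']}")
```

The general lesson is the one the Apache documentation gives for filesystem content: authorise on the resource the server will actually open, not on the string the client chose to name it with, because only the former has been through the platform's own canonicalisation.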

These reports emphasise the need for server administrators to carefully review the documentation for Apache (for instance, the Security tips section) and also ensure that the configuration is adapted correctly for the set of modules in use.


In the news

IIS heads off Apache

Over the last couple of weeks a large number of publications have been circulating details of a new server survey by software company Port80. These include eWeek with their story "Survey Says: IIS Top Choice Among Most Popular Web Sites". Instead of counting all web servers on the Internet like the surveys from Netcraft and SecuritySpace, Port80 focus on a selected subset, in this case the top 1000 sites from Nielsen NetRatings. Apache comes in a close second place with just under 40% of the market share in this survey. This is a great improvement, as a couple of years ago a similar subset survey from BizNix found only 23% of the Global 500 were running Apache. Meanwhile Smutcraft find a whopping 88% of porn sites are kept up by Apache. It must be due to those patches everyone keeps mailing us about.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Newsforge provide a transcript of the recent IRC session with Apache developer and ASF board member Ken Coar.

Adam Pedersen squeezes every last drop of performance out of his Apache servers in "Introducing LAMP Tuning Techniques". He looks at common configuration tuning, managing Apache RAM usage, and how PHP and MySQL settings each affect performance.

Scott Robinson attempts to unravel mod_ssl configuration in his short article "Web Technologies: Use mod_ssl to configure Apache keys and certificates".


Apache Week Celebrates Its Eighth Birthday

This issue marks the eighth anniversary of Apache Week. Issue one was published on 9th February 1996, although it was only available on the Web until we started an email subscription option with issue 6.

When issue one was published, Apache version 1.0.0 had been out for just over a month. The current stable version was 1.0.2. According to Netcraft, Apache became the most widely used server in the April 1996 survey, reported in issue 9. Today Apache-based servers are in use on over 60% of the world's Internet sites.

The Apache 1.2 beta cycle started in December 1996 with 1.2b1 and continued until Apache 1.2 was released in June 1997 (issue 68). The 1.3 beta cycle started in October 1997 (issue 87) and continued until Apache 1.3.0 was released in June 1998 (issue 118). Whilst 1.3.0 was highly stable on Unix systems, it was much less mature on Windows.

In August 1998 the Netcraft Server Survey showed for the first time that Apache was in use on more than half the world's internet servers, and Ralf Engelschall released the first version of the popular mod_ssl module. In October the first official Apache conference, ApacheCon 98, was held in San Francisco and was a huge success, drawing nearly 500 registrations (issue 134). Three more Apache conferences have been held since then, with the most recent in Santa Clara giving attendees a unique opportunity to talk to the people behind the software.

Towards the end of 1998 Apache was recognised by Microsoft as a real and credible threat to their business in the leaked "Halloween" memos (issue 137). A few years later this was borne out when the Gartner Group recommended that enterprises consider moving away from IIS to alternatives such as Apache.

In July 1999 (issue 165) the Apache Software Foundation was formed with the aim to provide a legal framework for Apache and related open-source projects such as the Jakarta and XML projects.

The httpd team worked on Apache 2.0 for a long time, with initial plans reported in February 1998 (issue 102). In September 1999 (issue 173) we published an Apache 2.0 preview and stated that a beta version should be available in late 1999 or early 2000, although it was to take until April of 2001 before the first beta was released, and April of 2002 before general availability.

Even after the release of Apache 2.0, Apache 1.3 continued to receive updates for security issues as well as bug fixes and minor feature additions.

Apache Week is a weekly publication, but over the last couple of years we've missed out a number of issues. We've done this when there is little or no news as feedback from readers has shown that this is preferable to us sending out tiny issues with no useful content. Apache Week will continue to bring you the latest news about the Apache web server and its development, as it happens.


This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com