Greg Ames has been working on a patch to speed up request
processing when a handler is configured for a specific Location.
Currently in such configurations, the directory tree mapping to
the location is still traversed after a handler has been
determined, which is unnecessary when the handler of the request
is already known to be "virtual" (rather than based in the
filesystem). The performance overhead of this unnecessary directory tree walk
can be significant; discussion of how to eliminate it in continues as the
developers try to determine how this "virtual-ness" should be
decided: whether manually by configuration option, or
automatically by logic in the module itself.
The default hard limit on the number of httpd child processes
in 2.0's prefork MPM stood at the already unreasonably high
value of 20,000 until recently in the 2.1 tree. Colm
MacCarthaigh requested an increase to 100,000 after hitting the
old limit using the newly released Linux 2.6 kernel on the
production servers at the HEAnet mirror sites in Ireland.
Colm notes that allowing this number of connections to a single
machine requires listening on more than one IP address due to
the limit on (16-bit) TCP port numbers.
A minor issue has
been found which affects the third-party Apache-SSL module. If a
server using Apache-SSL was configured with
SSLVerifyClient set to 1 or 3 (client
certificates optional) and SSLFakeBasicAuth,
then Apache-SSL versions 1.3.28+1.52 and prior would permit a client
to use real basic authentication to forge a client certificate.
The Common Vulnerabilities and Exposures project
has assigned the name
to this issue.
available from apache-ssl.org.
This issue also affected versions of mod_ssl
prior to 2.8.0 (released 30th January 2001).
Two new reports have been sent to the bugtraq mailing list claiming
to discover Apache security issues: in fact, both simply reveal
configuration errors which lead to security problems.
The first issue details a
configuration where the root directory has access control is set to
Deny from all along with AllowOverride
FileInfo; a request to a location not covered by looser access
control restrictions will hence generate a "403 Forbidden" response.
The reporter claims that because a local user can configure a custom
403 ErrorDocument response in a
.htaccess file, they can circumvent the access control
restrictions imposed on the root directory. In fact,
ErrorDocument is only permitted in the
.htaccess when AllowOverride FileInfo is
used: therein lies the configuration error.
The second report concerns the use of Apache with the Resin
application server: access control to WEB-INF directories containing JSP
source code must be protected using Directory containers
rather than Location as the latter can be bypassed by
URIs which use non-canonical filenames. This report details use of
the ".." filename suffix which is ignored in a Windows
These reports emphasise the need for server administrators to
carefully review the documentation for Apache (for instance, the Security
tips section) and also ensure that the configuration is adapted
correctly for the set of modules in use.
Over the last couple of a weeks a large number of
publications have been circulating details of a new server
survey by software company Port80. These include eWeek with
their story "Survey
Says: IIS Top Choice Among Most Popular Web Sites". Instead
of including all web servers on the Internet like surveys from
Netcraft and SecuritySpace, Port80 instead focus on a selected
subset, in this case from the top 1000 Nielsen NetRatings.
Apache comes in a close second place with just under 40% of the
market share in this survey. This is a great improvement, as a
couple of years ago a similar subset survey from BizNix found only 23%
of the Global 500 were running Apache. Meanwhile Smutcraft find a whopping
88% of porn sites are kept up by Apache. It must be due to those
patches everyone keeps mailing us about.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
a transcript of the recent IRC session with Apache developer and
ASF board member Ken Coar.
Adam Pedersen squeezes every last drop of performance out of his
Apache servers in "Introducing
LAMP Tuning Techniques". He looks at common configuration tuning,
managing Apache RAM usage, and how PHP and MySQL all have an effect on
Scott Robinson attempts to unravel mod_ssl
configuration in his short article "Web
Technologies: Use mod_ssl to configure Apache keys and certificates".
This issue marks the eighth anniversary of Apache Week.
was published on 9th February 1996, although it was
only available on the Web until we started an email
subscription option with issue 6.
When issue one was published, Apache version 1.0.0 had been
out for just over a month. The current stable version was
According to Netcraft,
Apache became the most widely used server in the April 1996
survey, reported in issue 9.
Today Apache-based servers are on use on over 60% of the
world's Internet sites.
The Apache 1.2 beta cycle started in
December 1996 with 1.2b1 and continued until Apache 1.2
was released in June 1997 (issue
68). The 1.3 beta cycle started in October 1997
and continued until Apache 1.3.0 was released in June
1998 (issue 118)
Whilst 1.3.0 was highly stable on Unix systems, it
was much less developed on Windows.
In August 1998 the Netcraft Server Survey showed for the
first time that Apache was in use on more than half the
world's internet servers, and Ralf Engelschall released the
first version of the popular mod_ssl module. In
October the first official Apache conference, ApacheCon 98,
was held in San Fransisco and was a huge success drawing
nearly 500 registrations (issue 134)
Three more Apache conferences have been
held since then, with the most recent
in Santa Clara
giving attendees a unique opportunity to talk to the people
behind the software.
Towards the end of 1998, Apache was recognised by Microsoft
as a real and credible threat to their business in their
leaked memos (issue 137).
A few years later this was proven when the Garner Group
suggested all IIS users switch to something more secure, like Apache.
In July 1999 (issue 165)
the Apache Software Foundation was formed with the
aim to provide a legal framework for Apache and related
open-source projects such as the Jakarta and XML projects.
The httpd team worked on Apache 2.0 for a long
time, with initial plans reported in February 1998
In September 1999 (issue 173)
we published an Apache 2.0 preview and stated that a
beta version should be available in late 1999 or early 2000,
although it was to take until April of 2001 before the first
beta was released, and April of 2002 before general availability.
Even after the release of Apache 2.0, Apache 1.3 continued to
receive updates for security issues as well as bug fixes and minor feature additions.
Apache Week is a weekly publication, but over the last couple of years
we've missed out a number of issues. We've done this when there is
little or no news as feedback from readers has shown that this is
preferable to us sending out tiny issues with no useful content.
Apache Week will continue to bring you the latest news about
the Apache web server and its development, as it happens.