1.0.5 is the current stable public release. The next release
will be 1.1, which is currently in beta test at version 4
(1.1b4). This might be the last beta release.
A new beta of 1.1 was released, version 1.1b4. It has a
number of changes over 1.1b3:
API access to the request structure r->bytes_sent
Previously broken multi-method <Limit> parsing fixed.
Some more possibly unsecure programs removed from the
More mod_auth_msql authentication improvements.
VirtualHosts based on Host: headers no longer conflict with
the Listen directive.
OS/2 compatibility enhancements.
POST now allowed to directory index CGI scripts.
Actions now work with files of the default type.
Bugs which were fixed: more mod_proxy bugs, early
termination of inetd requests, compile warnings on several
systems, problems when scripts stop reading output early
Several new bugs have been noticed and fixed in preparation
for a 1.1 release.
Attempts to limit access for PUTs, but to allow
unrestricted GETs would use a .htaccess (or
<Directory>) restriction like this:
However, this also affects GET requests. This is fixed in
the latest beta version.
On a similar aspect, there is a long-standing Apache bug
(or at least difference from NCSA), when a .htaccess file
like this is used:
deny from all
allow from .my.domain
This .htaccess is designed to restrict access based on
browser address, and not require any user authentication.
It is used in the NCSA tutorial on access restriction.
The problem is that Apache will ask for user
authentication, which fails because none has been setup.
Apache does this because of the Auth* directives, which
are unneccessary. The fix is to remove the Auth* lines.
Possible Keepalive Problem
There has been some reports of Netscape appearing to 'hang'
on connections to Apache. This seems to be due to
keepalives, where the client closes the connection and the
server does not notice. This seems to affect both Micrsoft
Internet Explorer and Netscape on Windows 95, and might be
a windows 95 problem.
Location in .htaccess
The 1.1 beta releases include a new directive,
<Location>, which behaves like <Directory> but
which can apply to URLs other than directories, such as
URLs which do not map onto files, or to individual files.
In fact, it is a good way of applying restrictions to
individual files. However, the <Location> directive
is only valid in the central configuration file (normally
access.conf), but it would be useful if files could be
restricted from .htaccess files as well. This might be
incorporated into a future version.
Whenever Apache handles a request, it processes .htaccess
files which determine access authorisation, and can set other
options (e.g. AddType). It checks and processes .htaccess
files in the same directory as the file it is serving, and
also in all the parent directories. For instance, if you
request the URL /docs/about.html and your document
root is /usr/local/etc/httpd/htdocs, Apache tries to
process .htaccess files in all these directories:
Normally, there will be no .htaccess files above the document
root, but Apache still needs to check the filesystem to make
sure. This can be eliminated by using the trick that if the
AllowOverride option is set to None, Apache doesn't bother
checking for .htaccess files. So set AllowOverride to None
for directory /, and turn AllowOverride back on for whatever
settings are really needed for the directory
/usr/local/etc/httpd/htdocs. For example, the following code
in access.conf would speed up Apache:
The second directory section turns on AllowOverrides, so that
.htaccess files are processed again. The 'All' can be
replaced with whatever level of configurability is wanted.