Apache Week
   
   Issue 38, 25th October 1996:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache Status

Release: 1.1.1
Beta: None

Bugs reported in 1.1.1:
  • Function names in md5.c conflict with those in libdce.a, and possibly other libraries which use md5 functions
Bugs fixed in next release:
  • The last line in .htaccess and config files was being ignored if it did not include a trailing newline
  • A request for a CGI program which contained a PATH_INFO segment that was also a symbolic link, and where that symbolic link would be denied because the SymLinksIfOwnerMatch option was on, caused the script to fail and returned a 500 error.

The following items are under development and may be included in the next release of Apache. See our Apache 1.2 Sneak Preview for other new features in the next release.

HP-UX To Use Shared Memory

The 'scoreboard' containing details of what child processes are running is stored in special memory accessible by all the child processes and the parent process. Depending on the system this memory is obtained as either a memory-map (mmap), or as shared memory (shmem). The choice is made automatically based on the OS in use. In previous Apache releases, HP-UX systems used the 'mmap' memory by default. However there are problems with mmap on some versions of this OS, so a configuration directive NO_MMAP was added, which if set told Apache to not use mmap, but to use a scoreboard file instead. Now it seems all HP-UX system have 'shmem', so that is now the default for HP-UX, and there is no NO_MMAP option.

Virtual Host on Status Page

The status page will be updated to show the virtual host of the resource being processed by each child, if appropriate.

Request and Response Timeouts

The timeout code in Apache tries to ensure that if the remote client goes away and doesn't tell the server (e.g. if there is a network break or other serious problem), then Apache doesn't spend forever waiting for more data. The timeout period can be set with the TimeOut directive. By default, it is set to 1200 seconds (20 minutes). In terms of sending a file, this timeout is the maximum time Apache will wait between successful writes of data - not the total time to send the data.

This timeout is also applied when reading the initial request. However, typically requests will be much shorter than responses, so Apache could be waiting unnecessarily long for a request which never arrives. A possible solution would be to implement way of setting the timeout for reading a request to a different value from the timeout for sending the response. Sites which do not expect requests to take very long could set the request timeout to a lower value (say 60 seconds). Those sites which accept large requests (file uploads) could set this timeout much larger.


TCP Denial of Service Attacks

One way of attacking systems on the Internet is to try to prevent the target system from operating correctly by overloading it. This is called a 'denial of service' attack. One method of doing this is to open multiple connections to a server and never close them. The more connection the server has open at once, the more resources are tied up holding details of those connection, which can lead to increased load and eventually to the server running out of resources.

There are two main ways of doing this sort of attack: the first is to simply open the connection and not send any data. In this case Apache's timeout mechanism will automatically drop the connection after the timeout period. The second way is to appear to open or close a connection, but the to fiddle with the TCP transmissions to prevent the client from acknowledging the open or close. The remote host will hold the resources used for the connection until this acknowledgment is received. This is done within the operating system's implementation of TCP.

This sort of attack is not specific to Apache, nor to http servers, but is generic to any TCP-based server which listens for incoming connections (which included most host services). Attacks based on incompletely opening a connection is the subject of a CERT advisory.


Language Negotiation

In the HTTP/1.1 specification, each resource can be associated with one or more languages. Typically, most documents are not identified as being in a particular language, however sites with multilingual content can mark what language a document is in. This is done in Apache using the AddLanguage directive and using file extensions. For example, the following AddLanguage commands define file extensions to signify French, German and English:

  AddLanguage en en
  AddLanguage de de
  AddLanguage fr fr

(the first argument is the official language tag for the language, and the second argument is the file extension to use - in these examples, the file extension is the same as the language tag, although this is not necessarily the case).

To mark a document as being in a particular language, the language extension (from the AddLanguage directive) should be added to the file name. For example, to mark the file welcome.html as being intended for readers of English, rename it to welcome.html.en. Similarly, documents could be created called welcome.html.de and welcome.html.fr.

Normally, some form of content negotiation would be used to let the server automatically choose the best language in response to a query. The user would not know that there are multiple languages available, since the request URL would omit the language extension (it would consist of just http://server/welcome.html). This is implemented using either the MultiViews option, or a variants (var) file. This is explained in the Apache Week feature on content negotiation.

In Apache 1.2, language negotiation will probably be extended. Most importantly, each resource on the server can be identified with more than one language. For example, a document intended for both English and German readers could be stored in the file

  welcome.html.en.de

(In Apache 1.1.1, documents can only contain a single language).

If no document is acceptable to the browser (perhaps because it indicated it could only accept a language for which there is no document on the server), Apache will return a new "406" error status (this could also result for other types of content negotiation, such as negotiation based on media type, character set and encoding). A 406 response indicates that the document does exist but not in an acceptable form based on the browser's preferences. It will then list all the forms it is available as, in an HTML document with links. The user can then decide which (if any) of the forms they would like to see.


Comments or criticisms? Please email us at editors@apacheweek.com