Featured Articles 2001

Each week Apache Week brings you our pick of the best Apache related articles from around the web. In this special feature we select our favourites from each category.

• The Developer Shed kicks off the new "Getting More Out Of Apache" series with virtual hosts and Server-Side Includes.

• In part 2 of "Getting More Out Of Apache", the Developer Shed shows you how to implement basic user authentication and set up access control groups. It also talks about Apache logging capabilities and the powerful URL rewriting module.

• "Setting up Apache with mySQL, Frontpage 2000 Extensions, and PHP NHF" is a Newbieized Help File (NHF) written by Dallas Engelken for newbies to get Apache up and running with Frontpage support in no time at all.

• In "Linux for Newbies, part 22", Gene Wilburn stresses on the benefits of compiling Apache and any related modules by hand. Instructions are given for removing existing Apache and PHP from one's system before compiling them again from source. By doing this, users control how the packages are built and choose the locations for the various parts.

• If you prefer to build Apache from source manually, you may be interested to refer to Apacompile which basically is a set of instructions and examples for compiling Apache and other common modules such as mod_ssl, mod_auth_ldap and mod_php. There are still some configuration samples yet to be completed.

• For those using Mac OS, here's a straightforward step-by-step tutorial on building Apache 1.3.22 and PHP 4.0 for Mac OS X 10.1 However, the instructions don't include integrating mod_perl or mod_ssl.

• The Developer Shed presents step-by-step instructions for building Apache, MySQL, WebDAV and PHP on Mac OS X. All these programs compile and run on Mac OS X due to its BSD-based UNIX core known as Darwin. To avoid confusion, the Apache Web server built is not enhanced with mod_ssl.

• Noel Davis looks at how to overcome an Apache on Mac OS X security issue which only involves those who store files on Mac OS X's HFS+ file system. Three workarounds are available for this problem.

• Kevin Hemenway unravels the mystery of the built-in Apache web server that comes with Mac OS X in his first article of a new series about serving web pages from a Mac. You'll learn how to start up Apache, access your personal home page, locate Apache's DocumentRoot, and customise the default web page. This is just the appetiser - there are more to come in the next installment when Kevin gets down to the crux of maintaining a full-fledged web site.

• Apache on Windows NT, how does it compare to Apache on UNIX or other web servers such as IIS? Apache Today has the answer. Windows users who are interested in using Apache but are discouraged by the apparent lack of online information about this topic may like to check this out.

• "A Feather in Your NT Cap" persuades users running Microsoft's Internet Information Server (IIS) on Windows NT to migrate to Apache on NT. It lists the three limitations of Apache's ISAPI implementation, describes two main ways of installation, gives an overview of the configuration, and shows you how to start Apache as an NT service.

• At WebTechniques.com, Jim Jagielski has a few tips for those who are providing web-hosting services in "Customer Number One". He looks at two methods for Apache on how to provide every customer with dedicated server performance and quality guarantees in a shared server environment as if he or she is the only customer. The first uses mod_throttle to control various parameters, such as the number of requests or the total bandwidth used on a per server, virtual host, location, directory or user basis. The second allows CGI scripts to execute under its own user and group ID using suExec. He also discusses the pros and cons of running multiple instances of Apache simultaneously.

• "Save Your Site from Spambots" teaches you how to use mod_rewrite to redirect "spambots", software packages that crawl the Web harvesting e-mail addresses and adding them to bulk e-mail lists, to a specific page that has "special" messages just for them. Since this method uses the content of the User-Agent: HTTP header to identify the "spambots", it won't prevent "spambots" that masquerade as other browsers from scraping e-mail addresses from your web site. Other solutions are presented as well and the one recommended is "spamtraps" - special addresses that are solely used for catching spammers. The author concludes that the best way to combat unwanted bulk e-mail is to immediately report spam to the ISP from which it originates as many times as it takes until the ISP takes the necessary actions.

• The administrators at evolt.org are "Using Apache to stop bad robots". In a short article they show how they capture robots that not only ignore the robots.txt file, but deliberately try to index files they are told not to.

• Morbus Iff develops a "Search Engine Friendly SSI Image Gallery" in his article on evolt.org. The article shows how to create a dynamic image gallery, using only the features built into a core distribution of Apache.

• WebmasterBase.com looks at the pros and cons of three methods of passing information to your web pages without the use of a query string so that your web site has search engine-friendly URLs. The methods are the implementation of PATH_INFO, .htaccess error pages, and the ForceType directive, and have been tested using PHP with Apache on Linux but they should also work on other platforms.

• Information Security Magazine presents an article on improving Apache and a case study on companies that swear by (not at) Apache in its April issue. It starts off by refuting the mindset that running Apache guarantees security although it readily admits that Apache deserves its reputation for being a secure Web server. Then it provides the steps for installing Apache and mod_ssl, securing the underlying Linux server, and testing Web applications for vulnerabilities.

• Sys Admin magazine presents Apache::Motd, an Apache module based on the "Message Of The Day" utility found on UNIX systems. It intercepts user's initial request and displays the contents of the motd file before serving the requested page. Carlos Ramirez, its creator walks us through the installation and configuration process.

• Linux Gazette provides three different options to redirect a request to another virtual host running on the same webserver. If you want to distinguish yourself from the boys, the solution is to use mod_rewrite under a Virtual Host container. It also shows you how to achieve the same results using a Perl script or the Redirect directive.

• "Apache CodeRed Countermeasures with PHP: codeRedKiller!" provides a solution on how to prevent Code Red requests from reaching your Apache Web server by using PHP and bash. Basically it uses a PHP script to record the source IP address of the request and then runs a shell script to set up a filter in your firewall to block any further requests from the same source. You could use a simple shell script to parse your Apache error log to obtain the source IP address instead of using PHP. This article also advises you to ensure that the source IP address is not spoofed. The drawback is that all other valid requests from the source IP address will be stopped from reaching your web server permanently until you remove the filter.

• Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm. One way is by using Apache::CodeRed written by Reuven M. Lerner. In this article, he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.

• Interested in setting up your own Net radio stations? Start then by reading this introduction to mod_mp3, a module that optimises the Apache Web server for streaming MP3s. Although mod_mp3 is still in its infancy, it already supports file-sharing and all the basic webcasting functions, with many more ambitious features in the pipeline.

• Chris Bush explains the basics of Tomcat configuration and includes instructions for integrating Tomcat with Apache in "Linux as an Application Server - The Tomcat Way". A good read for those interested in supporting Java Servlet 2.2 and JSP 1.1 with Apache Web Server.

• "JSP Quick-Start Guide" has been updated recently for use with Apache 1.3.22, Tomcat 4.0.1, and mod_webapp which is the new Apache connector module for Tomcat 4.x. This step-by-step tutorial shows you how to set up and run a JSP-enabled server under Windows. By the end of this, you'll have a basic JSP page working smoothly.

• This week, it's Apache and Tomcat again as Robert Eksten shows us how to set up Tomcat as an Apache add-on using mod_jk instead of mod_jserv. It is relatively simple as it only installs prebuilt components and the steps do not involve compiling source code.

• In "The Apache XML Project: How To Get Read All Over", Software Development magazine walks you through a project that uses Java, Jakarta Tomcat and Cocoon to serve XML documents.

• Lawrence Teo explains how to set up a web-based archive for a mailing list in Issue 72 of Linux Gazette. He uses Apache as the web server, Hypermail to convert the e-mail messages stored in a UNIX mailbox file to a set of cross-referenced HTML files, and cron to update the web-based archive periodically. He assumes that those three components have been installed on your system so only the instructions on how to configure them are provided.

• At LinuxWorld.com, Joshua Drake gives a guide on "How to save an Apache log file in a PostgreSQL database". The article gives a step by step guide to using the pgLOGd program with Apache.

• Introduction to WML, Apache, and PHP is a good starting point for developing PHP-enhanced WML applications on the Apache Web Server. Instructions are given on configuring Apache to accept and serve WML enabled decks. By the end of this, you will have your first 'simple' wireless page.

• PHPBuilder take a look at "using Webalizer to analyze Apache logs". Webalizer is a freely available log analysis tool written in C that is designed for speed; even on a modest machine it can handle tens of thousands of log lines a second. However it can be tricky to get Webalizer installed, so this article takes you step by step through how to get it installed and running.

• "You Can Get There from Here" part 1 and part 2 show you how to install, configure, and use Squirrelmail on your PHP4 enabled Apache web server. For better security, you can run Squirrelmail on a SSL-enabled Apache web server or implement Apache's basic authentication.

• "You Can Get There from Here, Part 5" shows you how to install, configure, and use Rolodap on your PHP4 enabled Apache web server. You need to compile PHP4 with LDAP support for this. In case you hadn't guessed it from the name, Rolodap is an electronic version of the traditional desktop rotary file of cards, usually used for registering contact information.

• John Lim presents his compilation of 22 tips on "Tuning Apache and PHP for Speed on Unix" in PHP Everywhere. The tips can even be applied to Perl and Python too.

• In "Tuning Your Apache Web Server", Don MacVittie shows us how to configure the directives in the httpd.conf file to achieve maximum performance. Users have to ensure that their hardware can support the volume of connections they are aiming for, before starting with the optimisation. As there are no hard and fast rules for tweaking the settings, the best configuration is obtained by trial and error - benchmarking the server after changing the directives each time.

• Ibrahim F. Haddad explains the results he got for testing the performance of three open-source web servers: Apache, Jigsaw and Tomcat on his experimental Linux cluster platform. He performs four type of tests, each with a different server and on 1, 2, 4, 6, 8, 10, and 12 CPU systems but only presents three comparison cases: Apache 1.3.14 vs. Apache 2.08a on one CPU, Apache 1.3.14 vs. Apache 2.08a on eight CPUs and Jigsaw 2.0.1 vs. Tomcat 3.1 on one CPU in this report. His conclusion is that Apache is considerably faster and more stable than the other web servers.

• Are your Web servers up to the strain of real-world usage? "HTTP Benchmarking" describes a sample benchmarking setup and shows you how to use httperf and Autobench to stress-test your systems.

• Joe "Zonker" Brockmeier walks you through the process of setting up and running a few benchmark tests against Apache using autobench and httperf in "HTTP Benchmarking, Part 2". The tests are performed on both the Debian x86 and SPARC distributions but will apply to any UNIX-based OS running Apache.

• In "HTTP Benchmarking, Part 3: Tips and Tweaks", Joe "Zonker" Brockmeier shows you how to tweak the Apache Web server to improve performance. Although he focuses on Linux systems, some of the tips can be applied on other systems as well.

• In "Performance Tuning by Tweaking Apache Configuration", Stas Bekman demonstrates how to fine-tune the MinSpareServers, MaxSpareServers, StartServers, MaxClients, and MaxRequestsPerChild directives to maximise the usage of your system resources and to ensure good performance. He uses the ApacheBench (ab) utility to benchmark the Apache Web server with around ten different combinations of parameter settings in the tweaking process.

• Jeffrey Carl gives a few tips on handy tools to use when troubleshooting server problems in "The Web Server First Aid Kit". Its approach can be applied to most Unix and Linux systems but it occasionally refers specifically to the Apache Web Server. Some of the problems it tackles are: figuring out the cause of slow response from server, unauthorized entry, and network misconfiguration.

• eWEEK Labs' latest Web server benchmark tests show that Apache 1.3.19 running on Linux displayed a huge 2.5 factor speedup in just two years of development time.

• Sys Admin magazine describes how to build an affordable load balancing cluster using the Apache HTTP server and the Apache JServ Java application server. It also provides some interesting benchmark test results.

• Last November (Apache Week issue 224), we mentioned that APR (Apache Portable Run-time) has spinned off into a separate project. In "Aid From APR", Ryan Bloom explains about its advantages and illustrates his point by comparing a APR segment of code with the native code.

• In CNet Builder.com, it's Ryan Bloom again as he talks about how Apache 2.0 is more than a web server as it has the potential to serve any protocol. He reveals the benefits of using a single server for multiple protocols and the way to implement it using Apache 2.0.

• Ryan Bloom kicks off a new series of columns about Apache 2.0 for O'Reilly Network readers with his first column - "Installing Apache 2.0". This piece proves to be merely a rehash of his previous Apache 2.0 articles except for a mention of mod_tls.

• In "Migrating from Apache 1.3 to Apache 2.0", Ryan Bloom shares his experience of porting the apache.org web server to Apache 2.0 with O'Reilly ONLamp.com's readers. He gives some tips on which Multiprocessing Module (MPM) to use, implementing filters, and how to solve the problem of IPv6 support.

• O'Reilly ONLamp.com brings you the latest information about filters for Apache 2.0 in Ryan Bloom's column. This article is just an introduction to the subject, covering some of the basic concepts of filtered I/O which is the ability for one module to modify the output of an earlier module, listing three standard filters included in the basic Apache distribution, and explaining what filter types are. Meanwhile, "Writing Apache 2.0 Output Filters" gives enough information for a developer to be able to write an output filter from scratch. According to Ryan, developers have improved the interface over the past few releases so that the complex task of writing filters becomes easier.

• Moving on from output filters, Ryan Bloom explains about writing input filters in his latest article in the Apache 2.0 series. He highlights three differences between input and output filters, covers the ap_get_brigade function, and walks readers through an example input filter in detail. After reading this, you can start writing your own input filters.

• In Ryan Bloom's swan song for the Apache 2.0 Basics series, he talks about one of the least publicised new features in Apache 2.0 which is allowing one module to call into another module to execute an operation. In Apache 1.3, for two modules to execute the same operation, the feature has to be implemented in both of the modules, making synchronisation of changes a tedious task. He uses the mod_include and mod_cgi modules to illustrate his points.

• In "Apache 2.0: The Internals of the New, Improved A PatCHy", Ibrahim F. Haddad gives an overview of Apache 2.0 and shares with us the results of his Apache 2.0.8 performance tests. In conclusion, he highly recommends that current Apache 1.3.x users upgrade to Apache 2.0 once the release version is available. Please refer to "Apache Portable Runtime Project" and multiprocessing modules (MPMs) if you require more information about these two subjects.

• "Learning PHP: The What's and the Why's" is the first article in a new series that aspires to teach everything about PHP, beginning with the basics of PHP to advanced subjects such as databases and XML support. This introductory piece briefs us on what PHP is, its history, and the reasons for choosing it over other languages.

• Make a trip down memory lane with Rasmus Lerdorf, creator of PHP as he guides us through PHP's origin, usage, syntax, and features in "Scripting the Web with PHP". It provides a good overview on all that PHP has to offer with simple examples that illustrate the concepts clearly. The topics covered are the four different PHP tag styles, ways to install PHP, how PHP handles variables and errors, manipulates strings, connects to relational databases, generates content in formats other than HTML, and manages session. He advises that the best way to learn PHP is to use it.

• While PHP is easy to learn, it is another story when it comes to getting it right. In his three part article series, Sterling Hughes imparts some advice on how to prevent 21 common mistakes made by PHP programmers. It is worthwhile to read through the list of textbook, serious, and deadly mistakes, and give yourself a pat on the back if you have managed to avoid all of them.

• "Best Practices: PHP Coding Style" stresses the importance of having a coding standards and sheds some light on the PHP PEAR Project.

• Find out more about mod_perl in the first of a series of updated articles by Stas Bekman. "Why mod_perl?" intends to entice you to give it a try by revealing mod_perl's popularity and presenting a few well-known sites that are powered by it. Now that you're hooked, you'll be glad to know that it only takes 30 minutes to get started with mod_perl and here's how to do it.

• Take23 shows us how to use Apache::PortCorrect (a Perl module) to redirect users from a nonsecure port over to a secure SSL port based on the URL that they are trying to access. This article is for those who are more at home using mod_perl with the Apache Web Server and mod_ssl than setting up a set of mod_rewrite rules to perform the same task.

• Stas Bekman talks about improving mod_perl performance. He starts off with choosing the right operating system and hardware in part I, comparing various benchmarking tools in part II and now in part III, he continues with code profiling and memory measurement techniques.

• In "Improving mod_perl Driven Site's Performance - Part IV", Stas Bekman delves into the benefits of using shared memory, and calculates the size of a process' shared memory and the real memory used.

• Stas Bekman continues with other techniques on saving even more memory in "Improving mod_perl Driven Site's Performance"". It does pay to be frugal.

• In Apache Today, "Improving mod_perl Driven Site's Performance Part VI" is haunted by zombie and ghost. Of course Stas is referring to "orphan" processes as he explains in technical terms why it is bad to fork subprocessess from mod_perl.

• The administrator at cgisecurity.com looks at some common fingerprints used in port 80 exploits with a few examples on how each attack signature may be implemented. It covers common malicious requests, commands which may be executed by worms, files which may be requested by attackers, buffer overflows, and hex encoding. Although it is not meant to be an exhaustive list, it is sufficient to help web server administrators identify attack patterns in their logs, and to add the appropriate rules to their Intrusion Detection Systems (IDS).

• In "Freeware Security Web Tools", Gary Bahadur talks about a few freeware Linux tools that can be used to perform footprint and vulnerability analysis, the first two phases of a web server security assessment. Among the tools mentioned are Nmap, Netcat (nc), Whisker, Cgichk.pl (a Perl-based scanner), Malice (also a Perl-based scanner), and Md-webscan.

• In "Safer CGI Scripting", Charles Walker and Larry Bennett cover methods to fix various CGI scripts vulnerabilities and touch on developing a CGI security strategy. Although the examples are written in Perl and C, they can also be applied to the scripting language of your choice.

• In PHP DevCenter, Darrell Brogdon looks at security issues relating to PHP when running PHP as either an Apache module or a CGI binary, and the ways to remedy them.

• PHP, a server-side HTML-embedded scripting language, offers web developers the convenience of generating dynamic page content, and supports a wide range of databases but PHP programs are vulnerable to security compromises if they are poorly written. "On the Security of PHP, Part 1" aims to minimise this risk by offering some guidelines on secure PHP programming practices. It begins with an overview of PHP, and then examines some of the most common security issues with PHP programs.

• "On the Security of PHP, Part 2" wraps up this two-parter by showing us how to secure PHP scripts with a combination of safe programming practices and PHP settings. It talks about how to use PHP safe mode, how to avoid the risks posed by files with a .inc extension, how to filter user input, and how to prevent scripts from changing PHP configuration options.

• "Avoiding security holes when developing an application - Part 6: CGI scripts" explores a few examples of poorly written Perl scripts which are vulnerable to security compromises. Before delving into the code, it gives an overview of how a web server works and explains about server-side includes (SSIs) for Apache. Perl developers are advised to use the "warning" option, "taint mode" option, and to specify "use strict" at the beginning of their Perl scripts.

• In the wake of the Code Red worm, Joe "Zonker" Brockmeier warns Unix and Linux administrators running the Apache Web Server not to let their guard down in this tongue-in-cheek but apt piece entitled "Thinking about Security". I'm sure many of you will find his advice on how to stop your boss from embarrassing himself useful.