ApacheCon 2001 Conference Report :

ApacheCon 2001 was held in Santa Clara, California from April 4th to April 6th. As promised, Apache Week was there to cover the conference.

The first day didn't get off to a good start as there were no signs in the hotel explaining where the conference registration was, [photo: "registration", 77K jpeg] so we ended up eating a breakfast provided for a different conference in the hotel. This turned out to be a good plan, as the ApacheCon breakfast wasn't nearly as good. Registration was quick and painless but even though conference proceedings were available on a CDROM, the registration bag contained hard copies of all the papers, running to three thick volumes well over 600 pages. Unlike the last ApacheCon there were no free goodies in the bag; last time we got a t-shirt and a pen, this time we just got marketing leaflets from companies sponsoring the event.

The schedule showed that ApacheCon had packed over 24 classes into the first day, running from 9am through to after 9pm. First up was the opening plenary presented by Ken Coar, and over 180 people packed the theatre [photo: "ken coar", 59K jpeg], [photo: "packed theatre", 169K jpeg] Ken gave a welcoming speech, details of changes to the schedule, and where to find lunch. Just under 200 proposals for sessions were received for this conference from which just 89 were picked. Sadly attendees we talked to afterwards said the session came across as unplanned and unprofessional for a conference of this type. This would have been a good opportunity to introduce the Apache Software Foundation or give a brief overview of the major events since the last conference.

We made use of the wireless Internet access available throughout the conference area to catch up on some work before attending the "birds of a feather" (BOF) session on clustered Apache services [photo: "BOF audience", 63K jpeg]. The group behind the Spread toolkit explained how to create reliable distributed clustering systems and showed examples of how Spread can be used within Apache. Apache-SSL has code that makes use of Spread to facilitate a shared session key server, although the toolkit can be used for much more complex tasks such as database replication.

Next, Harrie Hazewinkel gave a short but interesting talk on quality of service measurement, using SNMP to monitor and manage Apache. Harrie is the author of the Apache SNMP module, mod_snmp.

After the provided lunch, Jon "maddog" Hall from Linux International enlightened us with an entertaining and animated keynote speech [photo: "maddog", 64K jpeg]. He touched on trademark issues where people take advantage of the Linux name to create, for example "Linux University". These issues are of particular interest to Apache, and the ASF take care to protect the Apache name.

With the recent downturn in the technical sector he explained his business plan which involves combining microcomputing and microbrewing. "When the computer industry is at a low, beer drinking is at a high." he said. By combining both industries into a single course you can make sure you always have a job.

The keynote touched on issues to do with classification of machines, the accuracy of his predictions applied to the Internet, and look at Star Trek technology including communication badges, personal log computers, and female Borg.

Next we had intended to visit the talk on WebDAV and Apache with Greg Stein, but the small presentation room was overflowing with people, so much so that the talk was repeated later in the week for those that could not fit in the first time. Instead we went to see Giacomo Pati and his talk on Cocoon.

When we started developing Apache Week back in 1995 we looked at content-independent ways to store the issues. We actually wrote our own format, in a style similar to the Ventura publisher markup language. If we were to start again we'd definitely be using XML, in fact we already use XML for parts of Apache Week as well as the "In the news" section of the main apache.org site. We were interested in finding out more information about some of the XML publishing systems available, and this is the goal of the Apache Cocoon project.

Doug Tidwell spent some time explaining Cocoon 2.0 and focussed on serving up XML documents. The basic idea is that you write a XML representation of the resource you wish to serve together with an XSL stylesheet that shows how the XML is to be translated. The XSLT process is normally left to the server and is usually cached as the translation may take a significant time. In the future, browsers will be able to do this transformation themselves with the server just providing the XML and XSL files directly. Some browsers attempt to do this now, but support is still limited. Cocoon is able to pick which XSL stylesheet to use to render a page based on things such as the user-agent field.

Once you have an XML representation of your data you are not limited to just providing a translation to HTML, and we were shown tools that could convert the XML into other presentation types such as JPG and even the creation of dynamic PDF.

For the remainder of the day we decided to attend the talks on security. The first, "PKI with OpenSSL", aimed to show the applications for which OpenSSL can be used. OpenSSL is an open-source toolkit that implements SSL as well as many other cryptography and public key protocols. Before September last year the RSA patent prohibited the use of OpenSSL inside the USA.

Rodney Thayer explained that OpenSSL can do much more than act as the SSL layer for a secure web server as he went through the various standards as well as commands for general cryptography, certificate processing, and key storage. OpenSSL is now used in a large number of applications and is a product-grade general purpose cryptography tool.

The last class of the first day was a highly entertaining and animated talk by Ralf S. Engelschall, author of mod_ssl, mod_rewrite, and much more. The talk, "Security Solutions with SSL", covered the evolution of mod_ssl, described its features, and gave useful configuration examples. Each of the beautifully presented slides included an amusing quote to lighten up the atmosphere of this heavy subject.

The future of mod_ssl was discussed including the work currently going on to port it to Apache 2.0, add LDAP CRL handling, and a distributed session cache. mod_ssl will not need EAPI hooks for Apache 2.0, but other EAPI functions may be useful. It is not certain how this effort will fit into the work being done in Apache 2.0 on mod_tls and if we will end up with two SSL solutions like we have with Apache 1.3.

When asked about support for Win32 Ralf replied "if you really think that you can run a secure web server on Windows you've not understood security".

The second conference day was almost as packed as the first, with 25 talks and additional BOF sessions spanning from 9am until after 8pm. After the free breakfast doughnuts I decided to attend the BOF sessions on using Apache for serving multiple protocols. One of the aims for Apache 2.0 is that the HTTP engine is abstracted, and in particular APR is designed to be a portable layer that can sit beneath all sorts of applications.

The BOF gave a list of the protocols that have been examined so far including HTTP, FTP, POP, IMAP, IDENTD, and SNMP. It then looked at why you'd want to use Apache to do this when good applications for each of these protocols already exist. The main advantage is that you get a common infrastructure for all your applications so you can use one standard configuration format, one standard way of doing authentication and so on. You can also make use of the extensive tools such as the Rewrite module and SSL across all protocols.

The biggest requirement for the project is that the performance for serving HTTP requests should not be affected if you don't use Apache to serve any other protocols.

Once discussion moved to POP and IMAP support I was reminded of Jamie Zawinski's law of software envelopment: "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."

Each time a secure web server receives a connection from a new client it has to establish a new SSL session. This negotiation requires the server to perform a private key operation, usually with a 1024 bit RSA key. This operation is mathematically complex and is therefore time consuming. Hardware accelerators are designed to offload the most complex parts of this operation allowing more new connections to be established every second. Existing hardware units handle anywhere between 75 and 300 of these operations per second using a number of internal processors, and can cost up to US$15,000.

The OpenSSL project has recently been incorporating support for various hardware cryptographic accelerator cards. Until recently these accelerators were only supported by commercial secure servers. A number of these hardware vendors were invited along to a special BOF to discuss OpenSSL support and their units.

Representatives of nCipher, Rainbow, and GIGI attended and gave short talks about the capabilities of their hardware and how it was supported. nCipher stressed that the ability to keep your servers private keys on an external device, and scalability was more important than performance. Rainbow said that they concentrated on acceleration, having the fastest boards available.

Dr Lee Nackman of IBM gave a keynote entitled "Open Source and the Corporation". He said that IBM had an "open source zeal" and had developed internal processes that made working with open source projects less painful. Of course IBM wants to see a return from their investment, and in the case of their substantial contributions to Apache-XML they saw that it would open up new business models for IBM. They see themselves supporting the customer demand for Linux and being able to exploit the emerging technologies.

Looking to the future, he predicted an increase in web services and service-orientated web applications such as stock quotes, news, and increased integration with business processes.

Soon it was lunchtime, and at this conference the ApacheCon planners had decided not to schedule sessions overlapping with lunch. Instead lunch coincided with the opening of the exhibition hall [photo: "lunch queue", 80K jpeg] The turn out of exhibitors was disappointing, under half the number at the last ApacheCon, and a distinct lack of giveaways. I failed to find which company was giving away inflatable camels (or in fact why they were doing so) [photo: "apacheweek sign", 61K jpeg], [photo: "exhibitors hall", 98K jpeg], [photo: "exhibitors hall", 97K jpeg].

I skipped most of the afternoon sessions in order to finish off the Apache Week guide to the history of Apache 2.0 and catch up with some sleep.

Friday marked the last day of the conference, but the schedule was still packed with exciting talks and keynotes. For the first talk of the day we visited Mark Wilcox who was presenting "Apache and LDAP". The talk outlined the role that LDAP can play with Apache, looking at what directory services are, and how to make use of LDAP with Apache and Perl.

Mark explained that the aim of a directory service is to provide quick access to hierarchical information in a way that can be distributed and replicated. These services can be useful to Apache for authentication, authorisation, and perhaps even configuration. The HTTP protocol is stateless so user authentication needs to happen on every request. Rather than have every page request do a new database lookup, LDAP services are usually combined with some other system, such as cookies.

The Perl::LDAP module provides an easy way to interface to directory services from within Apache.

Jon Tigue gave an interesting presentation on extending directory indexes provided by mod_autoindex. By cleaning up the HTML produced by the module with a simple patch, the output from the module can be sent through an XML parser. When used in conjunction with clients that can parse XML this allows things such as the column sorting in the FancyIndexing without any server interaction.

After lunch a panel discussion took place about Apache on Windows. Ryan Bloom, William Rowe, Jeff Trawick, and Rich Bowen formed the panel but were greeted by only 20 attendees [photo: "win32 round", 77K jpeg].

The discussion formed around APR and how the implementation of this layer makes Apache 2.0 think that Windows is just another Unix. Even though Apache for Windows is designed to run best on NT (and hence Windows 2000), a substantial proportion of the audience wanted to keep support for Windows 95 and 98 for testing purposes.

The closing session hosted by Ken Coar saw only a fraction of the attendance of the opening plenary, but it was getting late on a Friday evening. With a panel of ASF members on stage [photo: "some ASF members", 52K jpeg], it was time for comments about the conference. The overall feedback was positive. Some complaints were there was poor Internet access, this was true if you relied on the computers provided but I found the wireless coverage to be excellent. One suggestion was that there should be less sessions in the evenings, leaving them free for more social interaction or BOF sessions. Another suggestion was to have talks that explained (probably in an unbiased way) the commercial products available that interfaced with or were based on Apache.

Overall I was very impressed with the conference. A lot of the problems from previous ApacheCon conferences had been addressed and the quality of the presenters was high. It was a shame that more exhibitors had not taken part as it seemed that a number of corners had been cut to save money. The only negative impressions were fairly minor; the food choices were limited (on Friday all the meal choices involved cheese making it difficult for Vegans to find things to eat), the conference was a long way from any other facilities (having a car was essential), and there were no fancy parties.

Wireless internet access was available throughout the conference rooms and I found it difficult sometimes to stay focussed on the speaker, missing parts of presentations whilst catching up on email without realising it.

With so many interesting talks I couldn't attend all of them and this report gives only a snapshot of the ones I thought would be interesting to me. ApacheCon has a variety of talks aimed at all technical levels, so you should definitely consider attending if you've not been to one before. With that, I end my report and hope to see you all at the next ApacheCon later this year!