Apache 1.3.6 Guide :

This is a guide to all the changes between Apache 1.2 and Apache 1.3.6. For each change, we say which version it was introduced in, so you can also use this feature to upgrade between 1.3.* versions.

First published 25th September 1998. Last updated 26th March 1999.

Apache 1.3.6 was released on 25^th March 1999 and is now the latest version of the Apache server. The previous release was 1.3.4 (version 1.3.5 was never made publically available). Apache 1.3.6 is available in source form for compiling on Unix or Windows, in pre-compiled form for many common versions of Unix, and in pre-compiled for as an single-file installer on Windows. All the pre-compiled forms also include full source code. All all available for download from any Apache local download site.

This is a bug fix and minor upgrade release, with a few new features. Users on Unix systems should upgrade to fix various bugs. Users on Windows systems should consider whether to upgrade, becausee htpasswd files that worked with 1.3.4 and earlier will not work with 1.3.6 unless updated.

The main new features in 1.3.6 (compared to 1.3.4) are:

• Logging can be conditional based on whether an environment variable is set or not (see the CustomLog directive).
• mod_rewrite has much faster DBM and TXT maps through the use of an internal cache.
• Passwords in htpasswd files can be encrypted with MD5 instead of DES. On windows this allows encrypted passwords for the first time, using the new bin/htpasswd.exe program.
• Access restrictions can be applied to all methods (known and unknown) apart from specific named ones, with the new <LimitExcept...> section.
• On Windows, additional Start menu items have been added and the bug where the conf files where not being created has been fixed.
• On Windows, it is now possible to tell Apache to use the registry to find how to execute CGI scripts based on the file extension, with the new ScriptInterpreterSource directive.

There are several new features in 1.3.4 compared to 1.3.3:

• A default language for documents can be set with the DefaultLanguage directive.
• Mappings from file extension to handler can be removed with RemoveHandler
• The negotiation module has been extensively updated to support the latest version of the HTTP/1.1 specification, to fix various bugs and inefficiencies, and to add some support for the transparent content negotiation RFCs.
• All the new HTTP/1.1 methods required for WEBDAV (distributed authoring) have been added, so that they can be used by third-party modules to implement the DAV specifications.
• A default order for fancy directory indexes can be set with IndexDefaultOrder.
• New options have been added to ./configure: --target sets the executable name, --permute-module sets relative module order, --with-layout sets the directory layout and --shadow has been extended to specify the shadow directory name.

There have been a number of important security fixes to Apache on Windows. The most important is that there is much better protection against people trying to access special DOS device names (such as "nul"). In addition, there is better processing of UNC paths, and Makefiles are now provided to allow Apache to be compiled on Windows 95.

Apache 1.3.3 and earlier came with three configuration files in the conf directory: httpd.conf, access.conf and srm.conf. This was for purely historic reasons: any directive can appear in any file, and the configuration files can have any filename (although the configuration file defaults to conf/httpd.conf unless overridden with the -f command line option).

Many people configure Apache using a single file, normally httpd.conf. This can be created by appending the contents of access.conf and srm.conf to httpd.conf, then removing access.conf and srm.conf. Apache 1.3.4 comes with this already done (although the access.conf and srm.conf files will exist containing a comment about why they are now empty).

There are many new features in Apache 1.3.4 when compared to Apache 1.2. The major features are:

• Support for Windows NT systems

  Apache now compiles and runs on Windows NT. It will also work, with slightly less functionality, on Windows 95. The current 1.3.4 release is not as well developed as the Unix version, and will be slower and may include some security problems (although it is much better than earlier 1.3 releases). For now it should be regarded as a "beta" quality release on Windows. See the separate section below on Apache for Windows.

• Better configuration and building process

  The Apache source files have been re-organised. Modules have been moved into sub-directories directories, making it easier to add additional modules. OS specific code has been moved into separate directories. A new command-line way of configuring and installing Apache has been added.

  The source file re-organisation has made it easier to add third-party modules. They can be dropped into a directory and, with the appropriate configuration command at build time, Apache will create the Makefile for the module and build it. Larger modules can have their own directory, and can integrate easier into the build process. If modules require additional libraries to command line arguments, they can add the required options themselves during the build process, without the user having to edit the Configuration file.

  The new way of configuring and building Apache is refered to in the source tree as "APACI". This provides a command-line method of configuring Apache rather than editing the "src/Configuration" file. This method also builds a Makefile which can be used to install Apache after it has been built. APACI consists of a new configuration program, called "configure", which should be given details of all the build options such sa destination directory, modules to be built and included, compiler to be used, and so on. This is the information previously placed into the "src/Configuration" file. "configure" will use a different directory structure during installation than the normal Apache layout, unless the --compat option if used.

• Support for dynamic modules

  Apache now supports loading of additional modules without having to recompile the source. This is refered to as "DSO" or "Dynamic Shared Objects" on Unix, and "DLL" on Windows. This means that a small Apache executable can be created, and other modules added as required. It also lets module developers release or sell modules in binary only form, ready to be loaded into a running Apache. With graceful restarts it is even possible to add or remove modules while Apache is running without any downtime. DSO and DLL functionality is provided by the new module mod_so. Modules can be built ready for dynamic loading with new directives in the src/Configuration file, or using APACI's "configure" script. Using the latter can also automatically build a correct configuration file for loading the dynamic modules. A program is also provided to build modules for dynamic loading without using the Apache source tree.

  Dynamic modules are supported on these operating systems: Windows, FreeBSD, OpenBSD, NetBSD, Linux, Solaris, SunOS, Digital UNIX, IRIX, HP/UX, UnixWare, AIX, ReliantUnix and generic SVR4 platforms

• Better performance

  There have been considerable internal changes to make Apache perform better than 1.2. Some of the more important changes are: the code which merges per-directory configurations (<Directory> sections) is more efficient, IP virtual hosts are looked-up in a hash table, less system calls are used when serving static pages, faster adaption to load spikes, less copying of data when assembling responses for sending to the client, and so on.

• Better security

  Public web servers are always open to the risk that someone will try to attack the server. Apache is carefully written to try to eliminate as far as possible the damage that this can cause. The most serious type of attack is where the attacker can gain some kind of unauthorised access to the server system. There are no known ways of doing this with recent versions of Apache. So attackers may decide to use a "denial of service" attack. This is where they know that they cannot get into the system, so instead they try to overload the server to prevent it being used by anyone else. Obviously there is little that can be done when someone decides to attempt to overload the server by sending more and more requests, because those requests are usually indistinguishable from real requests. The load on the server in this case will increase in direct relationship with the speed of the attack. However in Apache 1.2 there were some ways in which the attacker could make the load on the server increase much more rapidly than the speed of the attack. These have been eliminated in 1.3.

  To help server administrator limit the amount of resources used by attackers, there are now also a series of new directives which can be used to specify limits on the size of each request. The size of the request line, the number of request headers, the size of the request header lines, and the size of any request body can now all be limited.

  If the server administrator does not trust users on the server system (for example, if the server is a multi-user system for customers to provide web documents), there were additional potential denial of service attacks available in 1.2. These included putting extra long lines in .htaccess files or creating .htaccess files that were actually special devices. These have been eliminated in 1.3.2.

• Enhanced virtual host configurations

  Virtual host handling has been updated. For IP based virtual hosts, finding the virtual host for a given request is faster because the configurations are stored in a hash table. For name-based virtual hosts, the configuration has been made less ambiguous. It is now necessary to explicitly state which IP:port combination will be used for name-based requests, and requests coming in on this IP:port will only get served by virtual hosts defined for that IP:port. See Apache name-based virtual hosts.

  The order that virtual hosts are used in the configuration file has been reversed from Apache 1.2. Now the virtual hosts listed first in the configuration file have priority over those listed later.

  To help debug virtual host configurations, the new command line option -S displays how Apache has parsed the virtual host information in the configuration files.

The features above are the major changes between 1.2 and 1.3.4. This section lists most of the remaining changes, sorted into some broad categories. As well as new features, 1.3.4 has a lot of bug fixes compared with 1.2.X.

• Configuration parsing:
  • Multiple whitespace characters within quoted strings in configuration files are no longer compressed to a single space (1.3.2)
  • Better error checking in configurations: reports missing closing section directives, reports if directive which are not valid within <VirtualHost> sections are used in a <VirtualHost> section, reports invalid multiple arguments to <Files>, <Directory>, etc (1.3.0)
  • <DirectoryMatch> sections are applied after all <Directory> sections have been applied (1.3.0)
  • Include directive added to read additional configuration files (1.3.0). Extend to allow Include directive in .htaccess and <Directory> sections (1.3.2)

• Command line options:
  • Add a -t command line option for testing the syntax of the configuration files (does not check .htaccess files) (1.3.1)
  • Add ability to process configuration directives given on the command line. The option -c "directive" gives a directive to process before reading the configuration files, and -C "directive" gives a directive to process after reading the configuration files (1.3.0)
  • New command line option -V displays the options used when compiling Apache (1.3.0)
  • New command line option -S displays the virtual host configuration (1.3.0)
  • The -S option now does not attempt to start the server: it will exit after showing the virtual host configuration (1.3.4)
  • The -h, -l and -L options have changed meaning in 1.3.4. Previous -? gave a list of options, -l gave a list of directives and -h gave a list of modules compiled into the server. In 1.3.4, -h gives a list of options, -l gives a list of modules and -L gives a list of directives (1.3.4)

• Child processes, CGI and SSI:
  • Does not pass invalid environment variable names to child (CGI) processes. Any invalid character in a variable name is replaced with an underscore (1.3.0)
  • REMOTE_HOST environment variables is not set if IP cannot be resolved to a hostname (1.3.0)
  • Add SERVER_SIGNATURE environment variable containing the sigature as controlled by ServerSignature directive (1.3.3)
  • Add VARIANTS environment variable from the spelling module containing list of possible matching URLs (1.3.3)

• Logging and error messages:
  • The default text of a 404 error message changed from "File Not Found" to "Not Found" (1.3.0)
  • In log formats, %a logs the client IP address and %h now logs only the hostname (never an IP address). If no hostname is available for a given IP address, %h logs "-" (1.3.0)
  • In log formats, %v and %p log the server name and port from the configuration files, not the request (1.3.4)
  • In log formats, %V logs the hostname of the request, subject to the setting of UseCanonicalName. This is the same behaviour as %v in 1.3.3 and earlier (1.3.6)
  • Does not log an error about "handler not found" if a handler was found, but declined to serve the request (1.3.1)
  • The Apache parent process will log the reason why a child process dies, if it dies from an unexpected signal (1.3.0)
  • Logs client IP addresses in error_log messages (this was in 1.2, but not in 1.3.0 or 1.3.1. It is restored in 1.3.2)
  • Fix problem where mod_usertrack could corrupt the client hostname in the log files (1.3.1)
  • The reason for "500 Server Error" responses is passed to error documents in the ERROR_NOTES environment variable (1.3.2)
  • Logging can be conditional depending on whethe an environment variable is set or not (1.3.6).

• Proxy:
  • More accurate error responses can be returned from the proxy (1.3.6)
  • The proxy module now handles invalid responses from IIS (1.3.2)
  • Proxy module now prompts for FTP username and password, if required, to avoid storing that information in URLs and the access_log (1.3.2)
  • The proxy module now accepted reject requests with URL syntax http://host:/path (1.3.4)

• Performance:
  • More efficient <Directory> and <DirectoryMatch> section matching (1.3.0)
  • More efficient virtual host matching. Address * behaves like _default_ (1.3.0)
  • More efficient use of network: combines smaller network writes (1.3.0)
  • Faster response to load spikes, by first spawning one new child, then the next second two, then four and so on up to 32 children per second, until there are enough idle servers (1.3.0)
  • Efficient unbuffered CGI. As soon as the CGI stops sending output, it will be sent to the client. This replaces the old scheme where output was buffered up to a fixed size, or until the CGI process exited. This also replaces the old "nph-" prefix for getting unbuffered CGI output (which was not compatible with HTTP/1.1 or SSL layers anyway) (1.3.0)

• Security fixes:
  • Directives to limit size of requests, to avoid denial of service attacks based on sending extra big requests. Eliminate unnecessary processing when handing requests (1.3.2)
  • Avoid denial of service attacks if a configuration file (such as a .htaccess file) is a device file, by refusing to open device files apart from /dev/null which is still valid (1.3.0)
  • Correctly handle over-long lines in configuration files (1.3.0)
  • Fix denial of service attack by sending requests with lots of slashes in them (1.3.0)
  • Deny access to directories if a .htaccess file in that directory cannot be read (1.3.0)

• Better name-based virtual host support, using new directive NameVirtualHost. This gives the port:IP of interfaces which are used for name-based virtual hosts. Requests on this port can only match <VirtualHost> sections defined on that port:IP combination. Also reverse order of matching of <VirtualHost> sections so earlier sections override later ones(1.3.0)
• Detach from stdin, stdout and stderr after reading configuration files, so Apache can be started via rsh, etc (1.3.0)
• Directory indexes now dynamically size the width of the filename column (1.3.2). Columns can be sorted (1.3.0)
• Do not kill connections in progress when a TERM (shutdown) signal is received (1.3.0)
• Experimental support for passing symbols required by the Apache core through dynamic modules onto libraries loaded by those modules (Rule SHARED_CHAIN). (1.3.2)
• Expires headers will now be returned for content which is served from sources other than files, if configured with mod_expires (1.3.2)
• Header files can be included into C++ code (1.3.0)
• mod_negotiation has been overhauled to bring it up to the latest HTTP/1.1 revision 6 specification and to support some of the transparent content negotiation drafts (1.3.4)
• mod_negotiation also works around a bug in Lynx where it sends a header saying it understands transparent content negotiation, but it does not (1.3.6)
• mod_rewrite now correctly sets the HTTP/1.1 Vary: response header if decisions are made based on request headers (1.3.2)
• mod_rewrite has much faster DBM and TXT maps through the use of cacheing. (1.3.6)
• mod_status is now included by default. The new directive ExtendedStatus can be used to turn this module on (1.3.2)
• New script apachectl to start, stop, restart and check the status of Apache (1.3.0)
• SIGPIPE is no longer reserved for use by the Apache core while sending a response (1.3.6)
• Support for DES and MD5 encrypted passwords (1.3.6)
• Support has been added for the HTTP methods defined in the distributed authoring drafts (WEBDAV) (1.3.4)
• Support has been added for the new Expect: response header, as introduced in HTTP/1.1 revision 5 (1.3.4)
• The configuration directives are now all given in httpd.conf, and the default access.conf and srm.conf are empty (1.3.4)
• The PID file is removed when Apache exits (1.3.2)
• The meta information module (mod_cern_meta) can be configured on a per-directory basis (1.3.0)
• The status page now shows the "generation" of each child process (1.3.6)
• Try to avoid problems with eight-bit characters in URLs and configuration files (1.3.1)
• Use the supplied regex library on all systems, unless explicitly told otherwise (1.3.0)
• Various year 2000 compliance changes (these are minor changes, in things like log messages) (1.3.0)

The following modules have been added to this version of Apache. Of these, only mod_setenvif is compiled in by default. The other modules here are optional, and to use them you need to uncomment the appropriate line in Configuration and re-compile Apache.

• Dynamic loading of modules (mod_so)
  The mod_dld module from previous releases has been removed and replace with a much improved replacement, mod_so. This module supports dynamic loading of modules on most Unix systems and on Windows. This module was added in 1.3.0.
• Conditionally set environment variables ( mod_setenvif)
  The mod_setenvif module can be used to set environment variables based on headers on the incoming request or other aspects of the request (for example, the client hostname). The replaces the mod_browser module which set environment variables based on the User-Agent request header. This module was added in 1.3.0.
• Fix typos in URLs (mod_speling)
  This module can be used to correct simple typing errors is requested URLs, based on looking at real directory and file names. This modules was added in 1.3.0.
• Generic unique ID for every request ( mod_unique_id)
  This module generates a unique identifier for every hit. It was added in 1.3.0.
• Automatically work out MIME type ( mod_mime_magic)
  This module can be used to return a MIME type based on the contents of the file being served. This is similar to the Unix "file" command. Added to 1.3.0.
• Directory indexing module ( mod_autoindex)
  This new module contains the directory indexing functionality previously provided by mod_dir. See the section on mod_dir below.
• API Example (mod_example)
  This module provides example code for module developers.

• mod_dld replaced by mod_so
  See section above about mod_so.
• mod_browser replaced by mod_setenvif See section above about mod_setenvif.
• mod_dir split into two modules (mod_dir and mod_autoindex)
  The mod_dir module has been split into two modules. Both are included by default in an Apache build. The new mod_autoindex module supports creating directory indexes. The updated mod_dir now just supports the basic functionality of trailing-slash redirects and DirectoryIndex files. This means that if directory indexes are not required, the large mod_autoindex module does not need to be compiled into Apache. (Updated in 1.3.0)
• mod_auth_msql removed
  This module is no longer supplied with Apache, because there are a lot of possible databases and it is not possible to include all database modules into the Apache distribution. (Removed in 1.3.0).

This section contains summaries of changes for more unusual systems or systems not widely used by the main Apache developers. Sometimes these ports are not maintained after their initial inclusion in the Apache source tree. Changes to support the major platforms used by Apache developers (such as FreeBSD, Linux, IRIX and Solaris) are not listed here.

• Changed the name of the "OS/2" port from "__EMX__" to "OS2" (1.3.2)
• New port and binaries available for Windows NT (1.3.0)
• New port to Acorn RISCiX (1.3.0)
• New port to BeOS (1.3.0)
• New port to Cyberguard V2 port (1.3.4)
• New port to DRS 6000 (1.3.3)
• New port to Encore UMAX V (1.3.0)
• New port to HP UX 11 (1.3.0)
• New port to Linux with glibc (e.g. RedHat 5) (1.3.0)
• New port to NCR MP/RSA 3.0 (1.3.0)
• New port to PowerMAX OS (1.3.4)
• New port to Rhapsody (Mac OS X) (1.3.2)
• New port to SCO SV (1.3.0)
• New port to SONY NEWS-OS (1.3.0)
• New port to Sequent (1.3.0)
• New port to Siemens Nixdorf BS2000-OSD (1.3.0)
• New port to UnixWare 7 (1.3.1)
• New port toNEC EWS4800 (1.3.2)
• Recongnise UnixWare 7.0.1 (1.3.3)
• Updated support for ARM Linux (1.3.1)
• Updated support for LynxOS (1.3.0)
• Updated support for MPE (1.3.0)
• Updated support for NCR SVR4 (1.3.1)
• Updated support for NEXTSTEP (1.3.1)
• Updated support for QNX 32 bit systems (1.3.1)

Apache 1.3.0 was the first full release of Apache to support Windows systems. Some of the most important changes since the last 1.3 beta release are listed here.

• Add support for encrypted passwords (encrypted with the MD5 algorithm). Added bin/htpasswd to create and modify MD5 passwords (1.3.6)
• Errors from running Apache with -i or -u command line arguments are now displayed on the console rather than sent to the error log (1.3.6)
• Compile time default for the error log filename is error.log rather than error_log (1.3.6)
• New directive ScriptInterpreterSource which configures Apache to find a CGI file interpreter via the registry rather than via the #! line in the CGI file itself (1.3.6)
• The Apache executable now contains an icon (1.3.6)
• The binary installer now creates additional Start menu options for shuttind down a running console application and to uninstall the NT Apache service (1.3.6)
• Remove limit of 64 threads per process (1.3.2)
• Remove trailing "."s in path components, which are ignored by windows when accessing files so could be used to bypass security settings (1.3.1)
• Eliminate directory components consisting of three or more dots (e.g. "...") which can cause security problems (1.3.1)
• Make IndexIgnore case insensitive because the Windows filesystem is (usually) case insensitive.
• Set current working directory for CGI scripts (1.3.0)
• Pass environment variables to CGI scripts (1.3.0)
• Add ability to gracefully shutdown or restart Apache on Windows 95, without pressing Control-C in the Apache console window (1.3.3)
• Allow CGI child processes to die properly if the client aborts the connection (1.3.3)
• Handle paths like D:/ correctly (1.3.3)
• Handle drive letters sub-requests properly (1.3.3)
• A running console version of Apache can be restarted or shutdown with the -k command line option (1.3.3)
• Makefiles have been added to allow Apache to be build on Windows 95 (1.3.4)
• Various problems with UNC paths have been fixed (1.3.4)
• Possible security and denial of service attacks by use of special DOS devices have been removed (1.3.4)

This section lists the directives which are new in this release, or which have changed their behaviour or syntax. Note that directives provided by the new modules are not listed (see the documentation for the module concerned for its directives).

When upgrading from an earlier version of Apache, check this list to see if any of the directives in your configuration have changed.

• <DirectoryMatch>, <LocationMatch> and <FilesMatch> can be used to match sections using regular expressions. These are equivalent to the <Directory ~ ...> syntax (1.3.0)
• <IfDefine name >...</IfDefine> sections which are only used if Apache is started with a corresponding -Dname command line options (1.3.1)
• <LimitExcept method method ...> is the inverse of <Limit>. This contents of LimitExcept only apply if the request method is not listed as an argument. (1.3.6)
• AddModuleInfo provides additional text in mod_info output (1.3.0)
• AliasMatch, ScriptAliasMatch and RedirectMatch provide the ability to use regular expressions (1.3.0)
• AllowCONNECT to allow CONNECT requests on arbitrary ports (for proxying HTTPS requests) (1.3.2)
• CoreDumpDirectory gives the directory to use to dump core files, after receiving signals which cause core dumps (1.3.0)
• DefaultLanguage sets a default language to files without a language specified by an extension (1.3.4)
• ExcessRequestsPerChild Used on Windows systems only
• ExpiresActive to turn the expires module on or off (1.3.0)
• ExtendedStatus to turn on or off collected status information for display by mod_status. Off by default. Replaces the previous compile-time rule "Rule=STATUS" (1.3.2)
• Include specifies arbitrary configuration files to be read when this directory is processed (1.3.0)
• IndexDefaultOrder sets a default sorting order for fancy directory indexes (1.3.4)
• LimitRequestBody limits the size of the request message body (1.3.2)
• LimitRequestFields sets a maximum number of requests headers that Apache will accept (1.3.2)
• LimitRequestFieldsize sets a maximum size of any single request header (1.3.2)
• LimitRequestLine set a maximum request-line length that Apache will accept (1.3.2)
• ListenBacklog can set the size of the TCP backlog (the argument to listen()) (1.3.0)
• LogLevel sets the detail that will be logged to the error_log file. Possible values are "emerg", "alert", "crit", "error", "warn", "notice", "info" and "default". The default is error. (1.3.0)
• NameVirtualHost added to support better configuration of name-based virtual hosts (1.3.0)
• NoProxy in mod_proxy prevents proxying certain addresses (1.3.0)
• ProxyDomain in mod_proxy adds a domain to unqualified requests (1.3.0)
• ProxyPassReverse in mod_proxy lets Apache work as a "revere proxy", i.e. a front-end to multiple servers (1.3.0)
• ReceiveBufferSize in mod_proxy to control size of the receive buffer (like SendBufferSize) (1.3.0)
• RemoveHandler in mod_mime removes a mapping between a file extension and a handler name (1.3.4)
• ScriptInterpreterSource (valid on Windows only) can be used to tell Apache to file CGI interpreters via the registry. If set to "script" it uses the initial #! line from the CGI file, like previous versions. If set to "registry" it uses the registry to map the file extension to the interpreter. The default is "script". (1.3.6)
• ServerSignature can be used to turn on a "signature" in various automatically generated responses such as error messages. The possible values are "off" which is the default, "on" which uses a signature of the server version and hostname, and "email" which adds the mail address from the ServerAdmin directive (1.3.0)
• ServerTokens allows the Server: response header to be configured. Possible values are "min" which returns just the Apache version number, "OS" which also returns the operating system type, and "full" which returns the identifiers from any modules which request to be added. The default is "full". (1.3.0)
• ThreadsPerChild Used on Windows systems only
• UseCanonicalName is used to determine how Apache creates URLs pointing back to itself. The default value is "on" which means that Apache will use values from the configuration (i.e. ServerName and Port settings). If set to "on", Apache will use the information supplied by the client. (1.3.0). The use of this directive is now controlled by the Options override, rather than AuthConfig (1.3.4)

• <Directory> and <Location> sections defined in a virtual host override corresponding sections defined in the main server, rather than the other way around (1.3.0)
• <Directory> wildcards (* and ?) now do not match the forward slash character, to be compatible with shell expansions (1.3.0)
• <Directory>, <Files> and <Location> can now use [...] style wildcards (1.3.0)
• <Limit> now matches request methods on a case-insensitive basis, as required by the HTTP/1.1 specification (1.3.1)
• AccessFileName can take more than one filename argument (1.3.0)
• AuthName argument must be enclosed in double-quotes if it contains whitespace (1.3.0)
• CheckSpelling is now valid in per-directory locations (.htaccess files and <Directory> sections) (1.3.2)
• CustomLog can now take an additional argument env=[!]env-var which makes the logging conditional on the named environment variable being set (or, if ! is used before the env-var, unset) (1.3.6)
• CustomLog formats can contain or to represent a tab or newline character in the log file (1.3.6)
• FancyIndexing now no longer unsets any options already set by IndexOptions (from 1.3.2)
• HostnameLookups defaults to off (1.3.0)
• HostnameLookups has a new possible argument, double, which ensures that Apache only uses a remote hostname if it passes a double-reverse lookup. This replaces the MAXIMUM_DNS compile time option (1.3.0)
• IndexOptions has new arguments: NameWidth specifies the width of the filename column in directory indexes (1.3.2). SuppressColumnSorting turns off the links for sorting the output (1.3.0). SuppressHTMLPreamble prevents Apache outputting the start of the HTML response (1.3.0). IconHeight and IconWidth set the size of the icons (1.3.0). Options can now be added or removed with leading + or - (like Options) (1.3.3)
• LocationMatch no longer matches a single slash against multiple slashes in the request URL (1.3.0)
• RefererIgnore is now case-insensitive (1.3.0)
• RewriteMap now has two additional map types: "rnd" for randomreplacements, and "int" to use an internal function to make a replacement (1.3.0)
• SetenvIf and SetenvIfNoCase can now match an empty field with ^$ (1.3.1)
• TransferLog: if no log file is defined, Apache will not log requests. Previous versions would always log to the default filename (access_log) (1.3.0)
• Userdir can disable specific users, or can selective enable particular users (1.3.0)
• allow and deny can accept network/netmask and cidr formats. If hostnames are used a double-reverse lookup is always used (1.3.0)
• allow can be used to allow access based on environment varibales, with allow from env=variable. This is useful with the new mod_setenvif directives. The old allow user-agents syntax is no longer valid. (1.3.0)
• require can now accept TAB characters between arguments (1.3.3)

The conf directory contains examples of the four configuration files needed: httpd.conf, srm.conf, access.conf and mime.types. Each of these files has been updated slightly. In 1.3.4 all these files have been merged into the single conf/httpd.conf file.

• httpd.conf
  HostnameLookups is set to "off" to reflect the new default. LogLevel set to warn. LogFormatCustomLog is used instead of TransferLog. ServerSignature is set to "on".
• srm.conf
  A <Files .htaccess> section prevents access to .htaccess files.
• access.conf
  Apache now defaults to a much more restrictive set of permissions, by specifying AllowOverride none and Options FollowSymLinks in a <Directory /> section. This means that .htaccess files will not be processed unless turned on by another <Directory> section, and all options (except following symbolic links) are turned off. This is a much more secure initial configuration.
• mime.types
  New types for javascript, mpeg 3, VRML, CSS and XML documents. All currently known MIME types (as registered with the IANA) have been added (1.3.4)

New in the support directory are a web benchmark program (ab.c), a script to control the starting and stopping of the Apache server (apachectl), a perl script to compile modules for dynamic loading without using the source tree (apxs.pl), a perl script to resolve IP addresses in log files (logresolve.pl), a script to split logfiles based on virtual hosts (split-logfile), and manual pages for all these programs (1.3.0). The benchmark program has been overhauled and can now output HTML pages (1.3.6).

apxs can now pass arbitrary arguments on to the compiler or linker, with -Wc and -Wl respectively (1.3.4).

The httpd_monitor program has been removed since status information about Apache can be obtained via mod_status's output. (1.3.0).

The manual pages for ab and apachectl have been moved to section 8. (1.3.6).

• The new option --permute-module allows the relative order of modules to be specified (1.3.4)
• The default directory layout for make install is now the same as the layout that src/Configure uses. The new --with-layout option can be used to specify a different layout, for example --with-layout=GNU would use the previous default layout for ./configure (1.3.4)
• The new option --target=name can be used to give the binary a different name than the default "httpd" (1.3.4)
• The --shadow option has been extended to take an argument which is the name of the shadow directory to create (1.3.4)

Because of the various changes between 1.3.3 and 1.3.4, when upgrading you should beware of the following things:

• If you use ./configure to configure and compile Apache, be careful to ensure that you get the directory layout you want. If you previously used --compat, you can omit it. If you previously did not use --compat you must give --with-layout=GNU
• If you have can scripts which run Apache and use any of the arguments -?, -h, -l or -L, then they must be updated to use the new arguments (-h, -l, -L and -R, respectively)
• If you use the -S command line option to show the virtual host configuration and start the server running, you will have to do this is in two steps since -S will now exit without starting the server
• If you use UseCanonicalName inside .htaccess files, you must ensure that the Options override is in force rather than the AuthConfig override.
• If you used multiviews for content negotiation and relied on the fact that Apache read the variants from the disk in the directory order (rather than, say, alphabetically) you should check that the negotiation still works as expected (Apache now sorts the variants into order before using them, so that negotiation is not dependent on the usually arbitrary directory order of the files). This should not normally be a problem.

The first three items are described in more detail below.

If you configure Apache with ./configure you will have to change the options you use to set the directory layout. If you do not currently use an option to set the directory layout you will have to use an option in 1.3.4 because the default layout has changed.

There are two layouts for directories: the first is the "Apache" layout. This was used in all versions of Apache before 1.3, and in Apache 1.3 it is still used if you use src/Configure to configure and build Apache. The second layout was introduced by ./configure, and is called the "GNU" layout because it is similar to the standard layout used by GNU tools. This created two layouts within Apache 1.3.*: the Apache layout if src/Configure was used, and the GNU layout if ./configure was used (although ./configure could also be told to use the Apache layout with the --compat option).

Unfortunately this created a lot of confusion, and in particular many people thought that the GNU layout was the preferred directory layout for 1.3, because it was the default in ./configure. It is not: the preferred layout is the "Apache" layout, consistent with src/Configure and Apache 1.2.

In Apache 1.3.4, the Apache layout becomes the default layout for ./configure. If you have been using the --compat option, then you do not need it anymore. However if you did not use the --compat option (that is, you used the GNU directory layout) then you must now use --with-layout=GNU.

This table summarises the meaning of the directory layout arguments in each version:

Layout option	Meaning in 1.3.3	Meaning in 1.3.4
None	GNU layout	Apache layout
--compat	Apache layout	Apache layout (but not needed since this is the default)
--with-layout=GNU	Not valid	GNU layout
--with-layout=Apache	Not valid	Apache layout (but not needed since this is the default)

Various command line arguments have changed in meaning. This affects the -h, -l and -L options. This table shows the meanings of these arguments in both versions of Apache.

Option	Meaning in 1.3.3	Meaning in 1.3.4
-?	List command line options	List command line options (but use -h instead)
-h	List modules	List command line options
-l	List all directives	List modules
-L	Specify location of the core loadable module if built with SHARED_CORE	List all directives
-R	Not used	Specify location of the core loadable module if built with SHARED_CORE

So if you were using -?, change to using -h. Similarly, change from -h to -l, from -l to -L and from -L to -R.

Also, the -S option now exits after showing the virtual host configuration, rather than continuing and starting the server.

When upgrading from a 1.2 server to 1.3, the following changes will also be required:

• Virtual hosts are matched by looking from the first one downward in the configuration file, rather than from the last one. So you should consider reversing the order of your virtual host sections. Use the new -S option to check your virtual hosts configuration.
• If you use name-based virtual hosts read carefully the Apache documentation about them. This has changed considerably. If you server both name-based and IP-based hosts from the same IP:port combination you will need to change your configuration. In all cases you will need to add NameVirtualHost directives for each IP:port on which name-based requests can be received. Again, use the -S option to check your virtual hosts configuration.
• Check your AuthName directives (remember to check in .htaccess files as well) for multi-word arguments. If you have any, put quotes around the argument.

These bugs in 1.3.3 have been fixed in 1.3.4:

Windows-specific Bugs

• In some circumstances the configuration files in the conf directory are not installed. This can occur if the computer needs to be rebooted because a system DLL file was updated. For now a work-around is to re-install Apache again after the reboot, since the DLL will not need to be installed again. PR#3988.
• Requests for filenames containing non-ASCII characters such as accented characters gives a "Forbidden" error. PR#3890.
• If the ErrorLog directive is removed from the httpd.conf file, Apache will use the built-in default filename for the error log file. This should match the name given on the ErrorLog directive in the distributed httpd.conf file, which was error.log. However it would actually revert to the "Unix" name of error_log. From the next release it will default to error.log.

Other Bugs

• The default method of locking between processes on Linux has been changed from flock and fcntl, because of possible instability with flock in some kernel versions. PR#3531.
• In Apache 1.3.4, lines in the error log were being preceeded by "httpd: ". This will be removed in the next version to avoid breaking any automatic error log analysis programs.
• If a CGI returns a Set-Cookie header it was sometimes being duplicated in the response to the client. PR#3872.
• If the mod_info module was compiled as a DSO and the relevant lines uncommented in iin the distributed httpd.conf file, Apache would not start because the mod_info directive appeared before the line which loaded mod_info into the server. PR#3936.
• Fix potential buffer overrun problem. PR#3917.
• Added support for the standard file layout on Mac OS X (Rhapsody).
• apachectl gives an error if the PID file does not exist.
• The macro escape_uri was renamed to ap_escape_uri but no backward compatibility was provided from the old name. PR#3725.
• Using the mod_speling module where there were lots of possible matching files caused Apache to use more memory than a linear relationship to the amount of data being handled.
• It is recommended to use a single configuration file (typically conf/httpd.conf) but mod_info will log a warning message if it cannot read conf/access.conf or conf/srm.conf. PR#3656.
• With some browsers, Apache may not send a full response even though the file was updated on disk. This affects browsers which use HTTP/1.1 "etags" to ask servers for later versions of a file. Browsers known to do this are MSIE 4.1 and 5.0beta (older browsers used the modification time of the file). The problem is that Apache did not correctly compare the "etag" in the request with the "etag" of the file on disk (which will be different if the file has been updated). PR#3657.
• When using ./configure with the --with-layout=GNU the directory layout may be different from the default layout in Apache 1.3.3. This only occurs if the "prefix" includes a directory component named "apache", and results in directories containing unnecessary "httpd" components. This was an effect of a new feature in Apache 1.3.4 which allowed for the executable name of Apache to be changed from "apache". PR#3666.
• Compiler options starting with + cannot be used in EXTRA_CFLAGS in src/configuration. Most compilers use - for compiler options, but HP-UX's C compiler also uses +. PR#3681.
• The INSTALL file shows examples of commands to start and stop the server using apachectl. However it assumes that this script is in the sbin directory, but the default is now bin. PR#3727.