In this issue

After extensive testing, the Apache 2.0.32 tarball released last week was upgraded from being an alpha to a beta release. A total of one hundred and thirty changes have been recorded since the last beta release in November 2001, of which according to our calculations: 34 are bug fixes, 27 are portability fixes, and 17 are stability fixes; 10 new features are added, and 5 performance improvements (notably in mod_ssl and mod_include) have been made. The features added are:

• a ProxyTimeout directive
• FTP directory listing improvements for mod_proxy, as covered in previous issues
• a ProxyPreserveHost directive for passing the Host: header through unchanged from the client
• the worker MPM can use an unserialised accept() when a single listening port is configured
• the ProxyPass directive may be passed a "!" rather than a URL to disable the reverse proxy for a particular location
• the experimental mod_cache module can cache sub-requests
• the FileETag directive was added as covered in previous issues
• a ForceLanguagePriority directive added to mod_negotiation, to prevent possible error responses with some uses of Multiviews.
• the mod_auth_dbm and the accompanying htdbm tool now support many different database formats (depending on which database libraries are installed)
• the mod_deflate module has been added, adding experimental support for compressing content on-the-fly to browsers which accept compressed content

A discussion took place this week concerning how to determine exactly which browsers it is appropriate for mod_deflate to send compressed content to: the current module only allows text/html content to be compressed; but some people using specific clients found it useful to compress all content regardless of content-type.

SearchWebManagement.com has an archived webcast from Michael Scheidell on Migrating from IIS. The talk looks at who should consider migrating and the implications for application development, developer tools, downtime, costs, and performance. Michael talks about using Apache as one migration path, but also covers some of the commercial alternatives.

Various sites this week have been reporting on a battle between the Apache Software Foundation and Sun over Java licensing. vnu.net report "Apache on warpath over Java licence" based on comments in the official Apache JSPA position statement. Opinions can also be found on Slashdot.

The Apache XML Project have released the first stable version of their XML Security project, implementing Canonical XML and XML Signature. XMLhack reports that source distributions as well as binary distributions with Java example code are available.

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Apache: Handling Traffic" takes a high-level look at the various software and hardware solutions for providing a high-availability website. The methods discussed, from upgrading existing hardware to implementing load-balancing with fail-over mechanisms, can be applied to any Web server on any platform. It also touches on the pros and cons of replicating the content of a Web site across multiple local hard drives versus using "Network Attached Storage" (NAS).

Paul Lindner introduces Apache::TaintRequest in "Preventing Cross-site Scripting Attacks" and begins with an explanation of how this type of attack works. To solve this problem, we must always perform input validation, or ensure that input data is escaped before being displayed. He then shows us how to use this new mod_perl module to automate the tedious task of typing the same code over and over again to escape HTML data.

In "Build and run your own business Web server, part 1" Carla Schroder examines the various options in hosting a website. Part II of this series of business articles guides us through the basic steps of setting up Apache on Linux to host our own website. As the author put it, this second article is webmaster preschool so it only covers simple administration tasks.