In this issue

Apache 1.1 implements a lot of new features, and some changes to existing features. This is a short summary. For more details, see the Apache Week special Guide to 1.1.

Apache 1.1 implements persistent connections using Keep-Alives. It can handle virtual hosts without using additional IP addresses. The main server can listen to specified IP addresses and/or ports, and it can listen to more than one at once.

New modules provide details of the current configuration and the server's running status. Other new modules implement a means of passing environment variables to CGI programs, permitting 'anonymous' access to authenticated areas, and the use of more secure 'digest' authentication.

Internally, Apache now implements 'handlers' as a means of identifying processing to be applied to requests, which was previously done by using special 'magic' mime-types. CGI programs can now be called for particular extensions (mime types) or for a given request method (e.g. to implement a PUT script).

An initial proxy cache module is included, but the code hasn't been as fully tested as other parts of the server, so might still be a little unstable. The imagemap module has been overhauled, providing new directives and functionality.

It is now possible to turn off resolving hostnames at run time, and to use ErrorDocument and Redirect in .htaccess files.

Apache 1.1 is mostly a drop-in replacement for older versions. However there are some small changes over 1.0.*, which are listed here.

Upgrading to 1.1 is mostly a case of download the new server (either binary or source followed by compilation) and replacing the old binary. Then the new features can be tried and used. The following is a list of changes to existing functions that might affect a site.

• <Limit>
  The <Limit> directive now applies only to methods explicitly listed. Previously it applied to all methods. Any sites relying on this unexpected effect might need to update their configurations. For example, the directive <Limit POST> used to limit GETs as well. If the intention is to limit GETs, it will need updating to <Limit GET POST>.
• AuthUserFile
  In an effort to make .htpasswd files more secure, the AuthUserFile directive should now be given a full path file. Previously a filename could be given, should was assume to reside in the current directory. Since this is below the document root, it meant that the .htpasswd file itself could be retrieved by anyone.
• XBitHack
  XBitHack behavour now only applies to files on type text/html. Previously files on any type would be parsed for includes, including binary files. This prevents this happening, but might affect unusual sites which use includes in files other than text/html.
• Imagemap
  The imagemap cgi-bin program is no longer distributed. The built-in imagemap module should be used instead.
• Scoreboard File
  The record of child processes (the scoreboard) is no longer stored in a file on most systems. On systems which implement shared memory, the scoreboard is now kept in memory, which should result in better performance. This means that the httpd_monitor program has nothing to monitor, and should not be used. Some systems cannot use shared memory, so these will continue to use a scoreboard file.

Despite the beta testing, a couple of bugs managed to crawl into the release. With software as complex as the Apache server, this should not be a big surpise, and no doubt others will be found. Expect a bug fix release in the near future.

• Redirect in .htaccess problems
  Using the Redirect directive in .htaccess files does not work properly. Using Redirect in the server configuration files works fine, so this will only affect people making use of the new ability to put Redirects into .htaccess files. Because of the bug, this should not be done.
• Cookies log format
  The user tracking module, mod_cookies, can output incorrect log lines.

In Issue 20 we reported on a possible problem with Keep-Alives. We got the problem back-to-front. It should have read

... "This seems to be due to keepalives, where the server closes the connection and the client does not notice" ...