In this issue
Release: 1.1.3 (Released 14th January 1997)
Beta: 1.2b8 (Released 8th April 1997)
Bugs reported in 1.2b8:
Bugs fixed in next release:
- Redirect currently ignores any query-string
  arguments
- Not all versions of Linux have shared memory which is used
  by the scoreboard. Now defaults to using a file (as in
  1.2b6 and earlier). (See Under Development, below).
- Problem with mod_rewrite re-writing rules inside .htaccess
  files and <Directory> sections when
  using RewriteBase.
- rotatelogs (an optional logging filter, in the
  support directory) creates files containing
  the date and the number of seconds since 1970 (Unix time
  epoch). The number of digits in this number will increase
  on 8th August 2001, which will mean that an ls of the
  directory containing the logs will no longer be in date
  order. Fixed to always output 10-digit numbers, padding
  with a leading zero until that date.
- Attempting to do a Redirect on a file selected
  from a DirectoryIndex list generated a core
  dump.
Patches to some Apache 1.2b8 bugs are available in the 1.2b8
patches directory on the Apache site. At time of writing,
there are three patches for the optional proxy modules. They
fix compile problems on SunOS 4, FTP sites with spaces in
filenames, and remote sites with multiple IP addresses.
For details of all previously reported bugs, see the Apache
bug database.
Apache is currently in a 'beta release' cycle. This is where
it is made available prior to full release for testing by
anyone interested. Normally during the beta cycle no new
major features will be added. The full release of Apache 1.2
is expected in April.
Hard Server Limit Configurable
The number of simultaneous requests that Apache can handle is
set by the MaxClients directive. This defaults
to 256, but can be set lower if necessary to prevent the
server being overloaded. However it cannot be set higher
without recompiling Apache. This is because Apache has an
internal limit, called the "Hard Server Limit". In previous
releases, this could be increased by editing the definition
of HARD_SERVER_LIMIT in httpd.h. From the next release this
can be configured without altering the source code - by
setting the compilation directive
HARD_SERVER_LIMIT on the CFLAGS line in
Configuration. The value set for this define
will become the default of MaxClients after
Apache is re-compiled.
Apache API Example Module
The next release of Apache will come with a fully-coded
example of the Apache module API. This sample module, called
mod_example, is not compiled in by default. However if it is
configured in, it shows in detail the sequence of API calls
during the processing of each request. It also includes
sample code to set directives and other parts of typical
modules.
<Files> can be used with Negotiation
In current versions of Apache, if a file is returned after
negotiation any <Files> sections that apply to that file
are ignored. For example, if the .htaccess file contains
<Files ~ "logo.gif$">
.. directive ..
</Files>
and a negotiated request is made for "logo" which is
satisfied by "logo.txt", any settings given by
"..directives.." are ignored. This is because the response is
based on the directives handled for the original request
(logo) and not those read for the actual file (logo.gif).
This is fixed in the next release (actually it is partially
fixed in 1.2b8, but some directives may still be ignored).
Allow and Deny by Arbitrary Subnet
The normal allow and deny directives allow partial IP
addresses to be specified, for example, 192.168.1 would allow
or deny all machines with addresses starting 192.168.1. This
corresponds to addresses with a network specified with a
subnet mask of 255.255.255.0. Apache can currently only
handle restrictions when the subnet mask uses a byte boundary
(i.e. 255.255.255.255, 255.255.255.0, 255.255.0.0 or
255.0.0.0). If the subnet is based on any other boundary the
addresses of the machines would have to be listed
individually on the allow or deny line.
A contributed patch will be available shortly to allow other
subnets to be used (this will not be incorporated into 1.2 at
this stage). For example, if you want to restrict all the
machines in the range 172.16.0.0 through 172.31.0.0 you could
now use the extended address syntax
allow from 172.16.0.0/12
The /12 part gives the number of bits in the net
mask. When an address is matched against the restriction,
only the first 12 bits will be used.
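The prefix-length matching described above, as an added example (not code from the contributed patch or from Apache itself). It builds the mask for a prefix such as /12 and compares only the masked bits; the function names prefix_to_mask and cidr_match are hypothetical, IPv4 only is assumed, and the client addresses are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a full dotted quad into a host-order 32-bit value; 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Netmask for a prefix length, e.g. /12 -> 255.240.0.0 (0xFFF00000). */
uint32_t prefix_to_mask(unsigned bits)
{
    /* A 32-bit shift by 32 is undefined in C, so /0 is handled separately. */
    return bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
}

/* 1 if addr is inside spec ("network/bits"), 0 if outside, -1 if malformed. */
int cidr_match(const char *spec, const char *addr)
{
    char net[32], extra;
    unsigned bits;
    uint32_t n, a;
    const char *slash = strchr(spec, '/');
    if (!slash || (size_t)(slash - spec) >= sizeof net)
        return -1;
    memcpy(net, spec, (size_t)(slash - spec));
    net[slash - spec] = '\0';
    if (sscanf(slash + 1, "%u%c", &bits, &extra) != 1 || bits > 32)
        return -1;
    if (!parse_ipv4(net, &n) || !parse_ipv4(addr, &a))
        return -1;
    /* Only the leading `bits` bits of each address are compared. */
    return (a & prefix_to_mask(bits)) == (n & prefix_to_mask(bits));
}

int main(void)
{
    /* Constructed sample clients on either side of 172.16.0.0/12. */
    const char *c[] = { "172.15.255.255", "172.16.0.1", "172.31.255.255", "172.32.0.1" };
    for (int i = 0; i < 4; i++)
        printf("%-15s %s\n", c[i], cidr_match("172.16.0.0/12", c[i]) == 1 ? "match" : "no match");
}
```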
Apache maintains a "scoreboard" which is used by the parent
process to keep track of the children. With additional status
logging turned on, it is also used by mod_status to display
various accumulated statistics. In the early releases this
scoreboard was contained in a file, as configured by
ScoreBoardFile. For better performance, most
operating systems support a way of sharing memory between
processes, either called "sys V shared memory" or "mmap". On
OSes where one or both of these is supported, Apache uses it
by default (this includes Solaris, SunOS, IRIX, HP/UX, AIX,
UnixWare and others).
However some OSes support shared memory but only in certain
releases or versions. If Apache defaulted to using shared
memory on these systems, some people would experience
problems, so Apache defaults to using the file method on
these systems. This includes Linux and SVR4 machines.
(Incidentally, many modern Linux systems support shared memory,
and it was made the default in 1.2b8 but this resulted in a
number of bug reports, so it is no longer the default).
Users of systems where shared memory is available should use
it, since it is much more efficient than using a file. Users
of Linux can use a new rule in the Configuration
file. If the LINUX_TWEAK rule is enabled then
Apache will be compiled to use shared memory. Users of SVR4
and other systems where shared memory is available should edit
conf.h and add the line
#define HAVE_SHMGET
in the appropriate operating system definition area. (The
other method of sharing memory, mmap, is enabled by the
HAVE_MMAP define in conf.h. Do not define both for the same
system).
PHP is a scripting
language embedded into HTML pages. It can be installed either as
a CGI program or an Apache module. A recent security advisory
concerns the use of the CGI PHP program. The security problem
relates entirely to the way the CGI program accesses the PHP
script to parse, which does not apply to the Apache module
version of PHP (where the script to parse is accessed within
Apache, and is subject to Apache's normal security
procedures).
Anyone using PHP with Apache should use the Apache module
version. Besides being more secure it is much more efficient
than launching the PHP program for each request. A security
update for the CGI version of PHP (which can be used with
other servers) will be available shortly.
Last week's issue included an example of how to prevent
people accessing .htaccess files. This was incorrect. The
correct version is
<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>