In this issue

Release: 1.2 (Released 5th June 1997) (local download sites)
Beta: None

Bugs in 1.2:

• If an Apache module or a script called from an embedded module (e.g. mod_perl or mod_php) changes the current locale, the log file can log month names in the new locale, confusing log analysers.
• <Location> sections inside <VirtualHost> do not override <Location> sections in the main server. This is different to almost all other directives, and means that virtual hosts cannot override <Location> sections defined in the main server. Because of partial matching of the URL, a section like <Location /> in the main server will override all <Location> sections in the virtual host.
• The scoreboard display from mod_status shows the parent pid in slots where the child is dead. This can be confusing, and has been replaced with dash for dead child pid.

Patches to Apache 1.2 bugs will be made available in the 1.2 patches directory on the Apache site. This directory also includes some minor new features which did not make it into the 1.2 release. For details of all previously reported bugs, see the Apache bug database and Known Bugs page. Many common configuration questions are answered in the Apache FAQ.

An update to 1.2 will be released shortly. This is 1.2.1, which fixes a few relatively minor bugs in 1.2. There are also some security fixes which are important if you do not trust all your local content providers. Note that these security issues cannot be exploited remotely - they are only relevant if you do not trust all the people who can create content on your server.

The main bugs fixed in 1.2.1. are:

• Some security fixes to ensure that Apache only serves up the contents of directories, files or symlinks and not (for example) pipes or named sockets. This could be used by untrustworthy local users to implement a form of CGI even if CGI permissions are disabled. Other security fixes prevent directory indexes from including files outside the current directory (with HeaderName and ReadmeName) or from using symlinks in directory indexes or type-map files if disabled by the configuration.
• Prevent Apache running as user root for security reasons.
• Work around problems with third-party libraries which cannot use high-numbers file descriptors.
• Work around problem in Solaris 2 which cannot use streams with file descriptors about 256.
• Better logging of Unix system errors
• Fix content-negotiation to use smallest of equally acceptable variants, or if all else equal, to use the first listed variant
• Various portability fixes or updates from AIX 4.2, Unixware 2.1.2, NonStop-UX, ConvesOS 11.5, Ultrix with DEC compiler, Maxion/OS SVR4.2 Real Time Unix, AIX 3, SCO with gcc.

The next release of Apache should be 1.3, with support for Windows 95 and Windows NT as well as some new features. If more bugs are found in 1.2.1 there may also be a version 1.2.2 at some point

The July Netcraft Server Survey shows that over 512,000 sites on the Internet now use Apache. That is 43% of all sites surveyed. The next most widely used server, Microsoft's IIS, is used at 186,000 sites, or 17% of the total.

Although the number of sites running Apache, Microsoft and Netscape servers increased in absolute numbers, only Microsoft increased in percentage share (by 0.24%). Apache went down by 1.21%. However many sites are running Apache with slightly different server labels (since the source code is available, sites can change the server label which means it will not be identified by the survey as Apache). There are probably lots of sites using Apache under a different name.

For example, there are servers based on Apache with server labels such as "-Apache", "Apache-SSL-US", "Apache-SSL", "InfoWest-Custom-Apache", "Apache-NeoWebScript". There are also Apache servers with labels which do not mention Apache, such as "RapidSite" which is a customised version of Apache. In fact, RapidSite runs on 27,860 sites which accounts for 2.3% of the whole survey. When added to the overall totals for Apache it gives Apache a market share of 44.93%. So the figures for Apache use and percentage as given in the survey should be taken as absolute minimums, and the real number of sites using Apache or Apache-based servers will be higher.

Unless otherwise noted, all the new features discussed here are planned for Apache 1.3 and not Apache 1.2.1.

Apache is normally started as root, and each child process then runs as a different user specified by the User directive. However it is currently possible to specify root as the argument to User. This is potentially very insecure, since any flaw in the server or CGIs run from the server could give outsiders unlimited access to the server machine. Since it is a bad idea to specify User root, Apache 1.2.1 and 1.3 will both refuse to run as User root (Apache can still be started by root).

This restriction can be overridden with an explicit compile-time option on EXTRA_CFLAGS in the Configuration file.

When Apache runs it creates multiple children who all wait for a new incoming request. On some systems the children go straight into a system accept() call, and the OS decides which one to use for each request. However many systems do not work properly like this, so Apache implements its own locking to ensure that only one child is doing an accept() at any given time. This works by creating an empty "lock file" and the child in the accept() call locks this file, while the other children wait for the lock to be removed. In all previous releases of Apache, the lock file is located in /var/tmp or /usr/tmp (depending on the operating system).

In new releases the lock file will be created by default in the logs directory under the server root (the same place as the default PID file and logs) and will be called accept.lock.pid. The location and filename can be changed with the new LockFile directive. (This is part of Apache 1.2.1).

When a new TCP connection arrives for the server the operating system adds it to a "listen queue". Normally the size of this queue does not need altering. However there may be some situations when it is desirable to alter it - for example, if your server is being targetted by a TCP SYN denial of service flood. The new directive is called ListenBacklog and defaults to 511 if not given (although some OSes will reduce this to a smaller value). See your system's manual page description of the second argument to listen() for more details.

At each phase of handling a request, Apache tries to call a corresponding function in all modules. Many modules do not install handlers for most stages, so much of the time the Apache code is just checking if a callback function is NULL. A proposed speed-up is to analyse all the callback functions and build lists of only the non-NULL callback functions for each module API phase. This results in faster execution of the callbacks since Apache does not have to iterate over the NULL entries in the module definitions. Since the code which checks for callbacks is called very often (once for every callback in each request) a speed-up here can have a real effect on overall performance.

The way that Apache handles <Directory> sections can also be optimized. At the moment it checks every <Directory> section against all components of the path of the request resource. An optimisation is to only match directories against <Directory> sections with the same number of path components.

When spawning children with spawn_child_err() a module can determine how the child should be killed when the request is over. If a child is to be killed it is sent a TERM signal, then three seconds later a KILL. Some child processes may take longer than three seconds to exit, so a new option has been added to prevent the sending of the KILL.

Module functions can now return the status DONE as well as OK, DECLINED or HTTP error status. DONE indicates that the module function has finished all processing for this request (i.e. send back a response) so no more output is needed.

A new defined constant is available, APACHE_RELEASE_DATE which gives the date that Apache was released. Modules can use this at compile time to determine what functionality exists in Apache for this particular version.

The core Apache code can now use sfio replacement for stdio. The normal standalone_main() can also be replaced.

The Configuration option EXTRA_LFLAGS has been renamed EXTRA_LDFLAGS in 1.3. This is because "LFLAGS" can have a special meaning to Unix makefiles (it gives options for the lex command), but was being used for options to the linker. The proper name for options to the linker in LDFLAGS.

In early betas of 1.2 there were problems with large numbers of connections going into a FIN_WAIT_2 state. If the operating system did not time out these connects it would eventually fill the network buffers and cause the machine to crash. The Apache code was extensively modified to minimise the number of FIN_WAIT_2 states. However it is still possible for connections to go into this state due to the action of the client or the network. This is more likely to happen when keepalives are being used, so for operating systems without a FIN_WAIT_2 timeout (such as SunOS 4) it is recommended that keepalives are turned off with KeepAlive off.

All documents returned from a web server have to have a "Content Type" (often also called a "mime" type). This is normally obtained from the file extension, using "mime.types" file or the AddType directive to map the extension onto a proper mime type. If there is no valid extension that Apache knows about, it will use the default type as specified by DefaultType.

On some sites it might not be possible to give files the correct extension. In this case the default type will be used. But in many cases the correct content type could be guessed at by looking inside the file. A new module, mod_mime_magic does this. It is based on the standard Unix program file which identifies the type of a file based on its contents.

Wired News reports in Software Wants to be Free that "It's no secret that Apache is the most powerful, the most flexible, and the best Web-server software on the market"