In this issue

Apache Site: www.apache.org
Release: 1.2.4 (Released 22^nd August 1997) (local download sites)
Beta: 1.3b3 (Released 20^th November 1997) (local download sites)

Apache 1.2.4 is the current stable release. Users of Apache 1.2.3 and earlier should upgrade to this version. The next release will be 1.3. A beta test release of 1.3 is available now for both Unix and Windows 95/NT systems.

These bugs have been found and fixed in 1.3b4.

Because of the major differences between Windows and Unix, these are separated into bugs which affect Windows systems only, and other bugs (which may affect Windows as well). Unix users can ignore the bugs listed in the Windows section.

Windows-specific Bugs

• The header line of the status module display did not match the columns underneath.
• Absolute paths (such as to AuthUserFile) were not properly recognised
• URLs passed on by the proxy module were being converted to lowercase
• Very long URLs could cause the server to crash
• The info module is not thread safe

Other Bugs

• RedirectMatch gone / can cause a core dump
• If the header part of a response is 256 bytes long, Netscape Navigator (all versions to 4.0b2) will not display the page. This was fixed in 1.2, but it seems that the problem also occurs with 255 byte headers.

Patches for bugs in Apache 1.2.4 may be made available in the apply to 1.2.4 directory on the Apache site. Some new features and other unofficial patches are available in the 1.2 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Also many common configuration questions are answered in the Apache FAQ.

Development has slowed down to prepare for the release of Apache 1.3. During the beta release cycle Apache is in a "feature freeze" where no new features will be added. The only changes from now on will be bug-fixes.

A busy week for Apache in the News, with three articles this week. In the first, a dubious survey shows Netscape is the most used server and Apache is only used on 8% of sites. This article is also highly inaccurate in describing Apache. The second report shows the significance of free software in today's Internet, while the third highlights one individuals contributions to Apache, but still describes Apache as "shareware".

The first article, from ZD Net's Internet Magazine mentions Apache the Web Servers part of its 10 Technologies You Need in 1998 article. However it manages to get almost everything about Apache wrong: Apache is described as "shareware", from an organisation having "13 directors", and is apparently "retreating" because people are moving from Unix to NT. All of which is wrong: Apache code is completely free (for commercial and non-commercial use, including re-sale, provided the license is followed), there is no Apache organisation, and the use of Apache according to the Netcraft server survey is still a very healthy 49.90%.

In addition to these factual inaccuracies, this article reports a dubious survey by Zona Research that gives Apache 8% of the Internet server market, Microsoft and 42% and Netscape 28% (the 8% figure does not appear in the online article, but is showing on a graph in the print version). These figures come from a survey of technology managers, and are unlikely to reflect the real use of Apache, if only because Apache does not appear as an expense within budgets. Zona research, incidently, produced a survey in August (as reported in Media Daily under Netscape Maintains Market Share) that gave Netscape 85% of the web server market (and 0% for Apache). Like ZD Net's reporter, these people do not seem to understand free software, or that in the real world people do use Unix for their servers.

Showing that reporters can understand the concept of free software, San Jose Mercury shows that There's money to be made in freeware. The article lists Linux, Apache and Perl as examples of free software that has made significant impact. It then shows how the FSF's Copyleft is designed to enable software to remain freely available by requiring users who modify software to make their modifications available. (Of course, Apache and Perl are not restricted in this way, and may be used in commercial products and resold under their own licenses).

The final news item, from Inter@ctive Week, lists The Top 25 Unsung Heroes Of The Net. At number 2 is Brian Behlendorf, one of the original Apache developers who started out patching up the old NCSA http server (hence the "Apache" name). Brian is still active in the group, and also provides and maintains the server used for development and master distrubution (www.apache.org). However Apache is written by a much larger group of people, a random selection of whom are listed in this article. But this article still makes the mistake of describing Apache as "shareware", which again shows that many reporters lump everything that is freely available as "shareware", despite the fact that it may be public domain, freely available, or commercial.

Microsoft have compared their IIS 4 beta 3 with Apache 1.2. Naturally they only list features which IIS has and the other surveys may not have - no features unique to Apache (such as language negotiation, URL typo correction and digest authentication) are mentioned. For some reason, they used Apache 1.2 rather than the latest beta for comparison, and Apache 1.2 does not even run on NT, so rather unsurprisingly it does not have support for the NT management console, NT event logging, integrated NT security, DCOM, ISAPI, Microsoft Message Queue, WinCGI, server-side ActiveX scripting or NT performance monitor.

The table of features starts with "browser-neutral host header support", which is unclear. If it refers to name-based (host-header) virtual hosts, then Apache has supported them for a long time, and supports them for all browsers which correctly implement the Host header. It then shows that Apache, a web server, does not support SMTP (mail server) or NNTP (news server) protocols, which is hardly surprising since it is a web server.

Besides being selective in which which Apache featrues are listed, the table has some inaccuracies and some dubious answers. The wrong answers are:

• Log to any ODBC database: Apache does not have this built in, but it is available through various means with additional modules
• Auto log closing and restart: Apache has this with the "rotatelogs" program, which is part of the distribution
• Language neutral server-side development: Apache fully supports arbitrary language negotiation on the server side.
• Compile-free server side scripting: obviously Apache supports this, via embedded SSI (or with additional modules, embedded perl, python and several other languages), plus of course any scripting language via CGI.
• Java Virtual Machine: Apache does not have this built in
• Online support: Apache is listed as "No", but online support is available through an open and accessible bug-tracking database (not available for IIS) and through direct access to the developers via a newsgroup (not available with IIS).
• Consulting, commercial support: listed as "No", but these are available through a variety of third-party organisations.

The approach taken with IIS, which is common to NT software, is to build as much as possible into the program. This can make it initially easier to use, but of course restricts upgrade paths and can prevent users configuring the server exactly how they want it. Traditionally on Unix, programs are designed to work with other programs, to allow maximum flexibility. Because of this, Apache has a lot of No's in its column compared to IIS, but the equivalent (and sometimes better) functionality is available from a variety of add-on products. Some of the answers that would turn to Yes's include log file analysers, SSL support, browser administration, data replication, publishing, link validation, full-text indexing and searching and commercial support.

Finally there are some dubious answers. These include

• Application and component process isolation: this is listed as Yes for IIS and No for Apache. Rather strangely it should be the other way around: Apache has much better process isolation than IIS. In Apache, even an error in a linked module causing a crash will not affect any requests in progress. On IIS, because it uses multithreading and overlapped IO, a faulty ISAPI extension can cause all current transactions to die. In IIS 4 you can provide process isolation for some applications, but this is a slower and optional.
• User authentication with encrypted passwords: Apache supports the standard "digest" authentication protocol to do this, whereas IIS does not (so there answer should be "No" in the IIS column of this item, not yes). IIS 4 can use NT Server authentication, but only with Windows 95 and Windows NT clients, whereas digest authentication can work with any standard-compiant browser (but, by a strange co-incidence, MSIE for example does not support digest authentication).
• Uses file security ACLs: Apache is listed as No because it does not support NT ACLs, but since it runs on Unix and not NT this is not surprising. The answer is Yes, Apache respects file access controls (indeed, Unix applications have to respect them).
• SSL, crypto and X.509 support: IIS is listed as Yes, and Apache as No. However IIS outside the US and Canada cannot support encryption at greater than 40 or 56 bits, which is easy to break. So IIS security support outside the US is, for practical purposes, non-existant. Because of the same export rules, Apache does not have encryption build in, however both free (Apache-SSL) and commercial (Stronghold and others) versions of Apache support full-strength encryption world-wide. The IIS answers for all encryption items in the table should be noted as being insecure anywhere except the US and Canada.

It is good to see, however, that Microsoft at least are taking Apache seriously as a potential competitor in the web server market unlike some of the press reports in recent months.

And finally, a Merry Christmas to everyone from all at Apache Week. The next issue will be on the 9^th January 1998.