In this issue

The new beta, 1.3b6, was released on Monday 20^th April. It is available as both source (for Unix), and a single-file installer for Windows. On both Unix and Windows the installation of this beta could overwrite configuration files and files under the htdocs directory, so be careful to either backup you current configuration or install to a new directory. Available from local download sites.

Apache Site: www.apache.org
Release: 1.2.6 (Released 24^th March 1998) (local download sites)
Beta: 1.3b6 (Released 20^th April 1998) (local download sites)

Apache 1.2.6 is the current stable release. Users of Apache 1.2.5 and earlier should upgrade to this version since it fixes a number of bugs and potential security problems.

These bugs have been found in 1.3 and will be fixed in the next beta (1.3b6)

Because of the major differences between Windows and Unix, these are separated into bugs which affect Windows systems only, and other bugs (which may affect Windows as well). Unix users can ignore the bugs listed in the Windows section.

Windows-specific Bugs

• The proxy and speling modules do not load on Windows 95. PR#1462.
• Configuration files are overwritten by the installer. PR#2118.
• Not all the timefmt tokens are supported in SSI directives. PR#2061.

Other Bugs

• Some debug messages may be printed when Apache starts, even if the LogLevel is set to a higher level.
• The new make install target may overwrite existing installed files within the cgi-bin and htdocs directories. It will overwrite any existing mime.types file in the installation target configuration directory (normally conf within the server root). PR#2084.
• The argument to CoreDumpDirectory can now be relative to the server root.
• Use of both --compat and --prefix with the new configure can conflict, with the prefix being ignored. PR#2128.

Patches for bugs in Apache 1.2.6 may be made available in the apply_to_1.2.6 subdirectory of the patches directory on the Apache site (this directory may not exist if no patches are available). Some new features and other unofficial patches are available in the 1.2 patches directory (these may not apply cleanly to 1.2.6). For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

Development has slowed down to prepare for the release of Apache 1.3. During the beta release cycle Apache is in a "feature freeze" where no major new features will be added.

A new command line argument has been added for the next release which will make Apache display the virtual host settings it has read from the configuration file. This may be useful when debugging problems configurating virtual hosts. The new option is -S.

Files with particular extensions are mapped onto internal "handler" names with the AddHandler directive. This handler name is used to select which module will send the response back to the client. However if no module is available for a particular handler string, the default "core" module will send the file to the client. This might be a problem, and from the next release this will be logged as a warning.

For example, SSI's are normally enabled with a line like:

  AddHandler server-parsed shtml

The mod_include module is responsible for sending files mapped to the "server-parsed" handler. However if Apache is compiled without mod_include, or if this module is designed to be loaded dynamically but that fails, the files will be sent back by the default handler, resulting in the client seeing the embedded SSI directives. From the next beta, this situation would result in this new warning: "handler "server-parsed" not found, using default handler for: filename"

On every response, Apache includes its name and version number. All servers do this, and it is often used by surveys to analyse which web servers are in use (for example, Netcraft's server survey). Some larger modules also add their name and version number to server version, for example, mod_perl and mod_php. This is done when Apache is compiled. However now that dynamic modules are required on Windows, and becoming more widely used on Unix, the Apache module API will be extended to let modules add their information when they are loaded, without having to recompile Apache.

There has also been some discussion about adding information about the operating system, for example, identifying Windows, Unix or OS/2 systems. This would enable surveys to find out how the use of Apache on these three types of operating systems varies. In the past the inclusion of OS specific information on the server response has been considered a possible security problem, however there are other methods to determine if a remote system is (say) Windows or Unix based. So it is possible that a future release of Apache will allow the inclusion of the OS type on the server version, as a user-configurable option.

Dynamic loading of modules will by supported on OpenBSD systems from the next beta release.

Performance Computing contains an article about The Apache HTTP Server. This article treats Apache seriously, and gives a farirly realistic assessment of its strengths and (particularly for Windows) weaknesses. It does however describe Apache code as being under the GPL license, where as in fact Apache is under a license much closer to the less restrictive FreeBSD license. For example, the Apache license allows for commercial use of the code in products which are not themselves available as source-code, subject to an "advertising" clause.