In this issue
This is a double issue, covering two weeks' development
activity because there was no Apache Week last week (August
7th). This was due to moving office over that
weekend, which meant that network access was disrupted for
several days.
Apache Site: www.apache.org
Release: 1.3.1 (Released 22nd July 1998)
(local download sites)
Beta: None
Apache 1.3.1 is the current stable release. Users of Apache
1.2.6 and earlier should look at upgrading to this version,
which provides additional features and has been subject to
extensive testing.
The bugs listed below now include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
developers.
Bugs in 1.3.1
These bugs have been found in 1.3.1 and will be fixed in the
next version.
Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.
Windows-specific Bugs
- CGI scripts do not work if the interpreter pathname (on the
  initial #! line) includes spaces. PR#2495.
Other Bugs
- Multiple white space characters in the configuration files
  or .htaccess files were being compressed to a single space
  (even within double-quoted strings).
- In previous releases, when suExec was enabled within Apache
  a message was printed to confirm this when Apache started.
  In 1.3.1 this message was not printed. It will be in the
  next release. PR#2761, PR#2765.
- The Rule IRIXN32 Configuration option for Irix systems was
  being ignored. PR#2736.
- Messages in the error_log did not contain the client IP
  address, but they used to in Apache 1.2.*. PR#2661.
One way of attacking a public web server is to send it very
large amounts of data in a request. This could be a very long
URI, a large number of headers, or a large body. Sending
large amounts of data would cause the memory usage of the
Apache child process to increase in proportion to the amount
of data, eventually using all available resources and causing
other processes to be swapped to disk, slowing the system.
This is a "denial of service" attack, since it can affect the
normal operation of the server, but does not give any access
to the server system.
The next version of Apache will include directives which can
be used to limit the size of various parts of a request. This
will be configurable because the amount of data a site can
accept or is prepared to accept will vary considerably. For
example, sites which allow uploads of large files will want
to allow large request body parts, but sites with only small
POST forms may only want to allow small body parts.
The new directives are:
- LimitRequestLine, which limits the size of the first line of
  the request (the line that includes the request URI).
- LimitRequestFields, which limits the number of header lines
  in the request.
- LimitRequestFieldsize, which limits the size of each header
  line in the request.
- LimitRequestBody, which limits the size of the body part of
  the request.
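The four limits applied to a request head, as an added example that is not Apache's own code: struct req_limits, check_request and the status codes returned are assumptions of this sketch, and the sample request is constructed. It checks a buffer already in memory; a server gets the memory saving by applying the same tests while reading from the socket, so oversized input is rejected before it is stored.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits, one per directive; values are set by the caller. */
struct req_limits {
    size_t line;      /* LimitRequestLine: max bytes in the request line */
    int fields;       /* LimitRequestFields: max number of header lines */
    size_t fieldsize; /* LimitRequestFieldsize: max bytes in one header line */
    long body;        /* LimitRequestBody: max body bytes, 0 = unlimited */
};

/* Case-insensitive prefix match; header names are not case sensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix)
        if (tolower((unsigned char)*s++) != tolower((unsigned char)*prefix++))
            return 0;
    return 1;
}

/* Check a request head (CRLF lines); returns 0 or the HTTP status to send. */
int check_request(const char *head, const struct req_limits *lim)
{
    const char *p = head, *eol;
    int nfields = 0;
    long clen = 0;
    for (; *p; p = eol + 2) {
        if ((eol = strstr(p, "\r\n")) == NULL) return 400; /* unterminated */
        size_t len = (size_t)(eol - p);
        if (p == head) {                      /* request line */
            if (len > lim->line) return 414;
            continue;
        }
        if (len == 0) break;                  /* blank line ends the headers */
        if (len > lim->fieldsize || ++nfields > lim->fields) return 400;
        if (has_prefix_ci(p, "Content-Length:")) clen = strtol(p + 15, NULL, 10);
    }
    if (clen < 0) return 400;
    if (lim->body > 0 && clen > lim->body) return 413; /* refused before reading */
    return 0;
}

int main(void)
{
    struct req_limits lim = { 8190, 100, 8190, 102400 }; /* constructed values */
    printf("%d\n", check_request("POST /f HTTP/1.0\r\nContent-Length: 5000000\r\n\r\n", &lim));
    return 0;
}
```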
Patches for bugs in Apache 1.3.1 will be made available in
the apply_to_1.3.1 subdirectory of the patches
directory on the Apache site. Some new features and other
unofficial patches are available in the 1.3
patches directory. For details of all previously reported
bugs, see the Apache bug database and
known
bugs pages. Many common configuration questions are
answered in the Apache FAQ.
STATUS compile time option replaced by a directive
The STATUS option in
the Configuration file currently determines the amount of
information recorded for use by mod_status on the status page. This
can be set at compile time. From the next release, this
option has been removed. Instead the extra status information
can be recorded by setting a new run-time directive,
ExtendedStatus.
mod_speling to work at per-directory level
The mod_speling module has been enhanced so that the
CheckSpelling directive
works on a per-directory basis. This means it can be used
inside <Directory> containers and
.htaccess files.
EMX Defines changed to OS2
Code specific to OS/2 is currently surrounded by #ifdef __EMX__...#endif blocks. EMX is the name of a
compiler used on OS/2; however, most of these blocks
are specific to OS/2 rather than to the EMX compiler. From the
next release, the OS/2 specific blocks will use the constant
OS2 instead of
__EMX__.
Module Magic Number Scheme Changed
The "module magic number" is used to ensure that the version
of a module matches the version of Apache that it is being
used with. Previously this was a single number, which was
updated whenever the module API changed. Updating this number
meant that all modules had to be recompiled to work with the
newer version of Apache. However some modifications, such as
adding a new API function, would not stop old modules from
working, so recompilation should not be required.
From the next release, the module magic number will come in
two parts: a "major" version number, which will be updated
whenever a change is made that means that modules have to be
recompiled, and a "minor" version number that will be
incremented to mark additions to the module API. The major
version will be used to check whether a pre-compiled module
will still work with Apache. The minor number can be used by
modules to see if new functionality is available to them. The
module magic number and a list of past changes will be
contained in the new file src/include/ap_mmn.h.
For the first time, the Netcraft Server Survey shows that
Apache is used by more than half of the world's servers.
Apache is now used on 50.35% of the servers surveyed, up
0.66% from last month. By comparison, Microsoft servers are
used on 22.69% of sites (down 0.01%) and Netscape's on 8.22%
(down 0.19%). If servers which are based on Apache but which
have changed their "Server" identification are also included,
then Apache code is used on 54.99% of servers (up 0.61%).
The Apache
Reference Card has been updated to include all the Apache
1.3.1 functionality. This "card" is available as postscript
and PDF files for printing onto a single sheet or six
separate pages, in either US letter or A4 size.
The Apache Group is organising the first ever conference
dedicated to Apache, which will be held in San Francisco this
October. ApacheCon 98 is aimed at both Apache developers and
Apache users. The tracks planned for the conference cover
dynamic content, performance tuning, security and case
studies. The conference will also feature a trade show.
For more information, see www.apachecon.com. As
well as attending, there are opportunities to exhibit at the
trade show, become a sponsor, or submit a paper to be
presented.
This new section contains short announcements of jobs which
require significant Apache experience. If you have a
suitable job announcement, send the text or HTML (less than a
hundred words plus a URL) to editors@apacheweek.com.
We reserve the right to refuse any announcement.
Solaris / Apache Technical Engineer (France)
Web hosting company seeks Solaris / Apache technical
engineer. Part time hours. Good knowledge in UNIX, Perl,
Frontpage98 administration and DNS. Reply in confidence to:
gtie@club-internet.fr.
attn: Apache job posting