In this issue

Apache Site: www.apache.org
Release: 1.3.1 (Released 22^nd July 1998) (local download sites)
Beta: None

Apache 1.3.1 is the current stable release. Users of Apache 1.2.6 and earlier should look at upgrading to this version, which provides additional features and has been subject to extensive testing.

The bugs listed below now include a link to the entry in the Apache bug database where the problem is being tracked. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

These bugs have been found in 1.3.1 and will be fixed in the next version.

Because of the major differences between Windows and Unix, these are separated into bugs which affect Windows systems only, and other bugs (which may affect Windows as well). Unix users can ignore the bugs listed in the Windows section.

• In an IfModule directive, placing a space between the ! and the module name will cause the IfModule section to always be executed. For example <IfModule ! modname.c> instead of <IfModule !modname.c>. The same problem occurs with <IfDefine ...>. From the next release, an error will be given if there is a space after the !.
• IIS servers seem to commonly generate invalid responses. In particular, they can issue multiple status lines (the "HTTP/1.0 200 OK" line) in amongst the response headers. This caused the proxy to core-dump. Since this is so common, the proxy module now accepts multiple status lines, logs the error, and handles the response as if it was valid. PR#2914.
• Configure failed to recognize some versions of SCO OpenServer, since they return the output of uname in a different case to other versions of this OS.

Patches for bugs in Apache 1.3.1 will be made available in the apply_to_1.3.1 subdirectory of the patches directory on the Apache site. Some new features and other unofficial patches are available in the 1.3 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

The ability of the proxy module to proxy FTP requests has been improved. It now displays the current directory, if it is different from the directory supplied. Also if the username and password provided fail, it will prompt for a new username and password from the browser (by sending a 401 response to the client). This can avoid having passwords in the log file.

The proxy module will also support the HTTP/1.1 Via: header. This puts a header into the response, so clients can see if their request went via a proxy. This can be turned off with the ProxyVia directive.

Also, the proxy module now supports the HTTP/1.1 Max-Forwards: header, to allow TRACE requests to trace the proxies that a request goes through (provided the other proxies support Max-Forwards: as well).

If an ErrorDocument is handling a particular error, it can often find the error message in the ERROR_NOTES environment variable. Now if the error was caused by a bad CGI, the ERROR_NOTES will include the reason, such as "Premature end of script headers".

.htaccess files typically exist under the document root directory, so can be accessed via clients with the appropriate URL. However the files may contain information which should not be made public, such as the loation of corresponding htpasswd files, or rules for allowing or denying access.

One way to prevent clients seeing .htaccess files is to disable access to the particular filename. For example:

  <Files .htaccess>
  order allow,deny
  deny from all
  </Files>

From the next release of Apache, these lines will be included in the distributed srm.conf file.

ZDNet wrote about how a Microsoft executive is reacting to free software developments such as Linux and Apache. In Ballmer: Microsoft taking notice of free rivals Linux, Apache, the Microsoft president is quoted as saying he is "worried" about the growth of open-source operating systems, but that at the end of the day the total cost of a project is more important than whether the software is free.

This article is followed by a large number of reader responses.

The agenda for the upcoming Apache Conference is now available, with details of most of the sessions. This is the first ever conference dedicated to the Apache web server, and is being run by the Apache Group, with organisation and sponsorship by various commercial companies. It is aimed at both Apache developers and Apache users.

The conference will feature four tracks, covering dymanic content, performance tuning, security and case studies. There will also be a trade show.

The dynamic content track shows how to use Apache to run efficient dynamic sites. There are many ways to do this with Apache, and the track will feature talks on using PHP, Java (via mod_jserv) and Perl (via mod_perl). There will also be a talk on writing an Apache module directly in C.

The performance track will show how to tune your Apache configuration for the best performance. OS experts will also show how to tune Linux, FreeBSD and Windows NT for best web-serving. There will also be a talk about the current state of development of graphical configuration tools for Apache.

The security track will introduce the security concepts, including the new TLS specification for secure transactions (the successor to SSL). Other sessions will cover securing Unix systems and potential problems with running secure web servers.

The final track will offer case studies of how a variety of organisations are using Apache as their web server. The talks will cover practiical aspects of configuring and using Apache.

For more information, see www.apachecon.com.