July 5, 1996

The major news this week has been the release of Apache 1.1. This is the end result of several months of beta testing, and represents a major upgrade in functionality since the 1.0 series. This issue of Apache Week is devoted to covering 1.1. We have also written a detailed guide to the changes in 1.1, with links to the full Apache documentation: check out our Guide to 1.1.

New in 1.1

Apache 1.1 implements persistent connections using Keep-Alives. It can handle virtual hosts without using additional IP addresses. The main server can listen to specified IP addresses and/or ports, and it can listen to more than one at once.

New modules provide details of the current configuration and the server's running status. Other new modules implement a means of passing environment variables to CGI programs, permitting 'anonymous' access to authenticated areas, and the use of more secure 'digest' authentication.

Internally, Apache now implements 'handlers' as a means of identifying processing to be applied to requests, which was previously done by using special 'magic' mime-types. CGI programs can now be called for particular extensions (mime types) or for a given request method (e.g. to implement a PUT script).

An initial proxy cache module is included, but the code hasn't been as fully tested as other parts of the server, so might still be a little unstable. The imagemap module has been overhauled, providing new directives and functionality.

It is now possible to turn off resolving hostnames at run time, and to use ErrorDocument and Redirect in .htaccess files.

Upgrading from Previous Versions

Upgrading to 1.1 is mostly a case of download the new server (either binary or source followed by compilation) and replacing the old binary. Then the new features can be tried and used. The following is a list of changes to existing functions that might affect a site.

• <Limit>
  The <Limit> directive now applies only to methods explicitly listed. Previously it applied to all methods. Any sites relying on this unexpected effect might need to update their configurations. For example, the directive <Limit POST> used to limit GETs as well. If the intention is to limit GETs, it will need updating to <Limit GET POST>.
• AuthUserFile
  In an effort to make .htpasswd files more secure, the AuthUserFile directive should now be given a full path file. Previously a filename could be given, should was assume to reside in the current directory. Since this is below the document root, it meant that the .htpasswd file itself could be retrieved by anyone.
• XBitHack
  XBitHack behavour now only applies to files on type text/html. Previously files on any type would be parsed for includes, including binary files. This prevents this happening, but might affect unusual sites which use includes in files other than text/html.
• Imagemap
  The imagemap cgi-bin program is no longer distributed. The built-in imagemap module should be used instead.
• Scoreboard File
  The record of child processes (the scoreboard) is no longer stored in a file on most systems. On systems which implement shared memory, the scoreboard is now kept in memory, which should result in better performance. This means that the httpd_monitor program has nothing to monitor, and should not be used. Some systems cannot use shared memory, so these will continue to use a scoreboard file.

Bugs

• Redirect in .htaccess problems
  Using the Redirect directive in .htaccess files does not work properly. Using Redirect in the server configuration files works fine, so this will only affect people making use of the new ability to put Redirects into .htaccess files. Because of the bug, this should not be done.
• Cookies log format
  The user tracking module, mod_cookies, can output incorrect log lines.