CERN httpd 2.17beta released

Ari Luotonen (
Tue, 5 Apr 94 06:36:02 +0200

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CERN httpd is a generic hypertext server which can be used as a
regular HTTP server running typically on port 80 to serve hypertext
and other documents, and also as a proxy -- a server on a firewall
machine -- that provides with access for people inside a firewall to
the outside world. When running as proxy httpd may be configured to
do caching of documents. Caching is still in beta test phase.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CERN httpd 2.17beta is released, source code from:

This package includes EVERYTHING, so don't ftp the libwww.
Precompiled binaries are supplied for:

Fat NeXT-386:
DecStation Ultrix:

Precompiled binaries are all in cern_httpd_bins.tar.Z, which also
includes a default set of icons, and sample configuration files for
normal and proxy use. README file is now also up-to-date, and may be
useful reading.

For Sun4 there is also a cern_httpd_bins-lresolv.tar.Z which contains
an httpd linked with the -lresolv option.

Compilation for other Unix platforms should not be very complicated.
I would be happy to receive diffs, if any, to make it compile for
other platforms. Also binaries other than those already on are welcome.

Current VMS version is 2.16beta.

Documentation in:

and a PostScript version [68 pages]:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


General New Features

* PUT and POST can be configured to be handled by external CGI
scripts; PUT-Script and POST-Script directives
* BodyTimeOut for timing out scripts waiting for input that never
comes from clients
* IdentityCheck directive to turn on RFC931 remote login name
* REMOTE_IDENT for CGI giving remote login name; this was the only
feature missing to be fully CGI/1.0 compiant
* CGI/1.1 upgrade:
+ all the headers without a special meaning to CGI from CGI
scripts get passed to the client
+ Status: header to specify the HTTP status code and message
for client when not using NPH scripts
+ all HTTP request header lines which are not otherwise
available to the scripts get passed as HTTP_XXX_YYY
environment variables
* Understands conditional GET request with If-Modified-Since header
* kill -HUP causes httpd to re-read its configuration file
* PidFile directive for specifying the file to write the process id
[makes it easy to send the HUP signal
* ServerRoot directive to specify a "home directory" for httpd
* Directory listings with icons; by default icons are in icons
subdirectory under ServerRoot
* The precompiled binaries are distributed in a tar packet that
contains a set of default icons; the easiest way to configure the
icons is to just set the ServerRoot to point to the binary
distribution directory [its name is cern_httpd]
* Welcome directive to specify the name of the overview page of the
directory; default values are Welcome.html, welcome.html and, for
compatibility with NCSA server, index.html. Use of Welcome
directive will override all the defaults.
* AlwaysWelcome directive to configure if /directory and /directory/
are to be taken to mean the same thing, or should only /directory/
be mapped to the overview page and /directory produce the
directory listing.
* /~user causes an automatic redirection to /~user/
* Now gives also the Date: header.
* Port directive to config file specifying the port number to listen

Access Authorization Enhancements / Proxy Protections

* Now also domain name templates, like *, can be used in
specifying allowed hosts, not only IP number masks
* ACLOverRide directive to allow ACLs to override the Masks set in
the protection setup [without this feature ACLs cannot allow
anything more than what the Masks allow, only restrict access
further]. This directive disables Mask checking if an ACL file is
* Since setting up protection seemed to be unnecessarily hard, it is
now possible to give the protection setup in the main
configuration file instead of having to use a different file; it
is still ok to use a different file.
+ Protection directive defines a protection setup and
associates a name with it:

Protection prot-name {
AuthType Basic
ServerId Test-Server
PasswdFile /where/ever/passwd
GroupFile /where/ever/group
UserId someuser
GroupId somegroup
GET-Mask list, of, users, and, groups
POST-Mask list, of, users, and, groups
PUT-Mask list, of, users, and, groups

The content between the curly braces is the same as used to go
the the protection setup file. What's new is the possibility
to specify the UserId and GroupId for the clild process when
serving the request in protected mode. This is not possible
with external files for security reasons [it is not possible
inside the external file, but it is not possible if the ids
are set when calling that file; see doc for more details].
+ A single Mask directive for cases when GET-Mask, POST-Mask
and PUT-Mask are the same.
+ In Protect rule the prot-name is specified instead of the
file name; what's more is that Protect can now be used to
protect also proxied URLs:

Protect http:* prot-name
Protect ftp:* prot-name
Protect gopher:* prot-name

Enhancements, Fixes

* Incorporated Ian Dunkin's <> SOCKS modifications
(thank you, Ian!); read the README-SOCKS file in the source code
distribution for more information.
* SIGPIPE causes a normal child to exit; proxy child will correctly
stop writing to client socket but still writes to cache file
[previously just kept on writing to the socket, too]
* 401, 402, 403, 404 errors don't go to error log anymore
* error log contains now the host name and request
* no longer sends Content-Transfer-Encoding, we agreed upon using
Content-Encoding for compression
* fixed funny panic message from format module in verbose mode even
though everything was ok [only aesthetic]
* now gives again "not authorized" rather than not found if trying
to access a protected but nonexistant file; this way even
filenames don't leak
* all time specifications in configuration file have more readable

1 year
2 months
3 weeks 2 days
5 days 20 hours 30 mins 2 secs
2 weeks 20:30

* Case-sense bug with LogTime, LogFormat, DirAccess and DirReadme
fixed; now paramters really are handled in a case-insensitive

Proxy Additions, Fixes

* Proxy protections, see above
* Made proxy do smart guesses about the content of an unknown file
while retrieving from the remote; this will end the problems of
some files not being transferred to WinMosaic or Lynx. IMPORTANT:
Everybody, remove the rule [if you have it]:

AddType *.* text/plain

because it would disable this smart feature.
* Fixed a bug with unknown binary gopher files being truncated
* Fixed the bug with trailing slashes in ftp directory listings
* Fixed the bug with requests not being URL-encoded when forwarding
the request
* Fixed a bug with filenames in directory listings not being
* Fixed stupid "mail-us" situation in certain situations when ftp
load fails

Proxy Caching

* Cache is refreshed using the conditional GET method [use of
If-Modified-Since header]
* Standalone cache mode with CacheNoConnect directive [causes an
error rather than document fetch when the document is not in the
* Possibility to disable garbage collection altogether
* Possibility to disable expiry checking
* Caching Off to explicitly turn off caching even if there are other
caching directives specified
* -gc_only command line option to do garbage collection as a cron
job for sites that run httpd as a proxy from inetd. However, since
httpd now re-reads its configuration files when it receives a HUP
signal, it makes standalone operation now even more easy, and
inetd should no longer be much more convenient.
* Host names are converted to all-lower-case to avoid doing multiple
caching for a single site.
* Files expiring immediately never get written to the cache; not
even part of it.
* By default HTTP-retrieved documents without an Expires: and
Last-Modified: field never get cached [because they are usually
generated by scripts and should never be cached]; therefore I
strongly advice against the use of CacheDefaultExpiry for HTTP.
* Caching control directives have changed to take a URL template as
a first argument, and a more readable time format:

CacheDefaultExpiry ftp:* 2 weeks 4 days
CacheDefaultExpiry gopher:* 6 days
CacheUnused http:* 1 month
CacheUnused ftp:* 2 weeks
CacheUnused gopher:* 1 week 5 days 2 hours 1 min 30 secs

* Made the expiry date approximation configurable; by default
documents with Last-Modified: but without Expires: expire after
10% of the time that they have been unmodified.
CacheLastModifiedfactor can be used to change this value, or turn
this feature Off. Default value is 0.1 [=10%].
* Understands yet another date format:

Thu, 10 Feb 1994 22:23:32 GMT

This date format is not conforming to the spec, so use of it is
discouraged! This is only to make the proxy more robust.
* NoCaching directive to prevent certain URLs from being cached at
* Time margin to get rid of problems with machine clocks having
inaccurate times and confusing caching.
* GcDailyGc to specify a daily garbage collection time, by default
3:00. [Can be turned Off, too.]
* Now possible to disable GcReqInterval and GcTimeInterval [by
default disabled].
* Expired cache lock files get removed also during gc.
* CacheAccessLog to specify a different log file for cache accesses;
also possible to make a separate log for each remote host.


A new product cgiutils for producing HTTP1 replies from CGI scripts,
and for easily generating the Expires: header given the time to live,
e.g. "2 weeks 4 hours 30 mins". See:

This is a pair for the cgiparse program used to parse the input for
CGI scripts:

 Ari Luotonen		  | Henrik Frystyk		| Mark Donszelmann  |	|
 + 41 22 767 8583	  | + 41 22 767 8265		| + 41 22 767 3555

-------- World-Wide Web Project, CERN, CH-1211 Geneve 23, Switzerland --------