Apache 2.0.44 Released 198
rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between a development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.
Here are some major differences (Score:5, Informative)
Actually a great article as a whole [aceshardware.com]
Re:What exactly are the differences... (Score:5, Informative)
Re:Who's using Apache 2? (Score:5, Informative)
We do on several of our servers. The main reason is that it's much, much easier to build an Apache server with SSL support on Apache 2 than it is on Apache 1.x, particularly if you're adding additional modules on top.
Re:Outsider Perspective (Score:5, Informative)
Apache 2.0... has new features built into it, however, it is still relatively new. And some bugs are still lying around here and there. I reverted to 1.3 because of serious bugs in the PHP module (in version 2.0.1x,
Apache 1.3... is "old", but has built a solid userbase because of this age factor. It is also proven reliable and stable code.
Re:Outsider Perspective (Score:4, Informative)
Re:Outsider Perspective (Score:5, Informative)
I was quite excited with 2.0.43 but ended up back at 1.3.27 because PHP 4.2.3 (haven't tried 4.3.0 yet) made Apache unstable, specifically when calling an 'apachectl restart' which made my pager go off due to the server segfaulting at 4am during logrotate. In my testing, it was PHP that caused this instability.
Also, with 2.0.43 I couldn't get it to build with anything but the OpenSSL package, which on my box was 0.9.6b (hole!) but I couldn't get it for the life of me to look at an alternate install of 0.9.6h.
2.0.44 will perhaps fix these problems.
Re:What exactly are the differences... (Score:3, Informative)
Production releases are more
- fully qa'd
- apache is more accountable if something goes wrong
- steady documentation
Dev versions are more
- unstable, they can have serious errors
- experimental, and have features that might be thrown away
- not fully documented, so using the greatest might be hard
- use at your own risk, it is a sandbox for development, not production quality
Apache 2.x and PHP and mini-howto (Score:5, Informative)
MOD PARENT DOWN (Score:4, Informative)
Re:Still no SSL for Windows (Score:5, Informative)
http://marc.theaimsgroup.com/?l=apache-httpd-de
IANAAD (I am not an Apache developer), so don't kill me if I'm wrong, but that's what I read from the mailing list...
THERE IS SSL Apache 2.0.4x for Windows!!! (Score:5, Informative)
Actually, the issues they have under Windows are legal and nothing else. In fact, it works just great (if you don't believe me, compile Apache with SSL under Windows (you'll need Visual C++ 5 and up)... Apache Software Foundation even gives you detailed instructions on how to do it! [apache.org])!
Since Apache 2.0.x is the first version of Apache for Windows that is largely considered a Production release they are debating the legal issues of releasing a BINARY version of Apache 2.0.x for Win32 compiled with OpenSSL libraries. This is especially the case since they are not SELLING the software to do it, so they can not really control who would use it. They will figure something out, but in the meantime, do not release it in their binaries.
As a matter of fact, Apache 2.0.4x Win32 can easily be setup to use OpenSSL and ModSSL! This is thoroughly explained at this web site [raibledesigns.com]. It even explains to you where to get binary distributions of it (not directly from Apache as discussed above).
In fact, on a single Pentium II or III with Win2k (even workstation) you have plenty of horsepower to use SSL and Apache 2.0.x. I would like to mention a couple of things, I use it in an academic environment and it has been running stable and secure for almost half a year now.
It has a commercial SSL certificate on it. Apache 2.0.x on Win32 is quite a bit tricky to get your private key and public certificate to work if it is PEM encoded. If it is not PEM encoded, it is a snap! That right there is one thing that can save you hours of head banging on wall! Make sure your key and certificate after you've received them are not PEM encoded for less aggravation. You can always run them through (at least the cert) OpenSSL to remove the encoding.
Also, your certificate chain must be put together the right way, but you should get instructions for that from your certificate authority.
I agree, Apache on Win32 is a much better choice than IIS. IIS can be a relatively secure product if administered properly. There are, of course, numerous security holes that have been publicized, and it should be mentioned that most were left open by the administrators who should have known better. They got IIS to work and didn't bother with security! Most of the reasons to NOT use IIS are the fact that you need at least NT Server 4, 5, 6, etc. (the workstation version of IIS is too limited for production usage) and the steep licensing that costs, and the fact that it has much more features than 99.9% of websites will need!
Apache, on the other hand, gives you a relatively secure environment from the get-go that makes you ADD the features you need. After working with Apache it should become apparent that this is clearly the way to go. Intelligent administration of servers can really make almost any modern OS relatively secure. Perhaps if Apache on Win32 catches on it may encite people to port more great open source server software to natively run on Win32 as Apache does (does not use Cygwin... though you CAN of couse, use the Cygwin version of Apache which won't perform as well as the Native Win32 version does). Plus, Apache can run just fine on NT workstation (saving plenty of money on the NT server licenses)!
Interestingly enough, Apache Win32 in our setup outperforms other departments at our institution using IIS on Win32! Perhaps benchmarks in this area should be publicized a bit more!
If you plan on running 2.0.44 under Win9x/ME... (Score:5, Informative)
Security issues? (Score:2, Informative)
Reverse Proxy/load balancer, Http/Https, very small, tight code, minimises security risks. No matter what web server you're using, this should solve most of your security problems.
Be careful upgrading (Score:3, Informative)
Cheers!
Apache and PHP (Score:2, Informative)