Worry-Free Web Server -- Redmondmag.com

Worry-Free Web Server

Users say Apache 2.0 is a robust, flexible and secure Web server that just plain works.

By Joanne Cummings
01/01/2006

The open source Apache Web server is by far the most popular Web server in the world. According to Netcraft Ltd.’s December 2005 survey, nearly 70 percent of the developers they surveyed said they worked with Apache. That same survey revealed that only 20 percent worked with its nearest competitor, Microsoft’s IIS.

Those numbers make sense, readers say, because Apache is the most robust, flexible and secure Web server available. Its support for open standards makes it easier to work with, especially for sites that use the PHP scripting language. And you certainly can’t beat the price.

“Apache is rock solid,” says David Grecco, president and senior consultant at Grecco Consulting Services LLC in Austin, Texas, who runs Apache 2.0 to support his customers on three servers -- two hosted in Canada and one in Austin. “It just works and it’s free. You can’t beat that.”

Support Is Not An Issue
Even though Apache is an open source tool, Grecco has no worries when it comes to support or resolving problems. “The support you get from the open source community is just fantastic. If you’re having a problem with something, chances are that somebody else has already encountered it and posted a solution for it.”

In many cases, he’s had his Apache questions answered faster than questions about commercial software. “If you ask a question, many times someone will answer you within a half hour or 10 minutes,” he says, noting that he uses the Apache forum and another site called Linux Questions. “I posted a question once and got a response in five minutes. That’s pretty responsive.”

That level of responsiveness also extends to future versions and features, which are driven by the Apache user community. “Apache is maintained by the user community,” says Frank Wald, senior Web developer at Siteworx Inc. in Reston, Va. “If the whole user community of Apache one day says let’s never implement this feature, chances are, it will never go in that direction.”

Grecco considered using Microsoft’s IIS Web server running on Windows to support his sites, but that would have been too difficult to configure to work with PHP, which his Joomla! content management system required. “Officially, IIS supports PHP, but it’s difficult to make work,” he says. “Eventually, I gave up and just went to Linux and Apache. I quickly found out that for Web services, Apache and Linux just kills.”

Other PHP users agree. “We didn’t use IIS because it’s more difficult to configure with PHP,” says Robert Nelson II, an instructor in the information technology department at Blinn College in Bryan, Texas. Getting IIS to work with PHP is possible, he says, just not easy.

“One of my students configured IIS for PHP and he got it to work,” Nelson says. “He found a Web site where someone had developed a step-by-step process for configuring IIS to work with PHP correctly, but it was quite a few pages long. Not the easiest thing in the world.”

Plays Well With Windows
Nelson says his students run Apache 2.0 on both Linux and Windows servers, and for the most part it behaves the same way on both platforms. “All three -- Apache, MySQL and PHP -- present themselves the same way to the Windows world and the Unix/Linux world,” Nelson says.

For users leery of Apache and Linux, Grecco says most Linux servers come with a graphical interface that makes it easier to work with. “I think a lot of people are afraid of Linux and Apache because they think it’s all command-line driven,” he says. “I use an open source tool called Webmin, which is basically a browser interface for managing your Linux system. It’s as easy to administer as Windows.”

What's New in Apache 2.2?

The new branch offers several key enhancements. Apache 2.2 debuted in December 2005 as the next major, stable branch of the vaunted Web server -- the first since 2.X debuted in 2002. It includes four key enhancements to the underlying core:

Authn/Authz: The new version separates and refactors the bundled authentication and authorization modules. Construction of new authentication back ends is much easier thanks to a new back-end provider.
Caching: After many changes to mod_cache, mod_disk_cache, and mod_mem_cache, they’re now considered production-quality. You can now clean up mod_disk_cache setups with htcacheclean.
Proxying: The new mod_proxy_balancer provides load balancing services for mod_proxy. The mod_proxy_ajp module supports the Apache JServ Protocol Version 1.3 used by Apache Tomcat (http://tom cat.apache.org).
Smart Filtering: Mod_filter introduces dynamic configuration to the output filter chain. It lets you conditionally insert filters based on any request, response header, or environmental variable, and dispenses with the more problematic dependencies and ordering problems in 2.0.

-- J.C.

Apache 2.0 made many improvements over version 1.3, users say. “We’re using Apache as a gate keeper, and then we use mod_proxy plus some other custom modules to create a reverse proxy inside the company,” says Wald. Apache 2.0 shored up its mod_proxy module, which makes building a reverse proxy easier. “That way, Apache is a single sign-on for a log-in, and then it can be a reverse proxy to get to all the resources on the inside based on that single sign-on.

“We still have to use some other third-party modules to make the whole thing happen,” says Wald, “but the new mod_proxy really helped.”

Better control of the sequence in which modules are loaded is another 2.0 improvement. “Version 2.0 provides an easier and more flexible way to bind modules together, and also bind routines in modules that do specific items,” he says.

Wald says this was important when setting up his firm’s remote authentication. “I had to work very hard to get those modules to load in the proper sequence for mod_proxy to do the reverse authentication,” he says. “Under Apache 1.3, I attempted some of this but I got only so far. Under 2.0, it’s just a snap.”

Things will only get better, especially in terms of authorization and authentication, now that version 2.2 of Apache is generally available, he says. “They’ve split apart the modules in 2.2, so now one is for authentication and one is for authorization. That allows me more ways of connecting to the back end. That is really cool.”

The one feature Wald would like to see improved is Apache’s logging ability, although he found a third-party open source module, called pgLOGd, that works for now. “I’ve always loathed the logging in Apache,” says Wald. His company wanted to use Apache to send logs to a single source, then distribute them to various files and databases. “Apache can rotate its logs and run other programs, but it starts an instance up for each process, and we didn’t want that.”

Apache’s performance is more than snappy, users say, especially considering the platforms on which it runs. “I like the performance better under 2.0 than 1.3,” says Wald. “There are some significant enhancements to the speed.” He says this is due to Apache’s multiple processor support, server improvements and hardware improvements.

Grecco agrees, and says running Apache on Linux opens up other hardware options. “If you’re just running Web services, you can take a machine that’s three to five years old and it runs fine, especially under Linux. Windows requires a lot more resources, so you have to be more careful about the hardware.”

Safe and Secure
The main reason many users look to Apache is its reputation for security, especially compared to Microsoft IIS. “If you’re doing basic HTML and some simple scripting, there are tons of examples out there of how to secure it, there are many people willing to help you on the forums, and it’s free,” says Wald. “Apache comes with some sample configurations and scripts that will help you keep it secure, but you have to invest the time to learn about it.”

Apache closes security holes after installation, whereas IIS sometimes leaves holes open. “It changed a little under Windows 2003 and IIS 6.0, which is more secure. But with IIS 5.0 under Windows 2000, the install was wide open,” says Wald. “It would install this and that, allow WebDAV remote authoring and so on. Users would have to go in and turn everything off to make it secure. With Apache, you have to turn things on before they’re open, which is a better way to go.”

Apache is best suited as an Internet Web server. “Apache does one thing well. It does Web services,” says Grecco. “Microsoft IIS is made to integrate with all the Microsoft products. That’s great for an intranet, but if you’re going to host to the outside world, that’s when you run into security issues. Apache is a better way to go.”

About the Author

Joanne Cummings is principal writer and editor for Cummings Ltd., a freelance editorial firm based in North Andover, Mass.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.