OT: Apache Version Used

Brad Bartram bradbartram at ccsisp.com
Tue Dec 21 10:41:24 EST 2004


One of the things to keep in mind is that although the versions are 1 and 2, 
Apache 2 is not a true "upgrade" in the normal sense.  Due to the complete 
redesign of the internals of Apache 2 as well as the continued development of 
the 1.3 series, they can almost be considered two different applications.

The trend recently with the major distros has been to package Apache 2 as the 
latest and greatest, but Apache 1.3 is a very mature application and is very 
well supported.  Again, the ultimate decision comes down to your needs, but 
be aware of the limitations as well as the strengths of your decisions as 
they fit with your particular situation.

Now to be fair, Apache 2 can run PHP safely, although to do so requires 
running Apache in a way that basically puts it into 1.3 mode and really 
negates most of the advancements of the Apache 2 engine, namely 
multithreading.  This is how most of the distros ship the configs on their 
Apache 2 installations, by default.

As Pete said about security, the most important part of the security of your 
system is to know how your system normally runs when it's not hacked.  Most 
security incidents are discovered because something just doesn't look right 
to the admin.

Hope any of this helps.

brad

On Tuesday 21 December 2004 8:47 am, Cyber Source wrote:
> You should heed Brad's advice. I only know Brad briefly but he made a
> really nice presentation once at an nflug meeting and does have a lot of
> knowledge when it comes to security. However, I don't think you should
> not make your decision based on the thinking that you're safer staying
> with older software (obscurity = security). Software would never advance
> like that and updates are for fixing, amongst other things, security
> holes, bugs, etc.. Apache should also not be blamed for what it has no
> control over, like the php packages on your system. I know this from
> experience as the php packages that came with RH9 rpm's were badly
> broken because I was working with the developer for FreeMED and he
> developed his (php) FreeMED package on a debian box (different php, same
> versioning but compiled differently with the rpm's). So we tried just
> putting his FreeMED package on a FC1 box (same Apache version) and all
> was well. Before I got into RH and FC, I had a Mandrake server get
> hacked because I didn't keep the packages up to date and one of the
> packages had a security hole.
> So, I would advise to stay current and edit your /etc/aliases file to
> put a real email address for your root mail on the box (don't forget to
> start sendmail or equiv.) and keep an eye on your logs.
>
> Timothy Domst wrote:
> > So since I am planning on a rudimentary server and I have that manual
> > I should just use 1.3 until I have a reason to do otherwise.
> >
> > On Dec 20, 2004, at 10:03 PM, Brad Bartram wrote:
> >> Ahh - the old 1 vs 2 debate. ;-)
> >>
> >> What you use should depend largely on what you are using the server
> >> for. If you are using the server for php or pretty much most of the
> >> interpreted languages like php, the answer is a resounding 1.3.
> >> Apache 2 and php should not be used in a production or live
> >> environment due to the security and stability issues that are raised.
> >>
> >> If you are using Apache with an external interpreter such as Tomcat
> >> or the like, then using Apache 2 is the hands down winner.
> >>
> >> The reason for the difference is really the same - threads. Apache 2
> >> can use a threaded operation that makes it perfect for a
> >> multithreaded application like tomcat but inherently unsafe for php.
> >>
> >> Just my $.02
> >>
> >> And to stay on topic - I use apache as I outlined above. In the rare
> >> instance I need both Tomcat and php support, I either divide the load
> >> using redirection and forwarding or if I need it all on one server I
> >> sacrifice Tomcat / apache performance and use 1.3 series.
> >>
> >> brad
> >>
> >> On Monday 20 December 2004 9:22 pm, Timothy Domst wrote:
> >>> Have you ever used 2? Does 1 give you any problems?
> >>>
> >>> On Dec 20, 2004, at 6:01 PM, Joshua Ronne Altemoos wrote:
> >>>> I use 1.3 because that is the default for slack10 which is on my
> >>>> server
> >>>>
> >>>>
> >>>> On Mon, 20 Dec 2004 17:35:24 -0500, Timothy Domst
> >>>>
> >>>> <timothy.domst at verizon.net> wrote:
> >>>>> I have SuSE 9.1 installed and it has Apache 2 on it, but I messed up
> >>>>> the settings or something. I have a book about Apache 1, and I had it
> >>>>> working well before when I had 9.0. Should I just install Apache 1
> >>>>> and forget about 2? I would like to know what people with home
> >>>>> servers use.
> >>>>>
> >>>>> Someone posted a link to Novell a while ago that got people on a list
> >>>>> for their Linux Technical Resource Kit. I'd like to thank them
> >>>>> because I got one and it's conveniently got a bootable SuSE 9.1 DVD
> >>>>> on it. The other stuff is on .iso files, though, and I tried to make
> >>>>> bootable CDs out of them but I couldn't. How do I install these files?
> >>>>
> >>>> --
> >>>> Have A Good Day,
> >>>> Joshua Ronne Altemoos
> >>>> joshua.altemoos at gmail.com
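
The combination discussed in this thread (Apache 2 on a threaded MPM with PHP embedded as a module) can be checked for on a host. The script below is an added example, not code from any poster in the thread; the function names and the sample output are constructed, and it assumes the module list is in the format printed by `httpd -M`.

```shell
#!/bin/sh
# Added example (not from the thread): flag Apache 2 running a threaded MPM
# together with an embedded PHP module, from `httpd -V` / `httpd -M` text.

# Print the MPM name in lowercase, or "unknown".
mpm_from_version_output() {
    printf '%s\n' "$1" | awk '
        /Server MPM:/     { print tolower($3); found = 1; exit }  # 2.2+ format
        /APACHE_MPM_DIR=/ { n = split($0, p, "/"); gsub(/"/, "", p[n])
                            print tolower(p[n]); found = 1; exit } # 2.0 format
        END               { if (!found) print "unknown" }'
}

# Succeed if the module list contains an embedded PHP module (mod_php).
has_embedded_php() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*php[0-9]*_module'
}

# Classify the pairing: ok / review / unknown.
check_apache_php() {
    mpm=$(mpm_from_version_output "$1")
    case "$mpm" in
        prefork)
            echo "ok: prefork MPM, one process per connection" ;;
        worker|event)
            if has_embedded_php "$2"; then
                echo "review: threaded MPM '$mpm' with embedded PHP module"
            else
                echo "ok: threaded MPM '$mpm', no embedded PHP module"
            fi ;;
        *)
            echo "unknown: MPM '$mpm' not classified" ;;
    esac
}

# Constructed sample output, not captured from a real host.
SAMPLE_V='Server version: Apache/2.x (Unix)
Server MPM:     Worker'
SAMPLE_M='Loaded Modules:
 core_module (static)
 php5_module (shared)'

check_apache_php "$SAMPLE_V" "$SAMPLE_M"
```

On a live host, pass the real output instead of the samples, for example `check_apache_php "$(httpd -V)" "$(httpd -M)"`; the binary may be installed as `apachectl` or `apache2ctl` depending on the distribution.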


