Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache has been the most popular web server on the Internet since April of 1996. The October 2004 Netcraft Web Server Survey found that more than 67% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

The Apache HTTP Server is a project of the Apache Software Foundation.

Here are some key features of "Apache2":

Core Enhancements

Authn/Authz

- The bundled authentication and authorization modules have been refactored. There is a new authentication backend provider scheme which greatly eases the construction of new authentication backends.

Caching

- mod_cache, mod_disk_cache, and mod_mem_cache have undergone a lot of changes are now considered production-quality. htcacheclean has been introduced to cleanup mod_disk_cache setups.

Proxying

 The new mod_proxy_balancer module provides load balancing services for mod_proxy. The new mod_proxy_ajp module adds support for the Apache JServ Protocol version 1.3 used by Apache Tomcat.

Regular Expression Library Updated

- Version 5.0 of the Perl Compatible Regular Expression Library (PCRE) is now included.

Smart Filtering

- mod_filter introduces dynamic configuration to the output filter chain. It enables filters to be conditionally inserted, based on any Request or Response header or environment variable, and dispenses with the more problematic dependencies and ordering problems in the 2.0 architecture.

Large File Support

- httpd is now built with support for files larger than 2Gb on modern 32-bit Unix systems. Support for handling >2Gb request bodies has also been added.

Event MPM

- The event MPM uses a seperate thread to handle Keep Alive requests and accepting connections. Keep Alive requests have traditionally required httpd to dedicate a worker to handle it. This dedicated worker could not be used again until the Keep Alive timeout was reached.

SQL Database Support

- mod_dbd, together with the apr_dbd framework, brings direct SQL support to modules that need it. Supports connection pooling in threaded MPMs.

Module Enhancements

mod_authnz_ldap

- This module is a port of the 2.0 mod_auth_ldap module to the 2.2 Authn/Authz framework. New features include using LDAP attribute values and complicated search filters in the Require directive.

mod_info

- Added a new ?config argument which will show the configuration directives as parsed by Apache, including their file name and line number. The module also shows the order of all request hooks and additional build information, similar to httpd -V.

mod_ssl

- Added a support for RFC 2817, which allows connections to upgrade from clear text to TLS encryption.

Program Enhancements

httpd

- A new command line option -M has been added that lists all modules that are loaded based on the current configuration. Unlike the -l option, this list includes DSOs loaded via mod_so.

Module Developer Changes

APR 1.0 API

- Apache 2.2 uses the APR 1.0 API. All deprecated functions and symbols have been removed from APR and APR-Util. For details, see the APR Website.

Connection Error Logging

- A new function, ap_log_cerror has been added to log errors that occure with the client's connection. When logged, the message includes the client IP address.

Test Configuration Hook Added

- A new hook, test_config has been added to aid modules that want to execute special code only when the user passes -t to httpd.

Set Threaded MPM's Stacksize

- A new directive, ThreadStackSize has been added to set the stack size on all threaded MPMs. This is required for some third-party modules on platforms with small default thread stack size.

Protocol handling for output filters

- In the past, every filter has been responsible for ensuring that it generates the correct response headers where it affects them. Filters can now delegate common protocol management to mod_filter, using the ap_register_output_filter_protocol or ap_filter_protocol calls.

Monitor hook added

- Monitor hook enables modules to run regular/scheduled jobs in the parent (root) process.

Product's homepage

What's New in This Release: [ read full changelog ]

· SECURITY: CVE-2011-3348 (cve.mitre.org)
· mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
· SECURITY: CVE-2011-3192 (cve.mitre.org)
· core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.
· SECURITY: CVE-2011-3607 (cve.mitre.org)
· core: Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess.
· configure: Load all modules in the generated default configuration when using --enable-load-all-modules.
· mod_reqtimeout: Change the default to set some reasonable timeout values.
· core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove the inode. PR 49623.
· mod_lua: Expose SSL variables via r:ssl_var_lookup().
· mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} can now additionally be run as "early" or "late" relative to other modules.
· configure: By default, only load those modules that are either required or explicitly selected by a configure --enable-foo argument. The LoadModule statements for modules enabled by --enable-mods-shared=most and friends will be commented out.
· mod_lua: Prevent early Lua hooks (LuaHookTranslateName and LuaHookQuickHandler) from being configured in , , and htaccess where the configuration would have been ignored.
· mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors in LuaMapHandler scripts
· mod_log_debug: Rename optional argument from if= to expr=, to be more in line with other config directives.
· mod_headers: Require an expression to be specified with expr=, to be more in line with other config directives.
· mod_substitute: To prevent overboarding memory usage, limit line length to 1MB.
· mod_lua: Make the query string (r.args) writable.
· mod_include: Add support for application/x-www-form-urlencoded encoding and decoding.
· rotatelogs: Add -c option to force logfile creation in every rotation interval, even if empty.
· core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
· mod_session_crypto: Refactor to support the new apr_crypto API.
· http: Add missing Location header if local URL-path is used as ErrorDocument for 30x.
· mod_buffer: Make sure we step down for subrequests, but not for internal redirects triggered by mod_rewrite.
· mod_lua: add r:construct_url as a wrapper for ap_construct_url.
· mod_remote_ip: Fix configuration of internal proxies. PR 49272.
· mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific server IP endpoint and remote client IP upon connection.
· mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with PeerExtList().
· mpm_prefork, mpm_worker, mpm_event: If a child is created just before graceful restart and then exits because of a missing lock file, don't shutdown the whole server. PR 39311.
· mpm_event: Check the return value from ap_run_create_connection. PR: 41194.
· mod_mime_magic: Add signatures for PNG and SWF to the example config. PR: 48352.
· core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items from the parsed (or default) config. This is useful for init scripts that need to setup temporary directories and permissions.
· core, mod_actions, mod_asis: Downgrade error log messages which accompany a 404 request status from loglevel error to info. PR: 35768.
· core: Fix hook sorting with Perl modules. PR: 45076.
· core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged.
· mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory usage. PR 51618.
· mod_ssl: At startup, when checking a server certificate whether it matches the configured ServerName, also take dNSName entries in the subjectAltName extension into account. PR 32652, PR 47051.
· mod_substitute: Reduce memory usage and copying of data. PR 50559.
· mod_ssl/proxy: enable the SNI extension for backend TLS connections
· Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571.
· Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is false but RLIMIT_* are defined. PR51371.
· core: Correctly obey ServerName / ServerAlias if the Host header from the request matches the VirtualHost address. PR 51709.
· mod_unique_id: Use random number generator to initialize counter. PR 45110.
· core: Add convenience API for apr_random.
· core: Add MaxRangeOverlaps and MaxRangeReversals directives to control the number of overlapping and reversing ranges (respectively) permitted before returning the entire resource, with a default limit of 20.
· mod_ldap: Optional function uldap_ssl_supported(r) always returned false if called from a virtual host with mod_ldap directives in it. Did not affect mod_authnz_ldap's usage of mod_ldap.
· mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to "none".
· core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none.
· mod_ssl: revamp CRL-based revocation checking when validating certificates of clients or proxied servers. Completely delegate CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck directive for controlling the revocation checking mode.
· core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200.
· mod_cache: Ensure that CacheDisable can correctly appear within a LocationMatch.
· mod_cache: Fix the moving of the CACHE filter, which erroneously stood down if the original filter was not added by configuration.
· mod_ssl: improve certificate error logging. PR 47408.
· mod_authz_groupfile: Increase length limit of lines in the group file to 16MB. PR 43084.
· core: Increase length limit of lines in the configuration file to 16MB. PR 45888. PR 50824.
· core: Add API for resizable buffers.
· mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such as Tivoli Directory Server 6.3 and later.
· mod_ldap: Change default number of retries from 10 to 3, and add an LDAPRetries and LDAPRetryDelay directives.
· mod_authnz_ldap: Don't retry during authentication, because this just multiplies the ample retries already being done by mod_ldap.
· configure: Allow to explicitly disable modules even with module selection 'reallyall'.
· mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994.
· mod_ssl, configure: require OpenSSL 0.9.7 or later.
· mod_ssl: remove ssl_toolkit_compat layer.
· mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
· mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the cookie is set when modules such as mod_rewrite trigger a redirect. Also use r->err_headers_out for the cookie, for the same reason. PR29755.
· mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and 'proxy-source-port' request notes for logging. PR 30195.
· configure: Enable ldap modules in 'all' and 'most' selections if ldap is compiled into apr-util.
· core: Add ap_check_cmd_context()-check if a command is executed in .htaccess file.
· mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
· mod_authn_socache: Fix to work in .htaccess if not configured anywhere in httpd.conf, and introduce an AuthnCacheEnable directive. PR 51991
· mod_xml2enc: new (formerly third-party) module supporting internationalisation for filters via smart charset sniffing and conversion.
· mod_proxy_html: new (formerly third-party) module to fix up HTML links in a reverse proxy situation, where a backend generates URLs that are not resolvable by Clients.