Book Review: Apache Cookbook
Do you run an Apache web server? Do you know how to log your Apache server's error logs to syslogd? How about providing a default favicon image for multiple sites using Apache's ErrorDocument directive? Or how to monitor for brute-force password attacks against Apache's Basic Authentication? Or limit file-upload sizes with Apache directives?
These are a few of the tricks explained in O'Reilly's latest Apache book, the Apache Cookbook. This 236-page reference book has much to offer the Apache administrator who wishes to expand his or her Apache repertoire. This book covers Apache 1.3 and 2.0, under both UNIXish systems and Windows. The authors, Ken Coar and Rich Bowen, are long-time Apache users and active contributors to the Apache HTTPD Documentation Project.
As with other O'Reilly Cookbooks, the book is broken into recipes, which generally are independent problems and their solutions. The recipes are grouped into categories such as Logging, SSL, Virtual Hosts, Security and Performance. Recipes range in length and in complexity.
The book includes over 100 recipes, all from real-world problems solved by the authors and discussed in Usenet news, the Apache FAQ, Apache-related mailing lists and IRC channels and other locations. Some should be familiar to the seasoned Apache administrator, but many probably are new. Some examples include Perl code, which is clearly written and easily adapted to other scripting languages if necessary.
To examine one representative example, recipe 6.4 is called "Limiting Upload Size". The problem is stated in a couple of sentences, the solution is given in one page of extended code, and a discussion follows with half a page of extended information.
In this case the problem is: when you allow file uploads, you might want to limit file sizes to, say, 10K. Many people (myself included) have solved this problem by checking file length within the CGI script that processes the upload. The solution described here is setting a policy for an upload location directly in Apache. The second solution makes sense, for example, on servers where you don't trust the CGI-writers or installers to do it themselves.
The book describes the basic solution as follows:
SetEnvIf Content-Length "^[1-9][0-9]{4,}" upload_too_large=1
<Location /upload>
    Order Deny,Allow
    Deny from env=upload_too_large
    ErrorDocument 403 /cgi-bin/remap-403-to-413
</Location>
The solution illustrates a few interesting concepts: the SetEnvIf directive to set environment variables according to conditional values of other environment variables, checking those values with regular expressions and using environment variables within a Deny statement to control user access.
The solution continues with a 50-line Error Document CGI to differentiate between 403 errors (Document Forbidden) and 413 errors (file too large). The code is written clearly with many comments.
The discussion starts by briefly explaining why they included an ErrorDocument CGI instead of a simple HTML file. It turns out that Deny always changes the server response to a 403 error. Within the /upload location, you might want to treat regular 403 errors (such as trying to access a forbidden page) differently from your newly created error from a too-large upload.
Next, the discussion points out where the CGI specifically sets the response Status (to 403 or 413). Without it, a response CGI always gives the Status code 200 OK, which is not what you want. This is a common programmer problem when writing Error Document CGIs, and it is worth flagging.
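The Status handling described above, as an added example in Python: this is not the book's CGI, which is not reproduced in this review. It assumes the script is installed at the recipe's /cgi-bin/remap-403-to-413 path and relies on Apache re-exporting the original request's variables with a REDIRECT_ prefix when it redirects internally to an ErrorDocument; the function names are illustrative.

```python
#!/usr/bin/env python3
"""ErrorDocument handler: report 413 for oversized uploads, 403 otherwise."""
import os
import sys
from html import escape

# upload_too_large is set by the recipe's SetEnvIf line. Inside an
# ErrorDocument handler it appears with Apache's REDIRECT_ prefix.
FLAG = "REDIRECT_upload_too_large"

STATUS_TEXT = {
    403: "Forbidden",
    413: "Request Entity Too Large",
}


def choose_status(environ):
    """Return 413 when the Deny came from the size check, else 403."""
    return 413 if environ.get(FLAG) == "1" else 403


def build_response(environ):
    """Build the complete CGI reply: headers, blank line, HTML body."""
    status = choose_status(environ)
    reason = STATUS_TEXT[status]
    # REDIRECT_URL is the originally requested path. It is client-supplied,
    # so escape it before placing it in HTML.
    url = escape(environ.get("REDIRECT_URL", ""))
    headers = (
        # Without an explicit Status header the CGI reply goes out as 200 OK.
        f"Status: {status} {reason}\n"
        "Content-Type: text/html; charset=utf-8\n"
        "\n"
    )
    body = (
        f"<html><head><title>{status} {reason}</title></head>\n"
        f"<body><h1>{reason}</h1>\n"
        f"<p>The request for {url} was refused.</p></body></html>\n"
    )
    return headers + body


if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```
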
Last in the discussion is a warning about Content-Length. If the maximum is set too low, web form submissions (within the protected Location) could be denied as well. This is also a gotcha worth pointing out. Finally, there is a See Also to look at Chapter 9 on error handling.
Unfortunately, the Recipe does not cover a third potential answer: the Apache LimitRequestBody directive.
Comments
Newer please
Is there no newer book on Apache?? Within maybe the past 4 years???
I really recommend this book
I really recommend this book because it's very helpful for all Apache newbies. It is very clearly written and offers a lot of tips and tricks.