Book Review: Apache Cookbook

A lot of helpful tips and advice make up for a few shortcomings.

Apache Cookbook

Authors: Ken Coar and Rich Bowen

Publisher: O'Reilly & Associates, November 2003

ISBN: 0-596-00191-6

Price: $29.95 US

Do you run an Apache web server? Do you know how to log your Apache server's error logs to syslogd? How about providing a default favicon image for multiple sites using Apache's ErrorDocument directive? Or how to monitor for brute-force password attacks against Apache's Basic Authentication? Or limit file-upload sizes with Apache directives?

These are a few of the tricks explained in O'Reilly's latest Apache book, the Apache Cookbook. This 236-page reference book has much to offer the Apache administrator who wishes to expand his or her Apache repertoire. This book covers Apache 1.3 and 2.0, under both UNIXish systems and Windows. The authors, Ken Coar and Rich Bowen, are long-time Apache users and active contributors to the Apache HTTPD Documentation Project.

As with other O'Reilly Cookbooks, the book is broken into recipes, which generally are independent problems and their solutions. The recipes are grouped into categories such as Logging, SSL, Virtual Hosts, Security and Performance. Recipes range in length and in complexity.

The book includes over 100 recipes, all drawn from real-world problems solved by the authors and discussed on Usenet, in the Apache FAQ, on Apache-related mailing lists and IRC channels, and elsewhere. Some should be familiar to the seasoned Apache administrator, but many probably are new. Some examples include Perl code, which is clearly written and easily adapted to other scripting languages if necessary.

Example Recipe: Limiting Upload Size

To examine one representative example, recipe 6.4 is called "Limiting Upload Size". The problem is stated in a couple of sentences, the solution is given in one page of extended code, and a discussion follows with half a page of extended information.

In this case the problem is: when you allow file uploads, you might want to limit file sizes to, say, 10K. Many people (myself included) have solved this problem by checking file length within the CGI script that processes the upload. The solution described here is setting a policy for an upload location directly in Apache. The second solution makes sense, for example, on servers where you don't trust the CGI-writers or installers to do it themselves.

The book describes the basic solution as follows:



# Flag any request whose Content-Length has five or more digits (10000 bytes or more)
SetEnvIf Content-Length "^[1-9][0-9]{4,}" upload_too_large=1
<Location /upload>
  # Deny rules are evaluated first; only flagged requests are refused
  Order Deny,Allow
  Deny from env=upload_too_large
  # Hand the resulting 403 to a CGI that can report 413 instead
  ErrorDocument 403 /cgi-bin/remap-403-to-413
</Location>


The solution illustrates a few interesting concepts: the SetEnvIf directive to set environment variables conditionally, based on request headers or other environment variables; matching those values with regular expressions; and using environment variables within a Deny statement to control user access.

The solution continues with a 50-line Error Document CGI to differentiate between 403 errors (Document Forbidden) and 413 errors (file too large). The code is written clearly with many comments.

The discussion starts by briefly explaining why the authors use an ErrorDocument CGI instead of a simple HTML file. It turns out that Deny always changes the server response to a 403 error. Within the /upload location, you might want to treat regular 403 errors (such as trying to access a forbidden page) differently from your newly created error for a too-large upload.

Next, the discussion points out where the CGI explicitly sets the response Status (to 403 or 413). Without it, the CGI's response goes out with status 200 OK, which is not what you want. This is a common programmer mistake when writing ErrorDocument CGIs, and it is worth flagging.
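The 403-to-413 remap the review describes, as an added Python CGI example (not the book's Perl script). It assumes Apache exposes the SetEnvIf variable to the ErrorDocument handler as REDIRECT_upload_too_large and the original path as REDIRECT_URL, and that the script is installed as /cgi-bin/remap-403-to-413:

```python
#!/usr/bin/env python3
"""ErrorDocument CGI that turns Apache's generic 403 into a 413 when the
request was refused by the upload_too_large rule.

Added example, not the book's code. Assumption: variables set before the
error redirect reach this script with a REDIRECT_ prefix, so the SetEnvIf
flag becomes REDIRECT_upload_too_large.
"""
import os
import sys

FLAG = "REDIRECT_upload_too_large"

# The Status: header is what makes Apache send a non-200 code; an
# ErrorDocument CGI that omits it is served as 200 OK.
STATUS_413 = "413 Request Entity Too Large"
STATUS_403 = "403 Forbidden"


def choose_status(environ):
    """Return the HTTP status line this error redirect should carry."""
    if environ.get(FLAG):
        return STATUS_413
    return STATUS_403


def build_response(environ):
    """Return the complete CGI output (headers plus body) as one string."""
    status = choose_status(environ)
    url = environ.get("REDIRECT_URL", "the requested resource")
    if status == STATUS_413:
        body = f"Upload to {url} rejected: request body exceeds the size limit.\n"
    else:
        body = f"Access to {url} is forbidden.\n"
    headers = [
        f"Status: {status}",
        "Content-Type: text/plain",
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Apache reads the headers from stdout and forwards the status to the client
    sys.stdout.write(build_response(os.environ))
```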

Last in the discussion is a warning about Content-Length: if the maximum is set too low, ordinary web form submissions (within the protected Location) are denied as well, because the check applies to every request body, not only file uploads. This is also a gotcha worth pointing out. Finally, there is a See Also pointing to Chapter 9 on error handling.

Unfortunately, the Recipe does not cover a third potential answer: the Apache LimitRequestBody directive.


Comments


Newer please


Is there no newer book on Apache?? Within maybe the past 4 years???

I really recommend this book


I really recommend this book because it's very helpful for all Apache newbies. It is very clearly written and offers a lot of tips and tricks.
