Book Review: Apache Cookbook

by Daniel Allen

Apache Cookbook

Authors: Ken Coar and Rich Bowen

Publisher: O'Reilly & Associates, November 2003

ISBN: 0-596-00191-6

Price: $29.95 US

Do you run an Apache web server? Do you know how to log your Apache server's error logs to syslogd? How about providing a default favicon image for multiple sites using Apache's ErrorDocument directive? Or how to monitor for brute-force password attacks against Apache's Basic Authentication? Or limit file-upload sizes with Apache directives?

These are a few of the tricks explained in O'Reilly's latest Apache book, the Apache Cookbook. This 236-page reference book has much to offer the Apache administrator who wishes to expand his or her Apache repertoire. This book covers Apache 1.3 and 2.0, under both UNIXish systems and Windows. The authors, Ken Coar and Rich Bowen, are long-time Apache users and active contributors to the Apache HTTPD Documentation Project.

As with other O'Reilly Cookbooks, the book is broken into recipes, which generally are independent problems and their solutions. The recipes are grouped into categories such as Logging, SSL, Virtual Hosts, Security and Performance. Recipes range in length and in complexity.

The book includes over 100 recipes, all from real-world problems solved by the authors and discussed in Usenet news, the Apache FAQ, Apache-related mailing lists and IRC channels and other locations. Some should be familiar to the seasoned Apache administrator, but many probably are new. Some examples include Perl code, which is clearly written and easily adapted to other scripting languages if necessary.

Example Recipe: Limiting Upload Size

To examine one representative example, recipe 6.4 is called "Limiting Upload Size". The problem is stated in a couple of sentences, the solution is given in one page of extended code, and a discussion follows with half a page of extended information.

In this case the problem is: when you allow file uploads, you might want to limit file sizes to, say, 10K. Many people (myself included) have solved this problem by checking file length within the CGI script that processes the upload. The solution described here is setting a policy for an upload location directly in Apache. The second solution makes sense, for example, on servers where you don't trust the CGI-writers or installers to do it themselves.

The book describes the basic solution as follows:

SetEnvIf Content-Length "^[1-9][0-9]{4,}" upload_too_large=1
<Location /upload>
  Order Deny,Allow
  Deny from env=upload_too_large
  ErrorDocument 403 /cgi-bin/remap-403-to-413
</Location>

The solution illustrates a few interesting concepts: the SetEnvIf directive to set environment variables according to conditional values of other environment variables, checking those values with regular expressions and using environment variables within a Deny statement to control user access.

The solution continues with a 50-line Error Document CGI to differentiate between 403 errors (Document Forbidden) and 413 errors (file too large). The code is written clearly with many comments.

The discussion starts by briefly explaining why they included an ErrorDocument CGI instead of a simple HTML file. It turns out that Deny always changes the server response to a 403 error. Within the /upload location, you might want to treat regular 403 errors (such as trying to access a forbidden page) differently from your newly created error from a too-large upload.

Next, the discussion points out where the CGI specifically sets the response Status (to 403 or 413). Without it, a response CGI always gives the Status code 200 OK, which is not what you want. This is a common programmer problem when writing Error Document CGIs, and it is worth flagging.

Last in the discussion is a warning about Content-Length. If the maximum is set too low, web form submissions (within the protected Location) could be denied as well. This is also a gotcha worth pointing out. Finally, there is a See Also pointing to Chapter 9 on error handling.
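The status handling described in the discussion, as an added example that is not the book's Perl CGI or code from this review: a minimal Python ErrorDocument CGI that sets Status explicitly, plus a check of which Content-Length values the SetEnvIf pattern flags. The function names are hypothetical, and the REDIRECT_upload_too_large lookup assumes Apache passes the original request's variable to the error handler under a REDIRECT_ prefix.

```python
#!/usr/bin/env python3
"""Sketch of an ErrorDocument CGI in the spirit of /cgi-bin/remap-403-to-413."""
import os
import re
import sys

# Same pattern as the SetEnvIf line: five or more digits, no leading zero,
# i.e. a declared body length of 10000 bytes or more.
TOO_LARGE = re.compile(r"^[1-9][0-9]{4,}")


def flags_upload(content_length):
    """True if this Content-Length value would set upload_too_large."""
    return TOO_LARGE.search(content_length) is not None


def build_response(environ):
    """Return the full CGI response (headers, blank line, body) as a string."""
    # Assumption: after the internal redirect to the ErrorDocument, Apache
    # exposes the original request's variable with a REDIRECT_ prefix.
    if environ.get("REDIRECT_upload_too_large") == "1":
        status, text = "413 Request Entity Too Large", "Upload exceeds the size limit."
    else:
        status, text = "403 Forbidden", "You may not access this resource."
    # Without an explicit Status header the CGI response would go out as 200 OK.
    return (
        f"Status: {status}\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        f"{text}\r\n"
    )


if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```

Note that the pattern's threshold is 10000 bytes, so a 9999-byte request passes while a 10240-byte (10 KiB) request is denied.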

Unfortunately, the Recipe does not cover a third potential answer: the Apache LimitRequestBody directive.

Good and Bad

The Apache Cookbook is clearly written. The parts I found particularly well written are the Troubleshooting section (which was put in Appendix B instead of receiving a chapter of its own, for some reason) and Chapter 11, "Performance". Both brought together in one place some advice I'd seen in various locations and some tips I didn't know. Other people may particularly appreciate Chapter 5, "Aliases, Redirecting, and Rewriting", which has 18 recipes for mangling and massaging URLs into shape, and Chapter 6, "Security", which has 28 recipes.

In a few recipes, the authors answer a question with "It's not possible." One example is the question, "Can you log users by their MAC address?" This sort of answer is to be commended, as many authors prefer not to share bad news even to frequently asked questions.

The length of the book is appropriate for general browsing and skimming. The recipes are generally short enough to allow you to skim a chapter in an hour or under, which is good.

As for the bad, cross-referencing between recipes is not as good as I would like. Many recipes have See Also sections, but they sometimes seem to miss natural comparisons that would be useful for the skimming reader. For example, Recipe 5.13, "Denying Access to Unreferred Requests," uses mod_rewrite, while recipe 6.5, "Restricting Images from Being Used Off-Site," uses FilesMatch and SetEnv as well as mod_rewrite to accomplish the same thing. Each has a unique See Also section that does not refer to the other. Similarly, recipe 9.1, "Handling a Missing Host Field" and recipe 12.6, "Handling Missing Host Header Fields" don't refer to each other.

In a few situations, concepts could have been explained earlier or with more detail. Chapter 11 describes how to use different MPMs without defining MPM or explaining that Apache 2.0 provides different swappable models for handling threads and processes. Recipe 6.20 talks about proxy security without introducing proxies or mentioning that they are the topic of Chapter 10. These are minor complaints, but they make the book less effortless to use in its paper version.

On the whole, the Apache Cookbook is a good addition to the Apache administrator or programmer's library. For the $29.95 US cover price, the paper copy is a reasonable investment. It also is available on Safari if you don't want a paper copy. Considering the cross-referencing difficulties, that format might be easier to use.
