Archive for March, 2005

<Limit> is a bad idea

Thursday, March 31st, 2005

Trying to help someone on IRC today.. their existing .htaccess file was very scary. It used the <Limit> directive, in completely the wrong context:

Quote from a .htaccess file:
<Limit GET POST>
    require valid-user
</limit>

This means that any other HTTP method could access the site without any authentication. The kicker is that mod_php will allow any HTTP method. It doesn’t just restrict to GET or POST requests.

Apache by itself, by default, only allows GET and HEAD requests on static files. Anyways, let this be a warning: when you think you need <Limit>, you probably don’t. Ever. Really. I am Serious. Do not use ‘Limit’.

Most people really want <LimitExcept>. But, I believe that in most cases, you should avoid optional authentication. I think that authentication should be required for an entire path, and not optional, depending on how the client munges the request. Optional Client Certs are also a bastard to get working too, so the best solution is to just avoid the entire ‘optional’ authentication mindset.
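
An added example, not from the original post: a small Python check that flags access-control directives scoped by <Limit> in an .htaccess file and lists the methods they leave unauthenticated. The Auth* lines and the password-file path in the samples are constructed placeholders, and the method list is an assumption covering only common methods.

```python
import re

# Common methods only; Apache also accepts extension methods, so the
# "not_enforced_for" list is a lower bound rather than a full enumeration.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS",
                 "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}
OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>\s*$", re.I)
CLOSE = re.compile(r"^\s*</(Limit|LimitExcept)\s*>\s*$", re.I)
ACCESS = re.compile(r"^\s*(require|allow|deny|order|satisfy)\b", re.I)

def audit_htaccess(text):
    """Flag access-control directives that only apply inside <Limit>."""
    findings, block = [], None   # block = (section name, methods) when inside one
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            methods = {m.upper() for m in opened.group(2).split()}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: limiting GET also limits HEAD
            block = (opened.group(1).lower(), methods)
        elif CLOSE.match(line):
            block = None
        elif block and block[0] == "limit" and ACCESS.match(line):
            findings.append({"line": lineno, "directive": line.strip(),
                             "enforced_for": sorted(block[1]),
                             "not_enforced_for": sorted(KNOWN_METHODS - block[1])})
    return findings

# Constructed samples: the <Limit> block is the one quoted in the post; the
# Auth* lines and the password-file path are placeholders added for context.
AUTH = 'AuthType Basic\nAuthName "members"\nAuthUserFile /placeholder/.htpasswd\n'
WEAK = AUTH + "<Limit GET POST>\n    require valid-user\n</limit>\n"
FIXED = AUTH + "Require valid-user\n"   # applies to every method

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_htaccess(conf) or "no <Limit>-scoped access control")
```
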

Bucket Brigades are beautiful

Wednesday, March 30th, 2005

4 Lines of code to send a segment of a Mailbox file to the browser:

Quote from mod_mbox_file.c:
    bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);

    e = apr_bucket_file_create(f, m->msg_start, m->body_end - m->msg_start,
                               r->pool,  r->connection->bucket_alloc);

    APR_BRIGADE_INSERT_TAIL(bb, e);

    return ap_pass_brigade(r->output_filters, bb);

Oh. And because of the magic inside httpd, this code will automagically use the file with MMAP for higher performance. How could it be any easier?

ApacheCon Europe 2005

Friday, March 25th, 2005

I will be in Stuttgart, Germany the 18-22 of July for ApacheCon. My two accepted presentations are:

  • What’s new in httpd 2.2
  • Developing Applications with APR

See y’all there!

And all I got was this t-shirt

Thursday, March 24th, 2005

My mod_coredumper Apache Module is currently the Featured Project on code.google.com. Even cooler is that Google is sending me a T-Shirt!

Karma points to Google for Open Sourcing coredumper. I was happy just having fun writing mod_coredumper. Getting a T-Shirt is a nice bonus.

Please, Just give up.

Wednesday, March 23rd, 2005

I am not one for posting politics on the blog much, but this is just silly:

Quote from Peter Wallsten of the Los Angeles Times:
ALBUQUERQUE, N.M. - At the start of a congressional recess in which lawmakers will hear from constituents about President Bush’s plan to change Social Security, Bush and his allies yesterday asked Democrats and the AARP to stop attacking their ideas.

Full Article at the Seattle Times

You are asking the people who oppose you to just…. stop attacking your ideas? huh? Maybe trying to compromise with them, and reach a better plan would be better.

Getting it Wrong.. 1.. 2.. 3.. 4 Times.

Wednesday, March 23rd, 2005

The Apache Tomcat Connectors are a complete mess. Here is the list of possible modules to connect HTTPD with Tomcat:

  • mod_jserv
  • mod_jk
  • mod_webapp
  • mod_jk2
  • mod_proxy_http
  • mod_proxy_ajp

mod_jserv was the original module. It is old. I can accept that. Code does get old. Bad ideas are rewritten in new code, but it doesn’t fix the fact that the idea is bad. It started the AJP format for sending requests around.

mod_jk was added in Tomcat 3.x. It expanded upon the AJP protocol that mod_jserv started with, but I found its configuration to be quite… well, perhaps crap is the best word to describe it. Oh, and for the win32 binaries, they give you a .dll that is named mod_jk-1.2.8-apache-2.0.52.so. Yes, your win32 module ends in .so. If you want to support Windows users, just make an installer. It’s bloody easy. Seriously. Use NSIS. Oh, mod_jk is also the only remaining connector that should be used ‘in production’.

mod_webapp was added in Tomcat 4.0(?). It used the WARP/1.0 protocol. It looks like the protocol didn’t add much advantage over AJP, and now it’s completely dead.

mod_jk2 was added in Tomcat 4.1(?). It was a refactor of mod_jk, using APR. It died a death from lack of developer love. All the people working on it stopped. Last December, the Tomcat Team officially dropped ‘support’ for it.

mod_proxy_http has been around since httpd 2.0, and it doesn’t use some super special optimized protocol. It uses plain old HTTP to talk to the Tomcat server. Is string munging and inserting things into arrays and tables really that slow? Is there even a need for something like AJP?

mod_proxy_ajp, the newest of all these solutions, was added to httpd 2.1.0. It uses the same AJP protocol as the previous attempts, but instead of writing a proxy module from scratch, it uses the rest of the proxy framework.

Wait a minute. All that every single one of these modules does is PROXY A REQUEST to the Tomcat server. It’s nothing extra. It only took 5 different Apache Modules and 3 different protocols, and none of them are close to perfect, and none of them are easy to configure.

The FAQ does have an entry about this.
It basically says that mod_jk is the only one that should be used in production.

A different issue that has me worried is how they word their download page:

Quote:
Since November 2004 - JK2 is officially unsupported!

JK2 has been put in maintainer mode and no further development will take place.

JK will be fully supported for all relevant web servers.

While this sounds simple, I believe it is in pseudo violation of the Apache 2.0 License. My concern is that they are effectively providing a Warranty that mod_jk is fully supported. Also, saying that mod_jk2 will be officially unsupported implies that something has ‘official support’.

I have had some of this discussion when I have talked about deprecating httpd 1.3.x. The reality is that very few developers actively work on 1.3. Yet, it is neither officially supported nor unsupported. This wishy washy stance hasn’t helped with the adoption of 2.0. I guess one day in a couple years, the 1.3 downloads will be pulled, after no one has done a commit for 5 years. The simple answer is that an open source project is never dead, but all of the developers can leave, making it quite cold to the touch. The long answer is that I don’t want to deal with Apache 1.3 bugs. Right now, other developers still want to fix bugs in 1.3, good for them. (and for any other unfortunate souls still using 1.3).

Oh. And Vonage sucks. They are what got me into a grumpy mood today. For the record, they got stuff wrong, way way way way more than 4 or 5 times.

Problems?

Sunday, March 13th, 2005

Quote from Anonymous Coward:
I once had a problem.
I thought: "Oh, I know: I'll just use XML!"

Now I had two problems.

From a Post about XML databases. While on the topic of Databases, check out this older article by JWZ on message summary files. I found it after browsing on his site after reading his article about message threading for my hacking on mod_mbox.

suphp?

Sunday, March 6th, 2005

suphp has been around for a while now, but I do not understand why anyone would use it. On their page, it says:

Quote from suPHP Homepage:
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

To me, it looks like a bad reimplementation of CGI and suEXEC. Their FAQ isn’t very helpful either. I took a quick look at the source code, and it doesn’t even use mod_cgi or mod_cgid to execute the actual process. mod_cgid does some neat tricks to avoid the overhead of forking when you have a multi-threaded server.

It doesn’t seem to have any advantage over suEXEC. It is even possible to use mod_fcgid to run each FastCGI as a different user, and it would be significantly faster than suPHP. So, my question of the day is, Why would anyone use suPHP?

Eat Your Own Dog Food

Sunday, March 6th, 2005

This site is now running off the Event MPM, that I helped write.


I still have several sites that require PHP, so I am using mod_fcgid to run all of the remaining PHP Scripts via FastCGI.


Only the Until Uru Signup page had issues after the upgrade. This page was using the apache_add_output_filter function added by my apache2-filters patch for PHP. Since the PHP was no longer running inside apache, this function did not exist. The Until Uru templates are all built in XSLT, and the PHP was adding an XSLT Output Filter to process the XML it generates. To fix this, I modified the script to send an extra header:

Quote from header.php:
header("Content-Type: application/needs-xslt");

I then told mod_transform to act on this:

Quote from httpd.conf:
AddOutputFilterByType XSLT application/needs-xslt

It seems everything else is working great. If anything is broken, please let me know.

Deceptive

Wednesday, March 2nd, 2005



Nimbus is our Giant Schnauzer, and he turned 1 year old last week. While he looks cute on the hammock this morning, this is deceptive. He was also responsible for dragging the garbage bags all over the yard twice this week.