Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.0.15 Changelog
  • Untangled the buildconf script and eliminated the need for build's aclocal.m4, generated_lists, build.mk, build2.mk, and a host of other libtool muck that is now under srclib/apr/build. [Roy Fielding]
  • Win32: Don't accept more connections than we have worker threads to handle. [Bill Stoddard]
  • Fix bug in the Unix threaded.c MPM that allowed child processes to fork() new child processes. [Bill Stoddard]
  • SECURITY: Fix a major security problem with double-reverse lookup checking. Previously, a client connecting over IPv4 would not be matched properly when the server had an IPv6 listening socket. PR #7407 [Taketo Kabe ]
  • Change the way the beos MPM handles polling to allow it to stop and restart. Problem was the sockets being polled were being reset by the select call, so once it had accepted a connection it was no longer listening on the UDP socket we use for shutdown instructions. APR needs to be altered, patch on it's way. [David Reid]
  • Empty out the brigade shared by ap_getline()/ap_get_client_block() on error exit from ap_getline(). Some other code got upset because the wrong data was in the brigade. [Greg Ames, Jeff Trawick]
  • Handle ap_discard_request_body() being called more than once. [Greg Ames, Jeff Trawick]
  • Get rid of an inadvertent close of file descriptor 2 in mod_mime_magic. [Greg Ames, Jeff Trawick]
  • Add a hook, create_request. This hook allows modules to modify a request while it is being created. This hook is called for all request_rec's, main request, sub request, and internal redirect. When this hook is called, the r->main, r->prev, r->next pointers have been set, so modules can determine what kind of request this is. [Ryan Bloom]
  • Cleanup the build process a bit more. The Apache configure script no longer creates its own helper scripts, it just uses APR's. [jean-frederic clere ]
  • Stop the forced downgrade of the connection to HTTP/1.0 for proxy requests. [Graham Leggett]
  • Avoid using sscanf to determine the HTTP protocol number in the common case because sscanf is a performance hog. From Mike Abbot's Accelerating Apache patch number 6. [Mike Abbot , Bill Stoddard]
  • SECURITY: Fix a security exposure in mod_access. Previously when IPv6 listening sockets were used, allow/deny-from-IPv4-address rules were not evaluated properly (PR #7407). Also, add the ability to specify IPv6 address strings with optional prefix length on Allow and Deny. [Jeff Trawick]
  • Enhance rotatelogs so that a UTC offset can be specified, and the logfile name can be formatted using strftime(3). (Brought forward from 1.3.) [Ken Coar]
  • Reimplement the Windows MPM (mpm_winnt.c) to eliminate calling DuplicateHandle on an IOCompletionPort (a practice which MS "discourages"). The new model does not rely on associating the completion port with the listening sockets, thus the completion port can be completely managed within the child process. A dedicated thread accepts connections off the network, then calls PostQueuedCompletionStatus() to wake up worker threads blocked on the completion port. [Bill Stoddard]
  • Bring forward the --suexec-umask option which allows the builder to preset the umask for suexec processes. [Ken Coar]
  • Add a -V flag to suexec, which causes it to display the compile-time settings with which it was built. (Only usable by root or the AP_HTTPD_USER username.) [Ken Coar]
  • Mod_include should always unset the content-length if the file is going to be passed through send_parsed_content. There is no to determine if the content will change before actually scanning the entire content. It is far safer to just remove the C-L as long as we are scanning it. [Ryan Bloom]
  • Make sure Apache sends WWW-Authenticate during a reverse proxy request and not Proxy-Authenticate. [Graham Leggett ]