Apache 2.0 still has its share of growing pains. 5/16 Web Dev Weekly hed: The Apache evolution dek: Apache 2.0 still has its share of growing pains. By Garth Gillespie
I’ve sung Apache’s praises before, but in case you are unaware, Apache is Web-server software that runs almost 63 percent of the world’s Web sites, according to Netcraft’s April 2001 survey. You have to go down to the 20th percentile to find the second-place web server, Microsoft’s IIS, at 20.64 percent. Building on this success, the Apache Group has recently released the first beta of Apache 2.0, the much-anticipated rewrite and update of the Apache code base.
Apache 2.0 has been in the works for more than a year now. It has progressed through several alpha releases in which the structure has radically changed. Yet the goals of Apache 2.0 have remained: better request handling through Multi-Processing Modules (MPMs), a production-ready Microsoft Windows version, and a much simpler method to run Apache on anything, handled by the introduction of the Apache Portable Run-Time (APR). These goals have been the reason for the large overhaul of the current Apache code base. Along with the overhaul, the Apache Group has also been considering what, if any, additional functionality to distribute with the core program. One area conspicuously missing from Apache is native Secure Socket Layer (SSL) capabilities.
Because both IIS and iPlanet’s (formerly Netscape) Web servers feature SSL support, the lack of SSL capabilities in Apache has been a hindrance to the easy adoption of Apache as an all-purpose Web server. This lack has not been lost on the Apache Group, and there has been much discussion on the mailing lists about including an SSL option with Apache 2.0. Unfortunately, the discussion was more political than mechanical.
The history of SSL and Apache has not been pretty. Until April 1998, the only solutions to webmasters wishing to have an SSL-enabled Apache server were to buy products like Stronghold or Raven, or to attempt to integrate Apache-SSL, a free yet incredibly obtuse solution managed by Ben Laurie, a core member of the Apache Group. In response to this situation, Ralf Engelschall, another core member of the Apache Group, took it upon himself to make Apache-SSL much easier to install and maintain. He chose to use OpenSSL, a free SSL/TLS (Transport Layer Security) library as the encryption library for his module. As Apache-SSL is Open-Source, Engelschall used that as the basis for his work, and first offered it back to Laurie as an improvement to Apache-SSL. At that point, it became a battle of egos. Laurie did not like what Engelschall had done, and refused to accept the changes. So Engelschall released his modifications as mod_ssl, and two years later its share of the Apache-based SSL market has gained considerably.
Fast-forward now to March 2001 and the development of Apache 2.0. With support for SSL inclusion in the Apache distribution on the rise, mod_ssl supporters were disheartened to read this e-mail on the mod_ssl discussion list. Basically, work was progressing on a new Apache TLS framework that would, in theory, be able to use any SSL module to manage the SSL connections. However, the module to be chosen would be Apache-SSL.
The various Apache e-mail lists were soon in frenzy, with both the Apache-SSL camps and the mod_ssl camps crowing about how much better their solution is than the others. The rhetoric continued until April 27th, when Ben Laurie answered this long e-mail with a surprising acquiescence to using mod_ssl instead of Apache-SSL in Apache 2.0. As I am one who believes mod_ssl is a much better solution than Apache-SSL, I applaud this decision and look forward to the potential of the inclusion of a fine SSL/TLS module with Apache 2.0.
As one of the shining jewels of the open-source movement, I was saddened by the political rhetoric around the SSL issue. I am very happy to see its potential resolution, and look forward to coming success of Apache 2.0. The Apache Group deserves a great deal of credit for its work on this fine open-source product. For more information on Apache 2.0 internals, visit ApacheToday.
Garth Gillespie is architect and chief technologist of ComputerUser.com, which is running on LAMP (Linux, Apache, MySQL and PHP).