As you probably know, the Apache Web server is the most popular web server around. According to the latest NetCraft survey, it leads other web servers statistically (totals for top servers, market share for top servers, totals for active servers, market share for active servers across all domains, etc.). From the security perspective, it has always had, and still has, a better reputation than its main rival, Microsoft's IIS, although some of the latest vulnerabilities have shaken Apache a bit.
About the authors
Rich Bowen, the lead author of this book, is a member of the Apache Documentation Project, and is responsible for parts of the official documentation of Apache. Rich has spoken about Apache at a number of conferences, including Comdex, Apachecon, and the O'Reilly Open Source Convention. Rich is CTO at Cooper McGregor, a company offering Apache & mod_perl training.
An interview with Rich Bowen is available here.
Daniel Lopez is the author of Comanche, a quality cross-platform graphical tool for configuration and management of Internet services. He is working at Covalent Technologies, a San Francisco-based leading provider of enterprise solutions for the Apache Web server. As a trivia note, the company was founded by original Apache co-developer Randy Terbush.
Allan Liska is the author of the new security docs in the Apache documentation. He is also a network engineer for WorldCom's hosting division.
Inside the book
"Apache Administrator's Handbook" covers the topics every Apache administrator should know or at least be familiar with. The book is spread over 400 pages and divided into 5 parts: Installing and configuring your Apache server, Advanced Configuration Techniques, Dynamic content, Security and auditing, Modules and an Appendix. The Appendix covers the Apache software license and references such as configuration command line options, regular expressions, mod_perl example code, Apache history and information links. As the authors note, the book is not a comprehensive Apache manual, but tries to be a little more focused than that. It can be used as a companion to the Apache documentation, rather than a substitute for it.
If you have chosen to host your homepage or your company web site on the Apache web server, the first chapter starts by guiding you through the details you should take into consideration. How much access do you need, can you afford the necessary connectivity, is your connection reliable - these are just some of the questions you would think about. This is followed by a 70-page walk through Apache installation and configuration. This section covers source and binary installations, configuration directives, starting and stopping the httpd service, configuration utilities like Webmin and Comanche, plus the pros and cons of text-based configuration. The pretty useful .htaccess files and virtual hosts are also discussed in this part.
If you need to get the best out of your Apache, part 2 will be of much use, because it covers advanced configuration tips and tricks. If you are interested in URL mapping, content negotiation, making fancy directory listings or installing and running Apache on the Microsoft Windows platform, you will find your answers in this part of the book. For making your server even more productive, there is a small seven-page chapter on performance tuning. It focuses on the things you should check to better optimize your web server.
Most of the web sites on the Internet offer some kind of dynamic content. The third part of this book covers just that and talks about CGI Scripts, PHP, Server Side Includes and mod_perl. All of these sections give an overview, configuration and usage information on these topics.
Security is a vital part of the life cycle of any web server. According to the Incidents.org Internet Storm Center, right after port 137 (netbios-ns), the web server port 80 is the most attacked one. As one of the book's co-authors is the author of the new security docs in the Apache documentation, it was expected that security would have a fitting place in the "Apache Administrator's Handbook". Apache was always seen as one of the most secure web servers, which can even be seen from John Pescatore's "after Code Red" Gartner report where he notes: "Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers require some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers."
The Apache web server is secure, but there are a lot of things you should keep in mind. User permissions can expose your sensitive files to malicious users, FrontPage extensions were always called insecure, server side includes should be used cautiously, and faulty CGI and PHP scripts can be used to compromise your system. With all these possibilities for a security breach, you, as the Apache administrator, should have the appropriate level of Apache security knowledge and must always be informed about new security issues. The fifth part of this book covers security and auditing topics that include basic security settings, dynamic content security, authentication and authorization, excluding spider activities and cryptography through the Secure Sockets Layer (SSL).
The last part of the book covers the installation and functionality of Apache modules. This 25-page chapter describes some of the most used modules and basically refers users who want to know more about the modules to the Apache documentation.
There are a lot of online texts covering Apache administration and Apache security, but from my perspective a book lying on your shelf gives a better and more easily accessible reference. It is always better to have all the relevant information in one place, rather than browsing the net and trying to search through tons of white papers, articles and FAQs. Written by Apache experts, "Apache Administrator's Handbook" is a valuable book for Apache administrators and for people who want to go in-depth with knowledge about this powerful web server.