httpd-dev mailing list archives

From "William A. Rowe, Jr." <ad...@rowe-clan.net>
Subject Re: Apache 2.0 for multi protocol usage
Date Wed, 11 Apr 2001 13:45:22 GMT
Recognize please that 2.0 is holding for the completion of:

  * TLS(SSL) features and directives (right now it's _too_ vanilla)
  * Proxy, if it is conceivable that the module is back on track for GA with 2.0.

What is being proposed isn't 'new features', it's a simple reorganization so that
'stateful' protocols can handle different parts of a conversation with the client
intelligently, instead of hacking more cruft into the server.

I can't imagine that it will take more than two weeks to get the hashed-out
changes stable for Beta release.  [I say hashed out since we have more discussion
before we come to consensus.  Suppose the entire ordeal takes one month.]

I don't see FTP becoming a 'core module' any more than Proxy.  By keeping both 
Proxy and other protocols separate, we keep the base server more stable, and
simplify releasing security fixes for FTP and Proxy.

If there is a core security flaw, then the world grinds to a halt for a full
Apache core release.  Since the majority of security flaws are in the transport,
(such as escaping/unescaping URIs) I don't expect that to happen.

Heck, for that matter, HTTP could (in a later release) become a separate distrib,
with a master rollup of HTTP+FTP+Proxy.  Again, a single .so binary would address
any security hole without a full rollout, by replacing nothing more than the
single mod_http.so or mod_ftp.so.

To go on with _why_ we need to look at this _today_, on http grounds alone, this 
change is required if we plan to attack RFC2817, "Upgrading to TLS within HTTP/1.1"
anytime in the next two years.  HTTP/1.1 becomes 'stateful' - at least in the
context of the HTTP->SSL transition.

If we ignore that, RFC2817 waits for Apache 3.0 (no, never a 2.x release, since
we will have rearranged the core structures!!!)  My guess is the fall of 2003.

This means named secure vhosts and new http-based protocols such as RFC2565 
(internet printing protocol) can't and won't happen for 2+ years on Apache.  

I find _that_ unacceptable :-(

Bill


From: "Jeffrey A. Stuart" <jstuart-apache@neo.rr.com>
Sent: Wednesday, April 11, 2001 6:40 AM


> NO NO NO NO NO!  Please do NOT HOLD up Apache 2.0 for multi-protocol!!!  WE
> HAVE to have an apache 2.0 out SOON!!!!  I'm sorry, I feel very strongly about
> this... :)  While the idea of one server handling multiple protocols is an
> interesting one (IIS has been able to handle HTTP and FTP for a long time
> now), I'm not sure if this is really something that we want.  IE if there's a
> security bug in part of the core apache, boom suddenly not only our web server
> but our FTP server are compromised... that's bad IMNSHO.
> 
> -----Original Message-----
> From: harrie@lisanza.net [mailto:harrie@lisanza.net]On Behalf Of Harrie
> Hazewinkel
> Sent: Wednesday, April 11, 2001 5:09 AM
> To: new-httpd@apache.org
> Subject: Re: Apache 2.0 for multi protocol usage
> 
> Various people have indeed various opinions. More than a year ago
> Apache 2.0 already provided good capabilities for scaling. IMHO,
> they should have released that already as a separate version.
> Even if it did not have so much other functionality over 1.3, like
> filtering. It had enough good things and it would have shown
> progress to the world. I believe since it already took so long,
> people are willing to wait for the good and extra features
> (if I may call the multiprotocol proposal a good feature).


