Apache Conference Videos and Slides

The ASF (Apache Software Foundation) organizes and hosts talks every year.

I’ve gathered links to keynotes from this year’s conference and videos from 2009 and 2008.

Start with the videos if you are mostly interested in the Apache Web Server. It seems to be a very small part of the 2010 slides.

ApacheCon US 2009 Videos: Hadoop Track, Apache HTTPD Track, Lucene Track.
ApacheCon US 2008 Videos: Apache HTTPD System Administration, Security, Administration.

2010 ApacheCon Slides and the schedule of the talks.

IIS vs. Apache, Reported Vulnerabilities

And round and round we go again: history repeating itself one more time.

So what’s the newest Microsoft FUD [Fear, Uncertainty, and Doubt] tactic these days…

Apparent, its getting a bunch of bloggers and security experts to regurgitate a statement containing the abstract fact that Apache has 33 reported “vulnerabilities” to IIS’ 3.

How exactly those numbers directly translate into a Web Server’s security mark, is of course left out.

Lets look at this issue a bit closer:

Apache serves 2/3rd of the internet. It has thousands of developers and companies around the world working with the codebase: constantly securing, improving, developing, and moving Apache forward.

This is considered to be a *bad thing* by the Micosoft camp? Vulnerabilities should not be looked for, nor reported and fixed.

So I have just one question: how many vulnerabilities would be reported for IIS if the source code was open?

I think it might also be prudent to…

  1. Break down the numbers of vulnerabilities for Apache core and specific modules.
  2. Reflect on the seriousness of the reported vulnerabilities… Is this just theoretical, of insignificant nature, has an exploit been developed [how about 3 years after the fact]?
  3. The time period between a vulnerability being reported and fixed.
  4. How many of the reported vulnerabilities did you actually needed to respond to?

Take a look for yourself…
Securina.com: Apache 2.0 Vulnerabilities
Apache.org: Apache 2.0 Vulnerabilities and Fixes

Throwing out abstract statistics has no purpose other than spreading FUD.

Instead, why not report on the merits of IIS itself… Specifically, on the improvements and features of IIS 6 and 7.

“Apache Performance Tuning” Article

I’m ashamed to say that its actually been quite a long time since I have written a new article for DeveloperSide.NET… My time has been taken up with other work.

Time-to-time, I have been questioned on the specifics of increasing the performance of an Apache-based Web Server, specifically our Web-Developer Server Suite. Not that the Suite itself, or the end-users, *need* an extra boost; the term *want* describe this odd, yet very familiar, phenomena much better. And one of the things I have learned is that you have to give the people what they _want_, and not what they _need_…

Trying to correct this oversight, I have put up an article that’s ready to squeeze every last bit of performance out of a Server:
Apache Performance Tuning

As all our Articles, and Guides, are works-in-progress, expect for some changes and updates to occur [I even go back and update/rewrite old blog posts].

Choosing Apache or IIS? Use Both

Why settle on just one Paradigm when you can have the best of both worlds? Use each Model with what it does best…

  • One Linux Server for Apache and PHP.
  • One Windows Server for IIS and ASP.NET.
  • Have one common database backend with SQL Server, MySQL, PostgreSQL, or Oracle.

Place Linux/Apache up front and ProxyPass requests/URLs to IIS, or use some other proxy server to handle the redirects.

And if you would like, everything can go under one Windows system by using WAMP. Just make sure to disable socket pooling.

In a way, with this method, you can also secure IIS by using mod_security under Apache. Though the days of IIS 5 are over, and I have to admit that IIS 6 and 7 are okay to stand on their own.

Apache vs. IIS

Recently, a few choice diagrams from the past of the mapped system calls that Apache and IIS perform have been making another round on the internet. So I thought I would add my 2 cents worth on the matter…

Why Windows is less secure than Linux

“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”

Diagram of Apache’s internal system calls…
Apache System Calls

Diagram of IIS’s internal system calls…
IIS System Calls

I’ll let the images speak for them selfs, and comment on not the above, or the interpretation, but rather on the following…

“Apache cannot be compared to IIS. Apples and oranges!”

What… Why not? They have the same function, right?

“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”

You say that like it’s a good thing.

“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”

We only have the baseline of what happens on one static HTML page and one image request. Anything else is a guess.

“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”

Apache? Meant to say “Apache modules”, didn’t you? As far as I know, having someone actually looking at the source, working out the bugs, *is* a good thing. The matter of people being sued and/or having their carriers ruined by reporting vulnerabilities of proprietary products also plays into this, don’t you think so?

“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”

Maybe so.

Just to be fair, I will say this in defense of IIS…

Apache is written in C, while IIS is more of an OO C++ product — which can translate into more calls.

Taking another page from Apache’s playbook [good things get copied, right?]:

  • Microsoft has switched to a completely modular setup design with IIS7.
  • IIS 7 can now be configured from a text file (web.config).
  • IIS 7 can be administered from the command line with the Windows PowerShell administration environment.

“First they ignore you, then they laugh at you, then they fight you, then you win.” – Mahatma Gandhi.