Zeus 4.2r4 -> 19th November 2003 ================================ Zeus 4.2r4 is a minor revision of Zeus Web Server 4.2r3, containing a number of enhancements. You are recommended to upgrade if you use the client certificate authentication feature. Platform Alterations since 4.2r3 -------------------------------- * On Linux, we now statically link against the Berkeley DB library to avoid problems with Linux distributions which do not supply libdb.so.2. For information on the Berkeley DB License, refer to: $ZEUSHOME/web/bin/LICENSE.libdb Program Alterations and Bug Fixes since 4.2r3 --------------------------------------------- * SSL Improve client certificate handling to avoid Denial of Service attacks with large key pairs. Improve stability when parsing badly formed certificates. The version 0 protocol between Zeus Load Balancer and Zeus Web Server has been removed. If you are using the Zeus Load Balancer to balance SSL requests to the Zeus Web Server, you need to add the tuneable "tuning!ssl_zws_protocol 1" to the Zeus Load Balancer global.cfg file. * NSAPI: Improve re-initialization following an NSAPI application crash. * Gateway: Correctly pass the path info as part of the URL * Perl: Zeus Perl Extensions now provide improved memory management, and the default process restart limit has been set to 2000 requests. This increases stability of buggy third-party mod_perl applications. The previous behaviour (no process restart) can be configured by setting: tuning!modules!perl!external!restartmaxconnections 0 in the $ZEUSHOME/web/global.cfg file. * Rewrite: Fix conversion of the Apache [qsa] rewrite option. Zeus 4.2r3 -> 23rd July 2003 ============================ Zeus 4.2r3 is a minor revision of Zeus Web Server 4.2r2, containing a number of bug fixes and minor enhancements. The Zeus Admin Server has been extensively audited, and several potential cross-site- scripting vulnerabilies have been closed. You are recommended to upgrade when convenient to take advantage of the improvements. Platform Alterations since 4.2r2 -------------------------------- * Added support for the IBM ICA Cryptographic Accelerator on AIX 5 (32 and 64bit) and Linux PPC (32 bit). See http://support.zeus.com/doc/zws/v4/man/zeus.ssld.1.html Program Alterations and Bug Fixes since 4.2r2 --------------------------------------------- * The Zeus Administration Server (web interface) has been audited, and a number of potential cross-site-scripting vulnerabilites have been resolved. * A virtual server will now refuse to start if the Access, NSAPI, ISAPI or Perl modules report a failure when they initialize. Previously, the virtual server would disable the modules and continue to start up. * NSAPI The NSAPI function 'load-modules' searches locations in the LD_LIBRARY_PATH for modules when a relative path is used. It aborts startup if a module cannot be found or is invalid. Module functions can abort startup by returning REQ_ABORTED at Init. An NSAPI function can now modify the query string, path info and path translated. util_uri_escape() and util_url_escape() now allocate temporary memory when the caller does not provide any. Added support for nsapi cs (counting semaphore) functions. Solaris 8 versions now work with WebSphere (missing dependency). * SSL: Fixed a potential crash when using client certificates. * Tomcat/JServ support: Fixed a potential bug which would cause Tomcat to prematurely close a connection when receiving a large POST request. * Throttle module: Reduced CPU usage of throttle module when throttling very large numbers of virtual servers. * htaccess: The arguments to the 'Require' directive are no longer case-sensitive. Zeus 4.2r2 -> 4th March 2003 ============================ Zeus 4.2r2 is a minor revision of Zeus Web Server 4.2r1, containing a fix to a problem that affected certain installations of the Zeus Administration Server. Bug Fixes since 4.2r1 --------------------- * A bug in the Administration Server meant that it would not start up unless it could access a valid web server licence key. This would affect users who installed the Administration Server in 'standalone' mode, or who had an expired (evaluation) licence. Zeus 4.2r1 -> 25th February 2003 ================================ Zeus 4.2r1 is a minor revision of Zeus Web Server 4.2, containing a number of performance and functionality improvements, and several bug fixes. There is no need to upgrade unless you wish to take advantage of these changes. Platform Alterations since 4.2 ------------------------------ * Added AIX5 64 bit version Program Alterations since 4.2 ----------------------------- * SSL Improvements SSL performance has been improved on all platforms. TLS v1.0 support has been added. TLS v1.0 is enabled by default; however clients that support SSLv3 will continue to use SSLv3 as it is faster. To disable TLSv1.0 support, add the tuneable 'tuning!support_tls1 no' to your $ZEUSHOME/web/global.cfg file. The SSL diskcache on multi-cpu machines has been replaced by a much faster implementation using shared memory. The on-disk diskcache can be re-enabled by adding the tuneable 'tuning!ssl_diskcache_mmap no' to your $ZEUSHOME/web/global.cfg file. httpclient supports SSLv2, SSLv3 and TLSv1.0. Use 'httpclient --help' for more information. * htaccess Improvements Added support for the Apache mod_expires htaccess directives 'ExpiresActive', 'ExpiresByType' and 'ExpiresDefault'. This allows fine control over the 'Expires' HTTP header. For more information, see the Apache module documentation. * New ZWS4Conf Perl Module A ZWS4Conf perl module lets administrators manage virtual server configuration files using a Perl API. For more information, refer to the ZWS4Conf.pm man page, using 'man ZWS4Conf'. * Unattended Installation support The installation script (zinstall) can now save the answers to the installation questions to a replay file; the replay file can then be used on a different install to automate the installation process. For more details, see the support site FAQ at the following URL: http://support.zeus.com/faq/zws/v4/entries/unattendedinstall.html * Request Rewriting Request Rewrite scripts can now set and perform matches on the 'remote_host', 'remote_addr', 'request_method' and 'remote_user' variables. * The version numbers reported by the Apache::Request and Apache::Cookie perl module have been updated. Bug Fixes since 4.2 ------------------- * Fixed a compatibility problem with WebLogic 6.1sp4 and later in the 'netbuf_getbytes' NSAPI function. * Fixed some HTML escaping issues with the Content Negotiation feature. * Fixed a potential NSAPI runner crash while using nsapisnoop. * Changes to the query string in the Perl API are now honoured. * Fixed a potential protocol error when performing large posts with the AJPv13 protocol. Zeus 4.2 -> 21st November 2002 ============================== Platform Alterations since 4.1 ------------------------------ * Added Linux IA64 version * Added AMD Opteron version * Removed Linux glibc2.0 Intel version * Removed FreeBSD 3 version * Removed BSDi version * Removed OpenBSD version Major Alterations since 4.1 --------------------------- * Zeus Perl Extensions Zeus Web Server 4.2 includes Perl API support which provides compatibility with Apache mod_perl: * Zeus Perl Extensions allow third-party mod_perl applications to run unmodified in the Zeus Web Server, and provide a means to create flexible Web Server extensions in Perl. * The Zeus::ModPerl::Registry module can be used to cache and accelerate Perl CGI scripts. * Perl handlers can be embedded in SSI-generated pages using the '#perl' command. See Chapter 15 ("Using Zeus Perl Extensions") of the User Guide, and the technical documentation installed in $ZEUSHOME/zperl/docs for further information. Perl Extensions are not currently supported on AMD Opteron or MacOSX. * HTAccess improvements Zeus Web Server now supports the 'AddHandler', 'SetHandler' and 'RemoveHandler' directives in .htaccess files. 'SetHandler perl-script' is commonly used to cause files to be handled by the Perl Runner. The DirectoryIndex directive is now supported. , , and sections are supported in addition to the existing syntax. The 'Include' directive can be used in the global.htaccess file. * ISAPI In-process ISAPI filters can use the SF_REQ_DISABLE_NOTIFICATIONS server support function, allowing filters to register for notifications and then selectively disable themselves for improved performance. Lookups using GetServerVariable() are now 50% faster. * NSAPI 64-bit versions of the 'nsapisnoop' debugging tool can now trace 32-bit versions of the NSAPI runner. The NSAPI runner has been substantially reworked to provide even more improved performance. * CGI Scripts as handlers When running as a handler, a CGI script can run as the uid and gid of the requested file, rather than the uid and gid of the handler binary. * Request Rewriting Request Rewrite scripts can now test for the presence of files or directories on the filesystem, and query the physical filename or MIME type corresponding to a given URL using the 'map' and 'look' commands. The 'execute' command can be used to call a rewrite script contained in an external file. Converting to Zeus from Apache mod_rewrite rules via the UI has been improved. See Section 8.7 ("Configuring Request Rewrite Scripts") of the User Guide for more information. * Logging Additional directives are recognised in the custom log format string, to log more details about requests. See Section 9.2 ("Configuring Request Logging") of the User Guide for more information. If the web server process is started as the root user, log files are now written as the owner (uid/gid) of the parent directory containing the log file, as a security precaution. If the file cannot be written to, then an error is logged to the global error log file. For the old behaviour, where files are written as root, set the global.cfg tunable "tuning!logmanager_open_as_root yes". * Real Time Monitoring "Grouped Reports" have been added for easy access to Real Time reports on related server functionality. You can now choose to display the values monitored as a line graph or pie chart. Extra counters have been added for SSL and ISAPI, and http.bytes has been renamed to http.bytes_out and a new http.bytes_in counter has been added. Real-time counters can be disabled using the global.cfg tunable 'tuning!counters_enabled no'. The default behaviour is for the counters to be always enabled. * Bandwidth Throttling It is now possible to throttle bandwidth to each user that has been authenticated, or to each IP address. Bandwidth accounting information is shared across multiple servers in a cluster. This functionality is not enabled by default, but can be enabled with a license key change. Contact for more information. * Gateway Cookies sent through the Gateway functionality can now have their domain portion rewritten on the fly. * Performance Enhancements The kqueue()/kevent() model is now supported on FreeBSD. To enable this, set "tuning!use_kevent yes" in $ZEUSHOME/web/global.cfg. New tuneable tuning!max_connections specifies the maximum number of connections the web server will process concurrently. Further connections are not accepted until existing connections complete. This can be used to control the amount of work the Zeus Web Server accepts in order to avoid running out of file descriptors, and to limit the number of concurrent connections to slow downstream applications. If the web server fails to connect to an external application or runner process, it will wait for a short time and try again rather than immediately returning a "502 Bad Gateway" error. SSL performance has been improved on all platforms. * Clustering The deployment of web server configurations to large clusters of backends has been made significantly faster. * SSI Any output sent to the client via the 'echo' tag is now encoded suitable for inserting into HTML, this can be changed by using 'encoding="none"' or 'encoding="url"' in the echo tag before the var=".." attribute. Parsing of SSI attributes has been improved. It is now possible to embed '"' chars in the 'set' tag by prefixing the quote with a backslash e.g. * Third-party products Installation and configuration of PHP has been made simpler. Using the Zeus-supplied PHP binary (http://support.zeus.com/products/v4/php.html), PHP support can be enabled or disabled with a single setting in the UI. Behaviour Changes since 4.1 --------------------------- * The keysize accepted in SSL Client Certificates can be specified using two new tunables: security!maxkeysize and security!minkeysize. The maximum keysize allowed is now 2048 bits. * Multiple secure virtual servers can be run on the same IP address and port if they share the same SSL certificate (useful for wildcarded certs). * The diagnosis page or webctl --sync can be used to ensure that deleted virtual servers are removed from all back-end webservers. * fpinst.sh (FrontPage provisioning script) works with document roots that are symbolic links. * NSAPI on AIX now uses a different method for loading shared libraries. This improves compatibility with Websphere on this platform. * NSAPI applications can now modify the request URI; this is required for JRun support. * Fixed the NSAPI runner to correctly reload a virtual server's configuration if the process restarts. * ISAPI path buffer size has been increased from 256 to 1024 bytes. * Access log filenames now accept a %v substitution which is expanded into the virtual server name. * Added workaround for bug in Internet Explorer's handling of compressed content and handle HEAD requests correctly for dynamic content. Fix a problem where the gzip cache could occasionally get out of sync with the docroot, and continue serving old data. * Further improved the performance of the Admin Server when hosting very large numbers of virtual servers. * Added workaround to prevent Tomcat 3.3 hanging if no Content-Length header is supplied. * Added workarounds for Jetty to cope with body chunks being either null- or non-null-terminated, and handle Content-Type if it's sent in non-numerically-encoded form. * stdout and stderr now remain connected when running a FastCGI script, so data written to stderr gets back to the web server error log. * SNMP now works on clustered web servers without the admin package being installed. * New commands 'enablesnmp' and 'disablesnmp' toggle whether SNMP is enabled or not for an existing installation. * Fixed zinstall so it understands SuSE's init.d layout, and HP-UX's naming convention for boot scripts. * Admin server password is now no longer visible in 'ps' output when performing a new installation. * Virtual Server configuration file permissions are now preserved when upgrading. * Fixed a bug in the handling of large amounts of response data when using the AJPv13 Java servlet protocol. * Fixed the Gateway functionality to understand "100 Continue" responses. * The Web Server now accepts authentication requests from Windows Media Player. * Fixed issues with SNMP whereby the Web Server statistics could stop incrementing if they were not regularly monitored. Also, many counters have been altered to hold 64-bit values, to prevent wrap-around of counter values. * The Diagnosis page can optionally check that Microsoft FrontPage is deployed correctly on each server. This check is no longer done automatically by the Administration Server; this greatly improves the responsiveness of the user interface. * The Diagnosis page can optionally check that SSL Certificates are correctly deployed to each server. * The layout of ZEUSHOME/webadmin/conf/virtual_servers/sites-md5/ and /committedsites-md5/ has changed. When altering Virtual Server configuration files outside of the Admin Server, you should run "webadmin/bin/updatemd5 -a" afterwards to update the information in these directories. * Directory aliases ending in a slash will now cause requests without the trailing slash to generate a redirect, as happens for ordinary directories. For example, if there is an alias for '/mail/', a request for '/mail' will produce a response redirecting the browser to '/mail/'. * Connections are no longer accepted while the web server is starting. This avoids connections being served by the incorrect server. This behaviour can be turned off by setting 'tuning!delay_accept_on_start' to No. * The splash screen has been fixed to use the default colourmap. * A new tunable sets the maximum length of filenames in a directory listing (tuning!dirlist!filename_length, default 30 chars) * A new tunable sets the SSL buffer size (tuning!ssl_cbuff_size) * SSI variables DOCUMENT_URI and DOCUMENT_NAME now correctly refer to the page originally requested. * Improved chunked transfer support with WebLogic. * Added logging to syslog via a new tunable (tuning!syslog!enabled) * Added -vv option to zeus.web to output compiler and other details * On installing the SNMP package, the installer will now ask for a community string, to protect SNMP data from being read by unauthorized users. The community string can be modified in existing SNMP packages by adding the following configuration lines to $ZEUSHOME/snmp/etc/snmpd.conf and restarting the software. Replace the 'communitystring' with your chosen text. rocommunity communitystring rwcommunity communitystring * A command line program to convert Apache mod_rewrite rules into a Zeus Request Rewrite script has been added (web/bin/convert_rewrite and webadmin/bin/convert_rewrite). The converter (both UI and command line) can now convert more mod_rewrite rules. * The Traffic History graphs now have the option of displaying data on the last 30 days of traffic history. Correspondingly, the default number of days that Zeus will keep traffic statistics for has also been raised from 7 to 30 days. (tuning!modules!stats!days_to_archive) Zeus 4.1 -> 28th February 2002 ============================== Platform Alterations since 4.0 ------------------------------ * Added OpenBSD 2.9 version * Added AIX5 (FRCA support) version * Added support for AEP's SSL accelerator (www.aep.ie) Major Alterations since 4.0 --------------------------- * Service Protection Policy The Service Protection Policy provides a range of ways to deploy site-wide measures to protect your webservers, web applications and back end infrastructure from a range of denial of service attacks. - Connection counting and limiting protects attempts to overload the webserver or web application with excessive HTTP requests; - Request filtering protects against known HTTP-based attacks; - Request checking protects against malformed HTTP requests. * SNMP support SNMP support exposes the real-time monitoring variables to SNMP clients, allowing remote monitoring of your webservers by SNMP. The Zeus SNMP support is based on net-snmp 4.2.3, which is not vulnerable to the recent CERT Advisory CA-2002-03. * Content Compression Zeus Web Server 4.1 will automatically compress the information it returns to a web browser if the web browser is capable of understanding this. Compressed content is retained by the web server where possible, to reduce the overhead of performing the compression. The feature allows for faster downloads and less bandwidth usage. * Extended Client Certificate support The user interface to manage client certificate policies has been extended, and fully integrated support for Certificate Revokation Lists has been added. * Easier Product Licensing The Zeus Administration Server can acquire, install and manage the license keys on each of the managed web servers. To aid automated deployment, the Zeus Web Server can be installed and started without a license key, but it cannot start any websites until it is correctly licensed. * New 'external runner' architecture A new architecture for the external application runners greatly improves the performance and robustness of NSAPI and out-of-process ISAPI applications hosted by the Zeus Web Server. * User Authentication The Zeus Web Server can perform user and group authentication by means of an operating system lookup. This method is an alternative to using either the internal database, or an external LDAP server. * WebDAV support FastCGI aliases now support WebDAV methods, allowing easier configuration of DAV-aware FastCGI applications like Zope. * Request Rewriting Request Rewrite scripts can now return HTTP responses, by assigning to the rewrite variables 'RESPONSE' and 'BODY'. Request Rewriting can optionally modify the original URL, as well as any application variables derived from it. This is required to support some third party applications. * SSI improvements SSI flow control commands are now supported - "#if', '#else', '#elif' and '#endif'. The expressions used are compatible with Apache's SSI flow control support, and if tuning!ssi!apachebugcompat is set to Yes, then even Apache's bugs are reproduced. The SSI 'set' command has been updated so that nested variables are expanded correctly. * FastCGI Authorizer support The Zeus Web Server can cache responses from FastCGI authorizers to improve the response time of the web server. This reduces the load on FastCGI authorizers that perform complex authentication calculations, for example, querying an LDAP server or other database. The caching will speed up response times. * HTAccess improvements Zeus Web Server now supports the RedirectPermanent and RedirectTemp directives in .htaccess files. Numeric status codes can be used with the Redirect directive. Zeus Web Server supports the Satisfy directive to allow easier configuration of sophisticated access control rules using HTAccess. * User Tracking The cookie used in the user tracking feature can now be shared across multiple web sites by specifying a domain of validity. * Log module The new custom log format option '%w' is bytes written, not including HTTP headers. * Administration Server The performance of the administration server has been improved. It is now possible to bind the Zeus Administration server to specific ip addresses. Set "tuning!admin!bind_any no" in the admin/global.cfg file, and list the desired IP addresses in the bindaddr field of the admin/website file. * ISAPI Zeus Web Server now supports the ISAPI TerminateFilter() function. * Stability A range of improvements have been made to improve the stability of the Zeus Web Server against various invalid HTTP and HTTPS requests. Behaviour Changes since 4.0 --------------------------- * zeus.statd now runs as the webserver user, not as root. Files created in $ZEUSHOME/web/log/statd are owned by this user. * NSAPI applications are now run as the webserver user and group by default, not as root. The desired user and group can be configured using the Administration server. * The default configuration for new virtual servers has been changed so that Home Directory mappings ("~user") are disabled by default. * SSL keep alives have been enabled by default to greatly improve the performance of SSL web sites. * The 64bit HP-UX package now includes both the 32bit and 64bit NSAPI runners. zeus.nsapi is a symbolic link to zeus.nsapi32 by default, since most HP-UX NSAPI applications are 32bit shared objects. * Variable names in the request rewriter's SCRATCH: namespace are now case-insensitive. * The Admin Server configuration file ($ZEUSHOME/admin/website) is no longer world-readable. * The Real-Time Monitoring counters (zwsstat) for HTTP responses have been moved from error_handling.http_errors.* to http.response.status.*. * The ability to configure a CGI chroot jail that does not contain the CGI script using htaccess has been removed. This behaviour can be reinstated by adding the tunable "tuning!modules!cgi!strict_jail no" to your webserver global.cfg file. * The Gateway module now interacts with the Rewrite module. This means that if both are enabled, then rewriting takes place before forwarding the request. This allows mapping content to a different URL space on the origin server. * Fixed bug where wrong client IP address may be logged when using the Zeus Load Balancer with an SSL web site. * The Zeus Web Server core now correctly handles all daylight saving (time) changes Advance notice of obsoleted platforms ------------------------------------- Zeus Web Server version 4.1 will be the last Zeus Web Server release that supports the following platforms: - Linux glibc2.0 Intel - FreeBSD 3 - BSDi Zeus 4.0 -> 23rd October 2001 ============================= Zeus 4.0 is a major release of Zeus Web Server with major new functionality and new User Interface that provides enhanced ease-of-use and internationalization capabilities. Zeus 4.0 is supplied with a new User Manual providing comprehensive documentation on how to use the web server. Major Alterations since 3.4 --------------------------- The following main systems have changed with Zeus 4.0 and may require some reintegration effort. For more information please contact support@zeus.com * The license key format has changed - license keys are now files. License keys for Zeus 3.X will not work with Zeus 4.X. * The communication protocol used between the Admin Server and the web server has been replaced by a more scalable and secure protocol. The new Admin Server does not support 3.X web servers. This means that it is not possible to run Zeus 4.0 on part of a cluster - the whole cluster must be upgraded. * Admin Server URLs have changed - bookmarks will need to be updated and programs written to GET or POST to the Admin Server will need to be rewritten. * The Admin Server stores Virtual Server configuration files in a different directory structure. Programs that manipulate these files directly will need to be altered, and should use the new Perl modules. A separate commit stage has been added between editing and synchronizing the configurations with the back-ends Behavior Changes since 3.4 --------------------------- * modules!map!homedir!dir - If the key is present in the Virtual Server configuration file with no value then Zeus 4.X will interpret that as a null prefix. In this situation, Zeus 3.X would have reverted to the default value of /public_html. If the key is not present, Zeus 4.X will default to /public_html. * dnslookup - Is now respected on a per-Virtual Server basis. Previously, switching on dnslookup would automatically turn it on for all Virtual Servers bound to the same IP address and port. * The meaning of CERT_KEYSIZE and CERT_SECRET_KEYSIZE has been changed for ISAPI. See Certificate Variables (under Content Generation, below) for more information. Platform Alterations since 3.4 ------------------------------ * Added Solaris8/Sparc NCA version * Added HPUX/IA64 version Program Alterations since 3.4 ----------------------------- * Documentation - Zeus 4.0 is supplied with a User Guide in PDF format. Context sensitive help links in the Admin Server jump to appropriate page - note: this feature requires Adobe Acrobat Reader 4.0 onwards. References to 'Sections' in these release notes refer to portions of this document. - Getting Started Guide has been updated to incorporate new user interface and new functionality. - man pages for HttpExtensionProc(3), ServerSupportFunction(3), isapi(7) have been amended. * Content Negotiation Content negotiation makes multi-language websites easier for the user to navigate. The user only needs to specify their preferred language once (within their browser), and content negotiation makes sure that they receive pages in their preferred language, whenever they exist. Content negotiation is normally used on multi-language websites, but can also be used whenever web content is available in more than one format, such as different character set encodings. To configure Content Negotiation, click "Content Negotiation" on the Virtual Server configuration pages. For more information see Section 7.3: Configuring Content Negotiation Features include: - Understands browser-supplied q values - Default content provides fallback content if no clear match - Returns 406 response code if it is not possible to match browser request - error page contains links to possible matches for user selection of most appropriate content * Request Rewriting The request rewriting functionality can be used to change a requested URL into any other URL by running a script of rewrite commands to pre-process every request. It is typically used to prevent "broken links" when a URL on a website becomes obsolete or to store session information in URLs To configure Request Rewriting, click "Request Rewriting" on the Virtual Server configuration pages. For more information see Section 8.7: Configuring Request Rewrite Scripts. Features: - User Interface contains tool for verifying syntax - Tool provided for converting Apache mod_rewrite scripts into Zeus format * Real-Time Monitoring Real-time monitoring enables monitoring the activity of any of the machines in a cluster. This can be helpful on both development and production systems in the following ways: - It can be used to determine the effect of using different setups when performing load tests or scalability tests on development systems. - It can be used to analyze why a production website is running sluggishly by looking at the system load and determining where the bottleneck on the machine’s performance is occurring. To view Real-Time statistics, click "Real-Time Monitoring" on the Web Controller menu page. For more information see Section 4.10: Real Time Monitoring. Features: - Real-Time monitoring displays live graphs illustrating values of specified key server counters and statistics. - zwsstat (in $ZEUSHOME/webadmin/bin) provides command line access to the same data. * License keys The license key has been extended and is now stored in a file. 3.X license keys will not work with 4.X. * User Interface The Admin Server user interface has been rewritten and reorganized for improved ease-of-use. The main features are as follows: - Groups - Virtual Servers can now be organized in groups (which can be nested). - Multiple Virtual Server selection - it is now possible to select multiple servers at a time and apply a set of changes uniformly across the set. The user interface makes it easy to apply a value consistently across all the selected Virtual Servers. - Internationalization - the Admin Server is now fully internationalized. Zeus 4.0 is supplied with en-us and en-gb language packs. Additional packs will be released as they become available. - The use of a more consistent page layout minimizes learning time. - Similar configuration screens are grouped together in a menu that allows rapid access to main screens. - User interface validation checking and error reporting has been improved. - The auto-fix feature enables you to resolve common Virtual Server deployment problems easily. - Configuration for path mappings and handlers has been simplified. - New %machine% variable can be used in the Bind Address field; this should remove most need for back-end configuration rewrite scripts. - When sites are synchronised, certificates are distributed to back-end machines. - The order in which access rules are display has been reversed. They are now ordered in the way that web server processes them. - Configuration of FastCGI responders has been simplified into a two step process (add Remote Responder, add Handler). * Security The following items enhance the ability of the Zeus Web Server to prevent attacks on websites: - Request headers parsed as received and connection aborted if malformed headers are detected. - Non-SSL connections to SSL sockets are dropped immediately (previous action resulted in client timeout). - SSL logging option provides verbose output on SSL transactions security!log_ssl. * Performance Enhancements - /dev/poll support added for Linux (requires /dev/poll patches) and Solaris 8 onwards. /dev/poll improves performance when a web server is working with a large number of long-lived connections. - FastCGI and Gateway can now use keep-alives connections. Keep-alive connections allow the web server to reuse a connection to the application or web server thereby avoiding the penalty of TCP/IP connection setup. * Publishing Updated the bundled 'fpinst.sh' script. - fpinst.sh can now manage FrontPage 5.0 (FrontPage 2002) server extensions. - --fix-password command line flag has been removed as it no longer necessary. * Content Generation ISAPI - The out-of-process ISAPI mode can now support the ISAPI return code 'HSE_STATUS_PENDING'. - ISAPI - client headers may be added using ServerSupportFunction. - The in-process ISAPI mode can now support the HSE_REQ_MAP_URL_TO_PATH Server Support Function. FastCGI - FastCGI errors reformatted - now prefixed with file name. - fcgirunner now takes extra (optional) arguments to specify user and group, bind address and file to store pid. - the working directory for a FastCGI application is now the directory that the application is in. Certificate Variables - The meaning of CERT_KEYSIZE and CERT_SECRET_KEYSIZE has been changed for ISAPI. Two new variables HTTPS_KEYSIZE and HTTPS_SECRETKEYSIZE have been added for CGI, FastCGI and ISAPI. CERT_KEYSIZE = CERT_SECRET_KEYSIZE = number of bits in the servers private key HTTPS_KEYSIZE = the size of the session key e.g 128 HTTPS_SECRETKEYSIZE = the effective size of the session key e.g. 40 Gateway - Now supports HTTP/1.0 keep-alive connections to back-end server. Keep-alive connections allow the web server to reuse a connection to the application or web server thereby avoiding the penalty of TCP/IP connection setup. - When comparing the request against the gateway rules, the web server will now select the rule with the longest match. CGI Runner - Added tunable to allow multiple zeus.cgi CGI runner processes. By default, the Zeus Web Server runs a single zeus.cgi process to manage CGI applications. A multiprocessor machine running a large number of CGI scripts may benefit from multiple CGI runners; the number can be configured using the $ZEUSHOME/web/global.cfg tunable 'tuning!num_cgid'. - SERVER_NAME environment variable now correctly reports the host header of Subservers rather than the DNS name of the Virtual Server Jserv - Zeus 4.0 supports ajpv13. ajpv13 brings a number of improvements over ajpv12 as follows: - use of keep-alive connections which will improve performance - certificate information is now passed to the servlet engine. - Jserv is no longer supported via the ZDAC (Distributed) interface but should be run using the Java servlet functionality instead. * Spelling - Spelling correction is now disabled in the skeleton Virtual Server. * Access - Realms can now be configured on the "Restricting Access" configuration page. When specifying an access rule, it is now also possible to configure the realm for each rule. The realm is the text displayed in a browser's authentication dialog box. * Installation zinstall has been rewritten in Perl - Clustered installation has been changed so that back-end web servers register themselves with the Admin Server, and so no longer need a cluster password or commkey. - zinstall has new command line parameters, run zinstall --help for more information. * Command Line Tools - httpclient '-header' option adds headers to request - zwsstat added (see Real-Time Monitoring) - --commit action added to webctl - should be used to commit configuration file edits ready for synchronization (--sync) - start-zeus, stop-zeus, restart-zeus now return 0 on success, 1 on failure - fpinst.sh - can now be run on back-ends as well as the Admin Server * Miscellaneous Case-sensitivity - tunable added to disable case-sensitivity for access rules and mappings ( required for MacOSX) HTTP Methods - Handlers can now be defined for new HTTP methods Large post requests - If the body of a request exceeds tuning!limit_requestbody then the web server will return a 413 Request Entity Too Large error (previously it returned 400 Bad Request). Bi-directional content streaming - Web server kernel has been optimized for symmetrical content streaming - web server streams requests as they arrive to applications, improving throughput and reducing web server footprint. Directory requests - Index module now only attempts to serve up regular files; e.g. if you have a directory named 'index.html', that will be ignored. htaccess - authorization groups files can now be comma-separated as well as space-separated. * Bugs fixed: - sendfile on Solaris now correctly handles all byte-ranges - zinstall copes better with non-standard tar on MacOSX 10 - Dynamic Virtual Server improvements, including better subserver-like behavior - Home directory mapping can now handle single-character username maps - Fixed fatal error on Solaris when OS configuration specified an LDAP source for some name service lookups (nsswitch.conf) - Two minor corrections have been made to the on-line documentation in the toptail and the usertrack modules. - A resource leak in the second-level SSL cache has been fixed. - A problem with file permission execute bits and a problem with absolute filenames relating to the SSI "exec cmd=" tag have been fixed. - The zinstall installation script is now fully aware of Zeus Mass Hosting Edition. - Alteration of chroot settings via the Chroot and ChrootDir HTAccess directives have been disallowed from local .htaccess files. They can now only be used in the global HTAccess file. - Improved support for systems with no DNS configured. - Improved reporting of invalid license keys. Tunable Alterations since 3.4 ----------------------------- The following tunables have been added in Zeus 4.0 - modules!map!methodtype - used to enable support for new (DAV) methods - modules!negotiate!* - see Content Negotiation - modules!rewrite!* - see Request Rewriting - security!log_ssl - enable verbose logging of SSL connections - tuning!case_sensitive - enabled by default on all platforms except MacOSX. When disabled, access rules and URL mappings become case insensitive (this is required because of MacOSX case insensitive filing system) - tuning!configfile_perms - each web server writes a local copy of the website configuration files to $ZEUSHOME/web/runningsites. The default behavior has changed. These configuration files are now only readable by their owner (i.e., they have file permissions 600). The $ZEUSHOME/web/global.cfg tunable 'tuning!configfile_perms' can be used to specify alternative permissions. Example: tuning!configfile_perms 444 - tuning!accelerator!nca!enabled - replaces tuning!use_nca The following tunables have been removed in Zeus 4.0 - modules!distributed!servlet!*, modules!distributed!timeout - ZDAC Jserv support is deprecated - tuning!use_nca - replaced with tuning!accelerator!nca!enabled Zeus 3.4 -> 22nd May 2001 ========================== Zeus 3.4 is a major upgrade release from Zeus 3.3.8. It includes two new modules, extensive improvements to the CGI, Subserver and content handler support, and several platform updates. Documentation is provided for the command-line scripts, and SSL performance has been improved. Platform alterations -------------------- * FreeBSD4 version now requires FreeBSD4.2 or above * OpenBSD version now requires OpenBSD2.8 or above * AIX version now requires AIX 4.3 or above * MacOSX version now requires MacOSX 10.0.0 or above * Added BSDi version * Added Linux PPC (PowerPC) version Program alterations since 3.3.8: -------------------------------- * New Modules Two new modules are present in Zeus 3.4. The configuration pages for these modules can be found on the modules list of the Zeus Administration Server. - The 'Gateway' module provides (non-caching) proxying of HTTP requests. It can be used to forward certain sets of requests (defined by a URL or regular expression match) to another HTTP server. This allows a Zeus webserver to obtain content transparently from another webserver when, for example, migrating content between servers. - The 'Toptail' module can be used to add a header and a footer to documents in your website. The module is configured using htaccess files, so different headers and footers can be easily specified for different parts of your website. This module allows the administrator to enforce a common header or footer on parts of the website. * CGI changes The CGI handling has been updated as follows: - The administrator can limit the number of concurrent CGI scripts that can be executed at the same time. This limit can be applied per machine, per Virtual Server or per Subserver. The limit is configured by the settings for "Concurrent CGI script Execution". These settings can be found in the CGI module page. The limit ensures that no single website can overwhelm the webserver machine by running a large number of CGI scripts concurrently. - CGI programs can now return an HTTP status code to the Zeus Web Server via the "X-Generate-Error:" header. If a CGI script provides an "X-Generate-Error:" header, the web server then returns the standard error page for the status code to the user instead of the content generated by the CGI script. For example, if a CGI script returns the header "X-Generate-Error: 404", the webserver returns the normal '404 Not Found' error page. If a custom error page is defined, this is used. - If a CGI script returns no data, Zeus returns a "500 Server Error" error page. Previously, Zeus returned no content, and the user received a 'Document contains no data' dialog box. - The htaccess configuration for CGI sandboxing has been extended. The following sandbox parameters can be specified in a global.htaccess file: * RLimitCPU (Max CPU time (seconds)) * RLimitMEM (Max memory (bytes)) * RLimitNPROC (Max child processes) * RLimitDATA (Max data size (bytes)) * RLimitTIME (Max wall clock time (seconds)) * CGIPriority (CGI process priority) * CGIUID (CGI user id) * CGIGID (CGI group id) These sandbox parameters can also be specified for an individual Virtual Server in the 'CGI Sandboxing' section of the CGI configuration page. * Subserver changes The Subserver support has been updated as follows: - Subservers can now support wildcarded directories. For example, the wildcard directory '*.reseller.com' provides a document root for any hostname ending '.reseller.com' which does not have its own docroot. This feature is enabled by enabling the 'Host header prefix wildcarding' setting in the Subserver module. It can be used to create 'default' web sites for certain domains. - The CGI error logs for a individual subserver sites can be written into the document root of the subserver site. This allows the error logs to be distributed to each subserver, rather than being placed in one shared file. To enable and configure this feature, turn on 'site specific error logging' in the 'CGI Error Logging' section of the CGI configuration. - The location of the shared library used by the 'custom' subserver map can be changed. * Content Mapping changes The Content handler support has been updated as follows: - The web server can now optionally check that a file or script exists before invoking a content handler. If the file does not exist, the web server returns a standard 404 error. This is useful when content handlers (such as PHP) do not gracefully handle this error. The feature is enabled by setting the '404 - Zeus takes over' setting in the 'Handlers' section of the map module. - Custom content handlers can be configured for new or existing SSI (server side include) tags. This allows the administrator to provide custom SSI tags, or to override the behaviour of existing tags. Custom handlers are defined in the 'SSI handlers' section of the map module. The home directory mapping has been extended as follows: - Prefixes for home directory URLs are now configurable. It is now possible to use prefixes other than '~' to indicate that the document root for a URI request should be calculated from a home directory lookup. For example, Zeus can now be configured to map the request http://hosting.com/users/fred/ onto the home directory for the user 'fred'. The custom prefix is configured by the 'Home Directory Prefix' setting in the map module. * Documentation additions - Manual pages have been added for: cert(8) webctl(8) httpclient(1) htpasswd(1) fcgirunner(1) isapisnoop(1) sites(5) runningsites(5) apache2zeus(8) netscape2zeus(8) Append the output of $ZEUSHOME/product/bin/manpath to your $MANPATH to use these man pages. * Security improvements Several modifications have been made to improve the security of the web server: - The zeus.web process no longer inherits adminserver environment variables on startup. - Removed the use of /tmp directory for temporary files, to avoid potential race exploits. * GUI changes The web based GUI has been improved as follows: - Access rules: These can now be edited more easily; access rules can be disabled without deleting them; access rules can specify a list of HTTP methods to act against. - Integrated VeriSign digital certificate purchasing; it is now possible to purchase and install a VeriSign digital certificate directly from inside the GUI. This is available from the SSL Configuration page. * SSL changes SSL performance has been improved on many platforms, and additional information is exported through the APIs that Zeus supports. - SSL handshake performance improved by using a faster implementation of the RSA decrypt code. For example, handshake performance has been doubled on HPUX 64bit platforms. - Added the following variables to the CGI environment: * HTTPS * HTTPS_KEYSIZE * HTTPS_SECRETKEYSIZE * S_HTTPS_SESSIONID - Added the following variables to the NSAPI sn->client pblock: * "ssl-id" * "keysize" * "secret-keysize" * "cipher" - Added the following variables to the ISAPI environment: * HTTPS_KEYSIZE * HTTPS_SECRETKEYSIZE Please read the documentation for each API for further information. - Improved the scalability of second-level SSL session id caching for SMP machines. - The 'cert' program can now specify the number of days that a certificate is valid for. * Miscellaneous changes - Added new 'apache2zeus' conversion script to assist in the migration of apache configuration files to Zeus. See the "Apache Migration" chapter in the "Advanced Configuration" section of the documentation for more details. - The addserver.sh script which creates a new Virtual Server can now be used to clone an existing Virtual Server configuration file, using the '--clone' flag. - New $ZEUSHOME/restart-zeus script added. This script stops and starts the Zeus Web Server and Administration Server. - zeus.web returns the pc (program counter) in the event of a crash. - Support on Solaris for Sun's NCA (Network Cache Accelerator). Solaris 8 Update 5 required. - Removed old 'regcmd' and 'monitor' binaries. 'regcmd' is obselete, and 'httpclient' performs similarly to 'monitor'. Zeus 3.3.8 -> 18th January 2001 =============================== Note that the UK office of Zeus Technology has now moved. Our new address: Zeus Technology Limited. Zeus House Cowley Road Cambridge England CB4 0ZT Telephone details remain the same: Telephone: +44 1223 525000 Fax: +44 1223 525100 Platform alterations -------------------- * Added Linux IA-64 build * Added Linux PPC build * Added HP-UX 11 64bit build * Removed HP-UX 10.20 build Program alterations since 3.3.7: -------------------------------- * Multi-lingual Domain Name support: - support for Verisign and participating registrars multi-lingual domain name testbed via RACE encoded Virtual Server names. (See http://www.verisign-grs.com/multilingual/multilingual.html for more details) * CGI: - New runner program increases CGI execution performance. This uses a new 'zeus.cgi' process which is automatically started when CGI usage is enabled in the configuration of a Virtual Server. The runner is a big win on systems that heavily cache pages and have high traffic levels. - CGI sandboxing now reports the details of CGI processes after they exceed sandbox limits, which includes details of CPU and memory usage. - CGI sandboxing can now specify the maximum elapsed time a CGI program can run for. After this time it will be stopped, first with a SIGTERM, and then every second after that with a SIGKILL. - Chroot jails can now contain regular expressions. For instance, if you have a chrootdir which begins ~ then it is interpreted as a regex, starting at the start of the string. e.g. ~/home/[^/]+/ would match any home directory as a chrootdir. - Improved documentation on permissions with subservers. * Logging: - Logging of individual SSI subrequests can now be disabled. For web sites which are performing large numbers of SSI includes for each page request, this is a big win. SSI subrequest logging defaults to being switched on. - Bugfix: fixed infrequent, spurious zeus.statd crashes, and corrected sorting of sites with low levels of traffic. * FrontPage: - Multiple chroot'ed installations now supported. * ISAPI: - Connection handling and scalability improved. - Performance improvements. - Implementation specification upgraded to version 4.0, as implemented by IIS 4.0. Implementation is now much tighter to Microsoft's specification. - Extensive documentation added describing the API and Zeus API extensions, see Documentation section for details. - Improved reporting of failures to load inprocess ISAPI extensions. - Improved diagnostics when the ISAPI runner is under heavy load. - Now reports more error conditions which are useful when debugging ISAPI filters/extensions. - New tuneable for out-of-process ISAPI to set the pthread stack size in global.cfg: tuning!modules!isapi!external!stacksize - New tuneable for out-of-process ISAPI to have the ISAPI runner periodically restart itself; useful for buggy ISAPI extensions which leak memory. In global.cfg: tuning!modules!isapi!external!restartmaxconnections - Bugfix: Runner now reports errors in the correct timezone. - Bugfix: pFilterContext now works as advertised for in-process filters. * PHP: - Performance greatly improved, both in persistent ISAPI mode, and CGI mode. - Many improvements and bug fixes have been made running PHP in ISAPI mode. Zeus have submitted code to the PHP team to improve their ISAPI implementation. We recommend users upgrade to at least version 4.0.5. * NSAPI: - Connection handling and scalability improved. - Performance improvements. - More compatibility improvements against iPlanet's NSAPI implementation and third party products. - Bugfix: Runner now reports errors in the correct timezone. * FastCGI: - Bugfix: SCRIPT_NAME environment variable no longer contains PATH_INFO. * Admin Server User Interface: - Added certificate inspection page for installed X509 certificates. - UI will now offer to change port to 443 when enabling SSL. - Added ability to compare configurations of two Virtual Servers. - Added ability to rename a Virtual Server. - Added document root to configuration summary page. - Added 'Restart Virtual Server' buttons. - Added 'Commit Changes' button to Virtual Server differences report page. - Bugfix: fixed spurious failures with POSTs from Internet Explorer. - Miscellaneous UI improvements and bug fixes. * Installation: - Machine bootup scripts now support multiple Zeus product installations on a single machine. - For product upgrades, statd usage information is now also migrated, via hard links. - Additional checks made when installing that the platform details match the package being installed and that the appropriate minimum OS version is present. This can be overridden with --anyarch flag to zinstall. - Clustered installations now request 'cluster passwords' on installation rather than requiring commkeys to be copied around. - For existing commkey files, we no longer require that they are not newline-terminated. - Downgrading components to a previous version now requires the --force-downgrade option. --force continues to be used to force the reinstallation of an identical version. - Bugfix: installation control port now correctly written to config file. * Performance: - Improved byte-range support; now works on large non-cached files, which is especially useful when serving big PDF files to AcroRead. - Added sendfile() support, which increases the performance of serving static files on: * AIX * Linux (kernel support in v2.2.x or above is needed to enable) * FreeBSD - Added support for poll() under FreeBSD, improving performance for larger sites. - Added workaround for occasional Linux performance problem with writev()s. - Further SSL optimizations for Athlon CPUs. - Bugfix: SSL session id caching fixed. * Documentation: - Manual pages can now be found in $ZEUSHOME//man and under 'Advanced configuration' in the online HTML help in the Admin Server. $ZEUSHOME//bin/manpath will return a MANPATH containing all installed Zeus products in $ZEUSHOME. - Added manual pages for blf2clf, ZConf.pm, and the ISAPI interface. More man pages coming, we intend to provide man pages for every file and API provided by the web server. - Many improvements to online help documents. - Complete list of configuration tunables added to online help documents (Web Server -> Advanced configuration -> Configuration settings). * HTAccess Support - ErrorDocument directive pages now return the correct status for locally-returned (i.e. relative URLs beginning with /) pages rather than always 302. - %docroot% will now be expanded anywhere in an HTAccess directive to the document root of the Virtual Server. - Added ChRoot and ChRootDir directives to the global htaccess file which allow the specification of a chroot directory. - Errors in .htaccess files are no longer displayed as HTML to the user by default. Set tuning!modules!htaccess!display_errors to yes if the old behaviour is required. - Bugfix: changing the name of the .htaccess file now actually works. - Please note that .htaccess files are searched for from '/' down, not just %docroot% down. * Miscellaneous: - SSI tags no longer require the tag values to get enclosed in quotes (""). For example, is now valid. This makes migration from Netscape/iPlanet servers easier which allowed this form of construct. - PATH_INFO data encoded into URLs which are processed by map module handlers are now preserved upon passing to the handler. - Added ability to allow pages which have a missing referrer header to the referrer module configuration. - Added support for log files larger than 2GB for Solaris and HP-UX. - The Query support form in the Administration Server has been much enhanced. The new form makes it easier to send the Zeus support team the information they need to more quickly resolve support messages (NOTE: information sent is displayed in a preview before sending to Zeus). - Added -d option for blf2clf to disable DNS lookups whilst decoding logs. - Added $ZEUSHOME/admin/bin/reset_password script to reset the Admin Server password. - Added timeout option to admin/bin/httpclient. Use -timeout to specify a response timeout. Zeus 3.3.7 -> 6th August 2000 ============================ Platform alterations -------------------- * Added HPUX-11 64bit PA 2.0 build * Added OpenBSD port * IA-64 compatibility (emulator) Program alterations since 3.3.6: -------------------------------- * Added new referrer module. This denies access to chosen files based on a browser's Referer: header, and prevents other people linking to content directly on your site (otherwise known as 'bandwidth stealing'). * Added new usertrack module. It generates random cookie identifiers, for tracking user usage with log analyzers. * Added new one-page configuration summary report. * Added new modified difference from previous configuration report with revert changes option. * Added asynchronous support for hardware crypto accelerators (nCipher, Rainbow) * WAP support: Zeus now provides WAP support 'out-of-the-box', by adding the mimetypes required for WAP content types. * URL rewriting ISAPI examples documentation added. URL rewriting allows you to 'rewrite' incoming URLs 'on-the-fly', providing great power and flexibility for the advanced webmaster. For example, this allows the webmaster to delegate the entire '/' URL namespace to a Java servlet or FastCGI application. * More configurable logging; expandable tags in filename for expansion into hostname, pid, child (%h, %c, %p). This makes logging in webserver farms much easier. * Cached log files are now flushed on Virtual Server shutdown. This fixes problems with open files on Network Appliance servers preventing their unmounting after Virtual Server removal. * Binary logging format added. Binary logging stores the same information as standard CLF logging, but in a more efficient manner. Binary logs are generally 4x smaller than CLF logs, which will be of interest to webmasters running high-volume sites. * Logging buffer cache optimizations on HP-UX using OnlineJFS filesystems. * Improved CGI performance. 'NPH' CGIs (no-parsed headers), now take a fast-path through the webserver where possible, by sending CGI output directly to the client instead of streaming it back through the webserver. NPH CGIs are standard CGIs that return a complete HTTP response, including the initial 'HTTP/1.1 header'. CGIs with a filename beginning 'nph-' are considered NPH CGIs. For heavily hit CGIs, we recommend using 'nph-'. * ISAPI API performance extensions, HSE_REQ_TRANSMIT_FILEV and HSE_REQ_TIMEPTR added. * DNS lookups are now disabled by default for new sites. * Apache htaccess compatibility increased. * Advanced cache status documentation and display added. This information can be extremely useful in tuning the webserver for the highest performance in your environment. Adminserver display from 'web -> clustering -> machine -> advanced status', and commandline interface from $ZEUSHOME/webadmin/bin/cacheinfo'. * Improved warnings about misconfigured items (e.g. non-existent docroot) on program startup, and enhanced input validation from adminserver forms. * Virtual Servers can now have a comment associated with them describing their purpose. This comment is displayed on the 'traffic light page'. * LDAP passwords are stored encrypted in server configuration files. * Now recognize text/x-server-parsed-html; charset=XXX for Server Side Includes. * zinstall will offer to add Zeus to your machine bootup scripts. * new command line tools: $ZEUSHOME/web/bin/listsites lists all sites to stdout; $ZEUSHOME/webadmin/bin/cacheinfo displays advanced cache status information; $ZEUSHOME/webadmin/bin/zeuslint checks validity of config files. * Further NSAPI enhancements to support third-party applications that use undocumented interfaces to NES. * On Compaq Tru64 UNIX, the webserver can now be configured to run with support for upto 64K file descriptors, instead of the default of 4096. Add the line 'tuning!maxfds 65536' to $ZEUSHOME/web/global.cfg to raise the limit to its maximum. Smaller values can also be used; values over 4096 invoke the setsysinfo() call to raise the process's hard file limit to 64K. Zeus 3.3.6 -> 17th April 2000 ============================= Platform alterations -------------------- * Added MacOSX support * Added AIX support * FreeBSD packages built on newer OS. Previous packages: 'FreeBSD' -> built on FreeBSD 3.0 'FreeBSD-aout' -> build on FreeBSD 2.2.6 New packages: 'FreeBSD3' -> built on FreeBSD 3.4 'FreeBSD4' -> build on FreeBSD 4.0 * Linux/Alpha package now built on RedHat 6.2 instead of SuSE to provide 'out-of-the-box' compatibility with Alpha Processor Inc. machines. Program alterations since 3.3.5: -------------------------------- * JServ/1.1 support. Now support AJPv12 protocol. * Native PHP4 support. PHP4 is a high-performance persistent dynamic page-generation engine. See our support website (http://support.zeus.com) on PHP4 installation, and the PHP website (http://www.php.net) for information on PHP. * Enhanced FrontPage installation support. New fpinst.sh provides non-interactive mode, installation checking, upgrading, disabling, and helpful interactive setups. See --help for info or check the documentation system. * Integration & support for forthcoming Mass Hosting Edition. * SSL: Support for Global Server IDs (GSIDs) and Server Gated Cryptography (SGC). Also support for 56bit ciphers, and SHA1 certificate signing support. * Access control methods (htaccess and access module) can now provide IP subnets as well as ip-addresses, (e.g. '10.100.0.0/255.255.0.0' and 10.0.0.0/24 style restrictions). * Real-time cache analysis reports available from Administration Server (clustering -> machine -> advanced status) See SPEC white-paper for how to use this information to best effect. * Administration server user-interface improvements. * Enhanced LDAP connectivity. * FastCGI|NSAPI|ISAPI performance improvements. Zeus 3.3.5 -> 2nd Feb 2000 ========================== Platform alterations: --------------------- * Linux package renaming. Linux packages are now called 'Linux-glibc2.0' or Linux-glibc2.1' instead of 'Linux' and 'Linux-RedHat5'. * Added Linux/Alpha support. Program alterations since 3.3.4: -------------------------------- * 'Traffic light' controller page now sorts & filters case insensitively. * Log rotation performance improvements. * Added Cluster status Summary page which assists in the diagnosis of problems in the setup of a cluster of multiple webserver machines. * SSL: performance improvements. Initial SSL handshake is now completed using fewer network packets. * SSL: added support for certificate chaining. * CGI: Can now set global limits on the minimum uid/gid to run a cgi as, and define a default uid/gid if this limit is exceeded. These options are set in the global.cfg file, and are: tuning!modules!cgi!minuid Lowest UID to run a CGI as. Requests to run a CGI with a uid lower than this value are run as defaultuid. Default value = 0. tuning!modules!cgi!defaultuid See minuid. Defaultvalue = 65534. tuning!modules!cgi!mingid Lowest GID to run a CGI as. Requests to run a CGI with a gid lower than this value are run as defaultgid. Default value = 0. tuning!modules!cgi!defaultgid See mingid. Default value = 65534. * Htaccess: 'options indexes' now supported. 'options none' now also turns off directory listings being generated (to be compatible with Apache). 'options indexes' turns directory listing generation back on. See http://www.apache.org/docs/mod/core.html#options * Htaccess: option to not display htaccess errors on the client's webbrowser. Global tuneable 'tuning!modules!htaccess!display_errors' when 'no' will return '403 Access Denied' to client instead of rendering a descriptive error page to the client, instead will log the error to the error log. * Htaccess: Now process sections last, after all other sections have been processed. This change makes Zeus's htaccess support more compatible with Apache. * Access module: Access control rules can now specify a regular expression for the URL portion of the rule. * NSAPI: improved trace output with debugging tool 'nsapisnoop' * NSAPI: performance improvements - internal datastructures enlarged to provide better performance. * ISAPI: added support for HSE_REQ_ALLOC_MEM in the external runner. * ISAPI: TerminateFilter() and TerminateExtension() are now called on ISAPI dlls when the webserver is shutdown. * BUG FIX: NSAPI *_calloc() functions now guarantee allocated memory is initialised to zero. * BUG FIX: NSAPI alterations for WebQoS/VirtualVault. daemon_atrestart calls restart functions at _shutdown_ thread_self works on HP10.2 properly FuncStruct handling with func_find,replace as NES filebuf_create, http_scan_headers, conf_getServerString done (VV req.) * BUG FIX: FreeBSD3 build could raise a SIGFPE when using throttle module. * BUG FIX: SSI parsing of stream SSI tags from a dynamic content generator such as a Java Servlet could miss SSI tags that needed processing in rare circumstances. * BUG FIX: FastCGI: Receiving partial records from a FastCGI server could result in client connections being abnormally terminated. * BUG FIX: FastCGI: POST input larger than 64Kb was not sent to the FastCGI application correctly. * BUG FIX: Search module could fail on certain ill-formed HTML pages. * BUG FIX: ISAPI: HSE_REQ_TRANSMIT_FILE using sendfile() path was not processing tfinfo->pszStatusCode information. Zeus 3.3.4 - 2nd Dec 1999 ========================= Platform alterations -------------------- * Compaq Tru64 Unix version now built on 4.0F with native compilers optimized for ev6 hosts. * Separate HP-UX 10.20 and 11.00 builds. Program alterations since 3.3.2 ------------------------------- * Scalable 'Traffic light' page in the adminserver. Vastly improved the adminserver user-interface when dealing with thousands of configured Virtual Servers. The new interface provides a hierarchical tree-like display to provide fast 'drill-down' to a Virtual Server. The new interface can also display only the sites that are running, or not running, and allow a regular expression to 'filter' sites on display. * Miscellaneous performance optimizations * Greatly improved SSL client certificate handling. Adding support for the following environment variables: SSL_CLIENT_IO SSL_CLIENT_ICN SSL_CLIENT_IEMAIL SSL_CLIENT_IOU SSL_CLIENT_IL SSL_CLIENT_ISP SSL_CLIENT_IC CLIENT_CERT SSL_CLIENT_SERIAL * SSL: Switched to RSA licensed crypto engine * New 'SSL wizard' to allow fast, easy setup of SSL sites and their keys/certificates. * Netscape -> Zeus migration tool (netscape2zeus) netscape2zeus is a tool that can help you migrate from Netscape to Zeus, by providing automatic generation of Zeus configuration files based on a running Netscape server installation directory. The program can automatically detect and configure several Netscape configuration entities, making the migration work an easier task. See the description in the documentation system for usage information. * Frontpage install script now updates the AuthName directive created in the htaccess file in the user's docroot to the name of the website, rather than the name of the machine. * NSAPI: numerous application compatibility fixes. BroadVision, HP WebQOS, BEA WebLogic, Chilisoft ASP, ColdFusion, VelociGen now all tested against NSAPI interface. * NSAPI: NSAPI v4 support - compatible with iPlanet 4.0 Web server * ISAPI: 'Out-of-process' multi-threaded ISAPI engine. Tested against the new PHP4.0 server to provide extremely high-performance dynamic page generation. * ISAPI: 'snoop' development tool allows tracing of ISAPI applications similar to the operating system truss/strace commands. * Enhanced sendfile() support. Native sendfile support on HP-UX 11.00 builds, other platforms capable of supporting sendfile can do so through a pluggable driver interface * ISAPI: Documented HSE_REQ_TRANSMIT_FILE in ISAPI reference section. HSE_REQ_TRANSMIT_FILE provides a very high-performance mechanism for sending a file (or a portion of a file) to the client, with an optional header or footer. HSE_REQ_TRANSMIT_FILE will send the file directly from the webserver's internal cache, and is the recommended way of sending content back to the client for scenarios requiring high-performance dynamic content. Where sendfile() support is available, HSE_REQ_TRANSMIT_FILE will attempt to utilize the sendfile() fast-path when called with HSE_IO_DISCONNECT_AFTER_SEND | HSE_IO_SEND_HEADERS | HSE_IO_HANDLE_IS_FILENAME flags. * webctl can now 'sync' a given subset of the running Virtual Servers on a particular machine: e.g. % webctl --action=sync --machine=localhost --vs=server1 --vs=server2 * Improved clustering / webserver farm management. * Provide support for managing mixed Zeus/non-Zeus server farms. * Minor alterations in the HTTP engine to improve compliance with the latest version of the HTTP/1.1 specification. * 'httpclient' can now retrieve pages from secure websites. * BUG FIX: Access control module, when configured with more than 9 rules now displays correctly in the adminserver. * BUG FIX: Cookies were not being passed to authd servers. * Improved error reporting when log files cannot be opened. * Improved error reporting when loading SSL/X509 keys/certificates Zeus 3.3.3 - 22nd Oct 1999 ========================== * HP OEM Release - not sold to customers directly. Zeus 3.3.2 - 24th Aug 1999 ========================== Platform alterations since 3.3.1 -------------------------------- * Added Cobalt/Linux-mipsel support - Runs on Cobalt Networks server appliances * Added SCO - Built on SCO Unixware 7.1. We recommend customers install the kernel-socket supplement (ptf7401) and patch (erg501115) from SCO as these fixes many problems with their TCP stack (and greatly improves performance). * (Re)Added AIX support * Added FreeBSD/3/ELF * Dropped Linux-libc5 support, all Linux versions are now linked against libc6.x. Program alterations since 3.3.1 ------------------------------- * NSAPI support - Zeus now has support for NSAPI applications, and can run applications written for Netscape Enterprise Server. * Activity monitor - provides charting of bandwidth/load statistics of websites in real-time, and is cluster aware! (Virtual Servers need the stats module enabled to be included in the activity monitor). * Added webctl script to allow easy scriptable provisioning of websites distributed over a server farm. Lives in $ZEUSHOME/webadmin/bin/webctl * Server engine optimisations, the core engine has been speed up by 30%. * Added new htaccess directive 'PassEnvAuthorization' PassEnvAuthorization on|off (default off) Only available in a global htaccess file. Can be embedded in any sectioning directive. When set to 'on', the environment data for dynamic applications (CGIs/JServ/FastCGI/NSAPI etc) will contain the client's 'Authorization:' header as 'HTTP_AUTHORIZATION'. This allows the application to perform its own access control. e.g. PassEnvAuthorization on Obviously only 'trusted' applications should be given the client's password information for their access control purposes. Application servers such as Zope & some Java Servlets require this information. PassEnvAuthorization is a Zeus extension to the Apache specification. * Subserver module now has a 'custom subserver map function' mode, where you can add your own arbitary hostname hashing schemes via a shared library plug-in. * Removed legacy internal Zeus servlet runner (it only supported JSDK1, and we now fully support both Apache JServ (free/open source) and LiveSoftware's JRun (commercial) which provide much better servlet functionality). * No longer cache metadata of 'hot' objects. E.g. if a file as been recently altered, it will not be cached in the normal way, but reread from disk on the next request. This removes webmaster frustration trying to 'interactively' design webpages running under Zeus. * Now support Apache-style REDIRECT_STATUS and REDIRECT_URL environment variables when processing a 'handler' request, such as PHP3 pages which use/require these variables. * Search index program can now read Virtual Server configuration files from stdin, so it can index non-running websites, and be used on arbitrary machines. * When running in a clustered server farm mode, adminserver<->webserver communication is now secured via a shared secret communication key file. * SSL keep-alive is now disabled by default. The latest versions of IE5 appear to have a bug in their support for HTTP/1.1 keep-alive over SSL which causes websites to be unuseable via these clients. Can be re-enabled by adding 'tuning!ssl_keepalive yes' to the global.cfg file. * BUG FIX: ISAPI raw_write & large CGI output could become corrupted when the ISAPI filter returned the same HTTP_FILTER_RAW_DATA object back untouched and the client connection is slower than the CGI output. * BUG FIX: There was a denial of service attack against SSL servers running on Solaris, which could be provoked by clients which support cipher '10' (which recent SSLeay clients do by default). * BUG FIX: FastCGI base env variables are now zero-terminated correctly. * BUG FIX: FastCGI stderr now goes to the logfile instead of the client. * BUG FIX: under certain rare conditions, the search engine search.cgi application could eat CPU time. Upgrade notes ------------- Customers upgrading from Zeus 3.3.1: Version 3.3.2 will upgrade the configuration files for your virtual servers to add support for the new NSAPI module and the new activity monitor. The upgrade process will enable the stats module on all your Virtual Servers so that they show up on the activity monitor. The configuration files are updated, but not deployed by the upgrade/installation process. This means that if you view the 'traffic light' page, the running Virtual Servers will show up as 'modified'. To deploy these configuration changes, either restart the Virtual Servers via the adminserver, or use the new 'webctl' script to automate the restarting. (On the adminserver machine, cd $ZEUSHOME/webadmin/bin; ./webctl --action=restart --allvs ) In a clustered server-farm setup, you should obviously ensure you have upgraded all the webserver machines to version 3.3.2 before deploying the configuration changes. Should you require, you can easily roll-back to version 3.3.1 by simply updating the package symlinks in the $ZEUSHOME directory to point to the version 3.3.1 packages instead of the 3.3.2 packages and restarting Zeus (./stop-zeus; ./start-zeus). Alternatively, you can save disk-space by removing the 3.3.1 package directories if you do not require the roll-back functionality.