Apache :: Apache & Classic ASP

Douglas26 · Joined: 10 Dec 2009 Posts: 5

Hi there,

I'm setting up a web server at home on Windows XP Home Edition. I'll emphasize that this setup is purely for a hobby site, since I can't afford to pay for a hosting company right now - if I wanted add ons like Coldfusion and JSP, it would cost a bomb - and I can easily do that myself!

I've installed Apache 2.2.8 (AppServ) successfully, and people have tested my URL and it's all working as it should. However, I'd like to run both Classic ASP and ASP.NET on Apache too - I've got ASP.NET installed successfully and it's all working. With Classic ASP, I was excited to see that you could download it from Sun One for free, since it appears to be retired now, but it doesn't appear to support Apache 2.2.8.

My question is, apart from the obvious security and vulnerability reasons, does it really matter whether I finally host my site with version 2.2 or 2.0? If the only option is to use 2.0 so I can get Classic ASP, I'm not too fussed about which version I'll finally use, I'd just prefer to keep up to date with all the latest software.

Thanks

Douglas

Brian · Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA

I did a quick Google Search, I know there is an open source solution for ASP .NET, check this out maybe:

http://weblogs.asp.net/israelio/archive/2005/09/11/424852.aspx

My search results:

Google
Bing

Another option for your ASP/X is to run IIs behind Apache using mod_proxy. See post: http://www.apachelounge.com/viewtopic.php?p=14628#14628

Douglas26 · Joined: 10 Dec 2009 Posts: 5

Ah, thanks for your reply, but I should emphasize that I have ASP.NET working, and I've rolled back the server to 2.0, and have Classic ASP working now too. I suppose I'm asking, if using a 2.0 server will affect any future software updates like PHP 6?

James Blond

As far as I can see the future of PHP will be fcgi(d). In the last snapshot I downloaded from PHP6 there weren't module for apache (maybe yet). IIRC the future apache 2.4 will have more comfort with fcgi.
As Brian wrote there is always a chance of using a reverse proxy so you can combine older and newer technologies.

Apache 2.0 will have only security and bugfix releases. There is no real development. Also Apache 2.2 will be "finished" at some point.

glsmith

I hope you come back, I wish I'd thought of it sooner.

My I ask how your getting classic ASP in 2.0.63. I am curious because one thing I lost when migrating from 1.3.39 to 2.x was mod_asp. It was old, wasn't much yet still could do some slick things and I know the pain of loosing it.

I assume ASP.Net is mod_aspdotnet ... but what about the Classic ASP?

TIA

Security of 2.0.63:

Coming up January 19 will be the two year anniversary of the release so let's see what is wrong with it.

*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage.

*) SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL.

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
A partial fix for the TLS renegotiation prefix injection attack by
rejecting any client-initiated renegotiations. Any configuration
which requires renegotiation for per-directory/location access
control is still vulnerable, unless using OpenSSL >= 0.9.8l.

The release at apache.org includes OpenSSL 0.9.7m, I do not know if it is susceptible to the TLS MITM attack but I would expect it is. If a 2.0.64 is ever release, I would hope it came with the latest 0.9.8 release [currently 0.9.8l (L)]

That said, if your not a proxy or a secure server, I guess it's OK.

Gregg