When Microsoft designed the FrontPage extensions for use on the Apache server, they had to work with some differences between Apache and the IIS server. First of all, the server extensions (as they are commonly referred to from the help documents for IIS) are an integrated part of the IIS server. Many of the settings are kept in the registry and use components that are integrated into Windows. This makes it difficult to separate this functionality out and work it into much more open servers like Apache, where modules are key and the source code is free.
This is where the mod_frontpage module for Apache comes in. It replicates the functionality of integrating the FrontPage extensions with the server. When any FrontPage-related request comes in, this module catches the request and knows which FrontPage extension program to run to handle it. The extension programs are not executed directly: a program called fpexec is used to run them. The functionality of fpexec is very similar to that of suexec, and fpexec can be thought of as a more specialized version of suexec that is only used to run the FrontPage extension programs. This helps with security because the extension programs then run as the user who owns the website, instead of as user nobody or whatever user your web server runs as.
Authentication is done by the use of .htaccess files that use a require directive in some directories. The .htaccess files look for flat authentication files (just like .htpasswd) in the _vti_pvt directory of a FrontPage extended web to determine if the user can authenticate or not. Since the authentication is separated out this way, it allows you to change the way authentication is done so that you can use digest, Radius or LDAP for authentication instead.
When you download the FrontPage extensions tarball from Microsoft, it includes a patch against the Apache source tree for creating the mod_frontpage module. A few precompiled httpd binaries with pre-built mod_frontpage support come with the tarball in case you don't want to build your own. A pre-built binary of the fpexec program, along with its source code, is also in the tarball. Unfortunately, the source code to the extension binaries that are run within a FrontPage extended web is not available at the time of this writing.
Improved mod_frontpage by Christof Pohl comes with both the mod_frontpage module and the fpexec suid program. Christof's mod_frontpage module, however, is a rewritten version of the Microsoft module that fixes some security issues and provides more features, such as being able to enable or disable the extensions through a directive in each domain's virtual container. The fpexec program is also a rewritten version of the Microsoft program that makes more security checks before allowing any of the extension programs to run.
Recent developments with improved mod_frontpage have enabled it to be a true DSO loadable module that only needs the apxs program for compilation. Probably by the time you read this, improved mod_frontpage should also no longer need to be patched against the Apache source tree for installation. Thus, it will be a separately compilable module. This will make it more viable for building into packages such as RPM and Debian packages, and much easier to install.
Part 2 | Apache and Frontpage | Copyright 2001 Suso Banderas (suso@suso.org)