publish-ftpd is a non-anonymous read-only FTP and HTTP server. It requires no external programs other than a few standard Perl modules loaded at startup, and no configuration files other than the binary password and MIME-types files created by publish-ftpd-maint, its companion maintenance program. It provides neither high performance nor high security, and should not generally be used for serving files to the Internet.
r80v5 is a fast, lightweight HTTP server written in REBOL, supporting the execution of server-side REBOL code embedded in HTML files. It is easily extended by mapping modules to a resource pattern. For example, one module could be called for all *.txt files, but a different module could be used for all *.txt files in the directory 'source/'.
Remo is a graphical rule editor for ModSecurity, an Apache security module. ModSecurity is quite difficult to configure successfully. Modsecurity.org advertises a tested core ruleset granting you protection from most known attacks, but this is only blocks traffic known to be dangerous, when it is more effective to block everything not known to be safe. Remo is meant to assist in the difficult task of writing the rules that would correctly describe the requests that are valid for an application.
rpaf changes the remote address of the client on incoming proxy requests. It is used in backend servers that needs to know the IP of the client, and works in conjunction with mod_proxy_add_forward (which sets the X-Forwarded-For header). When an X-Host header exists rpaf will take the hostname found here, put it into Apache, and update the virtualhost settings so that you can serve virtualhosts on the backend. It includes modules for both Apache 1.3 and 2.0.
sbox is a CGI wrapper script that allows Web site hosting services to safely grant CGI authoring privileges to untrusted clients. In addition to changing the process privileges of client scripts to match their owners, it goes beyond other wrappers by placing configurable ceilings on script resource usage, avoiding unintentional and intentional denial of service attacks. It also optionally allows the Webmaster to place clients' CGI scripts in a chroot'ed shell restricted to the author's home directories.
sh-httpd is a shell script-based Web server that supports GET and HEAD methods, and a CGI 1.1 interface. It's not real fast, and it's probably not real secure, but it is really small. The Web server and it's configuration files are around 9,000 bytes total, and that's with comments and pretty whitespace. If you can run ash or bash, an inetd, and about 7 standard external commands on your system, you can have a Web server with CGI support. There's also a timeout counter that kills never-ending CGI programs, cleans up, and exits.