The latest and greatest released version of Apache is always available from the Apache Web site in the /dist/ location: <URL:apache/dist/. If you look at that page, one of the first things you'll see is a link to a way of finding a distribution point, or mirror, that's closer to you.

The Apache Software Foundation only supports downloading using HTTP and the Web; FTP repositories are not provided. Mirror sites may or may not provide FTP access to their distribution areas.

Exactly how you download the software depends on your Web browser, but it may be as simple as holding down the 'Shift' key and clicking on the name of the file.

There are two types of packages you can download from the Apache site:

Packages containing only the Web server source code, and
Packages containing the source code and a pre-built binary.
The source-only packages are located in the top directory of the URL listed above; the prebuilt binaries are located in subdirectories underneath the /binaries/ folder.

Package naming
The Apache packages are named according to a formula:

The word 'apache', followed by
the three-component version number (e.g., '1.3.12'), followed by
optional suffix information (such as 'win32' to stress that the package is for Windows, or 'i386-whatever-linux2', which indicates a package built for Linux systems running on x86 hardware with a 2.* kernel version), followed by
package-type information (such as '.exe', or '.tar.gz')
A package that is missing the optional suffix information, such as 'apache_1.3.12.tar.gz', is a source-only package. If you download such you will have to compile and build the server yourself from scratch. Packages that include the optional suffix have been pre-built for the named platform, but they also include the source code in case you want or need to rebuild the server yourself.

The version number is very important. It's read from left to right, and each component is treated as a number in its own right. So the package named 'apache_1.3.12.tar.gz' contains version '1.3.12', which is pronounced 'one point three point twelve,' and is more recent than '1.3.9'.

Signature Files
In addition to the packages themselves, there are frequently accompanying signature files. These are used to verify that the packages were really built by the Apache developers, and have the same name as the package with either a '.asc' or '.md5' suffix attached. To use these, you will need either something that can read and verify PGP signatures (such as PGP itself), or a tool that can generate MD5 checksums.

The MD5 checksum, if one is provided for the package, is easier to check. You simply use your MD5 checksumming tool to generate a checksum of the package, and then you compare that value with what's in the .md5 file. For example:

% md5sum apache_1.3.12.tar.gz
de3ccff384b0d4ab94c3251cb85d49d2 apache_1.3.12.tar.gz
% cat apache_1.3.12.tar.gz.md5
MD5 (apache_1.3.12.tar.gz) = de3ccff384b0d4ab94c3251cb85d49d2