> First off - Artyom, massive thanks for braving new ground and writing what is an
> excellent library and almost the only one of its kind. I really hope cppcms
> starts to build more momentum (community) to really take hold as a mainstream
> alternative solution.
I hope so too :-)
> I am trying to make use of the internal webserver. When I run any of the
> examples (with -c and the configuration file) it starts up (I confirmed that
> it opens the port in netstat), but when I point the browser at it, I get an
> "unable to connect", as if the server isn't responding. Any ideas?
What is your configuration file? What version of CppCMS do you use (I mean you
need 0.99.1 for the embedded web server)?

Generally take a look at the example file examples/hello_world/config.js:

- It is important to make sure you have "script_names" defined to the path your
  application should run on.
- If you need to serve html files as well you need to also add a section like:

    "file_server" : {
        "enable" : true,
        "document_root" : "/path/to/document/root"
    },

  see as an example src/config.js
> On the same note, how robust is the internal server? Would you use it
> comfortably in a deployed embedded system?
The internal web server is developed mostly for debugging purposes and can run in
**trusted** networks or behind proxies that sanitize HTTP input.

I explain why:

- It works in a very simple way: it does check HTTP input for correctness and
  handles requests, but for example it does not handle timeouts at all, so it is
  very vulnerable to DOS attacks.
- When serving files it has only a single document-root; it performs path checks
  using system calls like canonicalize_file_name under Linux, realpath under other
  POSIX OSes and GetFullPathName under Windows, but I'm not sure how complete and
  right these checks really are.
  On the other hand, from a quick glance at mongoose.c, it does not do even this
  (i.e. its security checks are quite primitive and would fail for advanced attacks).
- It does not support SSL.

So, if you deploy it in a trusted network where you do not expect attacks on your
service, it is more than fine. But I would never expose it to the internet or to
untrusted clients.
> How hard do you suppose it would be
> to merge in something like mongoose for use as an internal server?
I would not do this for two reasons:

1. All CppCMS APIs (SCGI/FCGI/HTTP) have quite strict requirements for their
   interfaces:
   - They are required to work in both synchronous and asynchronous modes
   - They should be integrated with the Booster.Aio event loop.
   So it would not be simple (if possible at all) to integrate it.
2. I'm not sure how good mongoose is in terms of security, so I would rather
   prefer to improve the security of the internal HTTP server so it would be able
   to handle requests in a much safer way, than to integrate it into CppCMS.

So, until it gets reviewed by some security experts I would not recommend using
the internal HTTP server in untrusted networks; as for the rest it is fine.

And if you do need a secure embedded web server I'd suggest using nginx or lighttpd
as they are very light (their binary size is even smaller than libcppcms.so), so just
use them as powerful and secure frontends for CppCMS.

Regards,
Artyom
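The document-root check discussed above (resolving the requested path with realpath and then confirming it still lies under the root) is easy to get subtly wrong, so here is an added example that is not CppCMS code and not what the library itself does; it is a stand-alone illustration for Linux/POSIX, and the helper names (resolve, naive_within_root, within_root, make_sandbox) are hypothetical. It builds a constructed directory layout under /tmp with a legitimate file, a file outside the root, and a symlink inside the root pointing out of it, then contrasts a naive prefix check on the unresolved path with a check on the canonicalized path.

```cpp
// Added example, not CppCMS code: a document-root containment check built on
// POSIX realpath(), showing why canonicalization must happen before the
// prefix comparison. Helper names are hypothetical.
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve `path` with realpath(). Returns "" on any failure (missing file,
// permission error, dangling symlink) so that callers fail closed.
static std::string resolve(const std::string &path) {
    char buf[PATH_MAX];
    if (!realpath(path.c_str(), buf))
        return std::string();
    return std::string(buf);
}

// Naive check: string prefix on the *unresolved* joined path. Every request
// trivially passes, including "../secret.txt" and symlinks out of the root.
bool naive_within_root(const std::string &root, const std::string &request) {
    std::string joined = root + "/" + request;
    return joined.compare(0, root.size(), root) == 0;
}

// Canonicalizing check: resolve both root and target, then require that the
// target equals the root or starts with root + "/". The trailing "/" stops
// "/srv/www" from matching a sibling such as "/srv/www2".
bool within_root(const std::string &root, const std::string &request) {
    std::string r = resolve(root);
    std::string t = resolve(root + "/" + request);
    if (r.empty() || t.empty())
        return false;                      // unresolvable -> reject
    if (t == r)
        return true;
    return t.size() > r.size() && t.compare(0, r.size() + 1, r + "/") == 0;
}

// Constructed layout (created at runtime, nothing here is real site data):
//   <tmp>/root/index.html            legitimate file
//   <tmp>/secret.txt                 file outside the root
//   <tmp>/root/link -> ../secret.txt symlink that escapes the root
// Returns the root directory path, or "" on failure.
std::string make_sandbox() {
    char tmpl[] = "/tmp/docroot-XXXXXX";
    char *tmp = mkdtemp(tmpl);
    if (!tmp)
        return std::string();
    std::string base(tmp);
    if (mkdir((base + "/root").c_str(), 0700) != 0)
        return std::string();
    { std::ofstream f(base + "/root/index.html"); f << "<h1>hi</h1>\n"; }
    { std::ofstream f(base + "/secret.txt");      f << "top secret\n"; }
    if (symlink("../secret.txt", (base + "/root/link").c_str()) != 0)
        return std::string();
    return base + "/root";
}

int main() {
    std::string root = make_sandbox();
    if (root.empty()) {
        std::perror("make_sandbox");
        return 1;
    }
    const char *requests[] = {"index.html", "../secret.txt", "link", "missing.html"};
    for (const char *q : requests)
        std::printf("%-16s naive=%d canonical=%d\n", q,
                    naive_within_root(root, q), within_root(root, q));
    return 0;
}
```

Two caveats this example makes visible: realpath follows symlinks, so a link inside the root that points outside is rejected (which is what you want for a document root, but it also means a deliberately symlinked asset directory must be placed inside the root), and a path that does not exist cannot be canonicalized at all, so the only safe answer is to reject it rather than fall back to the raw string. The check is also a point-in-time decision; the file that is finally opened can still differ from the one that was checked if the tree changes in between, which is one more reason the author's advice to keep this server off untrusted networks is sound.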