Re: [Cppcms-users] Internal webserver + embedded applications
From: Artyom <art...@ya...> - 2010-07-11 06:24:08
> First off - Artyom, massive thanks for braving new ground and writing what is an
> excellent library and almost the only one of its kind. I really hope cppcms
> starts to build more momentum (community) to really take hold as a mainstream
> alternative solution.

I hope so too :-)

> I am trying to make use of the internal webserver. When I run any of the
> examples (with -c and the configuration file) it starts up (I confirmed that
> it opens the port in netstat), but when I point the browser at it, I get an
> "unable to connect", as if the server isn't responding. Any ideas?

What is your configuration file? What version of CppCMS do you use? (I mean, you need 0.99.1 for the embedded web server.)

Generally, take a look at the example file examples/hello_world/config.js

- It is important to make sure you have "script_names" defined to the path your application should run on.
- If you need to serve HTML files as well, you also need to add a section like:

      "file_server" : {
          "enable" : true,
          "document_root" : "/path/to/document/root"
      },

  See src/config.js as an example.

> On the same note, how robust is the internal server? Would you use it
> comfortably in a deployed embedded system?

The internal web server is developed mostly for debugging purposes and can run in **trusted** networks or behind proxies that sanitize HTTP input.

I'll explain why:

- It works in a very simple way: it does check HTTP input for correctness and handles requests, but, for example, it does not handle timeouts at all, so it is very vulnerable to DoS attacks.
- When serving files it has only a single document root; it performs path checks using system calls like canonicalize_file_name under Linux, realpath under other POSIX OSes and GetFullPathName under Windows, but I'm not sure how complete and right these checks really are.

  On the other hand, from a quick glance at mongoose.c, it does not do even this (i.e. its security checks are quite primitive and would fail for advanced attacks).
- It does not support SSL.

So, if you deploy it in a trusted network where you do not expect attacks on your service, it is more than fine. But I would never expose it to the internet or to untrusted clients.

> How hard do you suppose it would be
> to merge in something like mongoose for use as an internal server?

I would not do this for two reasons:

1. All CppCMS APIs (SCGI/FCGI/HTTP) have quite strict requirements for their interfaces:
   - They are required to work in both synchronous and asynchronous modes.
   - They should be integrated with the Booster.Aio event loop.

   So it would not be simple (if possible at all) to integrate it.
2. I'm not sure how good mongoose is in terms of security, so I would rather improve the security of the internal HTTP server, so it would be able to handle requests in a much safer way, than integrate it into CppCMS.

So, until it gets reviewed by some security experts I would not recommend using the internal HTTP server in untrusted networks; as for the rest, it is fine.

And if you do need a secure embedded web server I'd suggest using nginx or lighttpd, as they are very light (their binary size is even smaller than libcppcms.so), so just use them as powerful and secure frontends for CppCMS.

Regards,
Artyom
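
Added example (not part of the original message and not CppCMS source code): a document-root containment check of the kind described above, built on realpath(), exercising the cases a lexical or plain string-prefix comparison gets wrong: a sibling directory that shares the root's name prefix, and a symlink that leaves the root. The function names, the /tmp location and the sample tree are assumptions constructed for illustration.

```cpp
// Added example, not CppCMS code. inside_document_root() and run_demo()
// are hypothetical names; the directory tree is constructed sample data.
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks, "." and ".."; returns "" if the path does not exist.
static std::string canonical(const std::string &p) {
    char *c = realpath(p.c_str(), nullptr);
    std::string s(c ? c : "");
    free(c);
    return s;
}

// True only if root/request resolves to the root itself or something below it.
bool inside_document_root(const std::string &root, const std::string &request) {
    std::string r = canonical(root);
    std::string f = canonical(root + "/" + request);
    if (r.empty() || f.empty()) return false;   // missing root or target: refuse
    // Compare against "root/" so that a sibling such as "www-secret" does not
    // pass merely because it shares the string prefix "www".
    std::string prefix = (r == "/") ? r : r + "/";
    return f == r || f.compare(0, prefix.size(), prefix) == 0;
}

struct Demo { bool plain, dotdot, symlink_out, missing; };

// Builds: www/index.html, www-secret/key.txt, www/link -> ../www-secret
Demo run_demo() {
    const Demo failed{false, true, true, true}; // setup error shows up as wrong results
    char tmpl[] = "/tmp/docroot-XXXXXX";        // assumes /tmp is writable
    char *d = mkdtemp(tmpl);
    if (!d) return failed;
    std::string base(d), root = base + "/www";
    bool ok = mkdir(root.c_str(), 0700) == 0 &&
              mkdir((base + "/www-secret").c_str(), 0700) == 0 &&
              symlink("../www-secret", (root + "/link").c_str()) == 0;
    if (!ok) return failed;
    std::ofstream(root + "/index.html") << "hello";
    std::ofstream(base + "/www-secret/key.txt") << "secret";
    return Demo{inside_document_root(root, "index.html"),             // allowed
                inside_document_root(root, "../www-secret/key.txt"),  // sibling prefix
                inside_document_root(root, "link/key.txt"),           // symlink escape
                inside_document_root(root, "nope.html")};             // nonexistent
}

int main() {
    Demo r = run_demo();
    std::printf("%d %d %d %d\n", r.plain, r.dotdot, r.symlink_out, r.missing);
}
```

The check still leaves a window between resolving the path and opening the file, so a server that relies on it should open the resolved path rather than the requested one.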