Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Improvements to the althttpd documentation. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
44a1928f55e74e4c8a32041c5ceeb31f |
User & Date: | drh 2018-11-21 21:46:36.048 |
Context
2018-11-24
| ||
19:14 | Update the speed-and-size spreadsheet and the cpu.html page. Also make minor tweaks to the omitted.html page. (check-in: 555bf82e10 user: drh tags: trunk) | |
2018-11-21
| ||
21:46 | Improvements to the althttpd documentation. (check-in: 44a1928f55 user: drh tags: trunk) | |
2018-11-16
| ||
17:33 | Update the speed-and-size chart for version 3.26.0 (beta). (check-in: f7ada093c1 user: drh tags: trunk) | |
Changes
Changes to misc/althttpd.md.
︙ | ︙ | |||
93 94 95 96 97 98 99 | The key observation here is that each incoming TCP/IP connection on port 80 launches a copy of /usr/bin/althttpd with some additional arguments that amount to the configuration for the webserver. Notice that althttpd is run as the superuser. This is not required, but if it | | | 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | The key observation here is that each incoming TCP/IP connection on port 80 launches a copy of /usr/bin/althttpd with some additional arguments that amount to the configuration for the webserver. Notice that althttpd is run as the superuser. This is not required, but if it is done, then althttpd will move itself into a chroot jail at the root of the web document hierarchy (/home/www in the example) and then drop all superuser privileges prior to reading any content off of the wire. The -user option tells althttpd to become user www-data after entering the chroot jail. The -root option tells althttpd where to find the document hierarchy. In the case of sqlite.org, all content is served from /home/www. |
︙ | ︙ | |||
161 162 163 164 165 166 167 | If a prefix of a URI matches the name of an executable file then that file is run as CGI. For as-is content, the request URI must exactly match the name of the file. For content delivered as-is, the MIME-type is deduced from the filename extension using a table that is compiled into althttpd. | < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < | 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | If a prefix of a URI matches the name of an executable file then that file is run as CGI. For as-is content, the request URI must exactly match the name of the file. For content delivered as-is, the MIME-type is deduced from the filename extension using a table that is compiled into althttpd. Setup For HTTPS Using Stunnel4 ------------------------------ Althttpd itself does not do any encryption. To set up an encrypted website using althttpd, the recommended technique is to use [stunnel4](https://www.stunnel.org/). |
︙ | ︙ | |||
266 267 268 269 270 271 272 | The "-port 8080" option is what tells althttpd to run in stand-alone mode, listening on port 8080. The author of althttpd has only ever used stand-alone mode for testing. Since althttpd does not itself support TLS encryption, the stunnel4 setup is preferred for production websites. | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 | The "-port 8080" option is what tells althttpd to run in stand-alone mode, listening on port 8080. The author of althttpd has only ever used stand-alone mode for testing. Since althttpd does not itself support TLS encryption, the stunnel4 setup is preferred for production websites. Security Features ----------------- To defend against mischief, there are restrictions on names of files that althttpd will serve. Within the request URI, all characters other than alphanumerics and ",-./:~" are converted into a single "_". Furthermore, if any path element of the request URI begins with "." or "-" then althttpd always returns a 404 Not Found error. Thus is it safe to put auxiliary files (databases or other content used by CGI, for example) in the document hierarchy as long as the filenames being with "." or "-". An exception: Though althttpd normally returns 404 Not Found for any request with a path element beginning with ".", it does allow requests where the URI begins with "/.well-known/". This exception is necessary to allow LetsEncrypt to validate ownership of the website. Basic Authentication -------------------- If a file named "-auth" appears anywhere within the content hierarchy, then all sibling files and all files in lower-level directories require [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), as defined by the content of the "-auth" file. The "-auth" file is plain text and line oriented. Blank lines and lines that begin with "#" are ignored. Other lines have meaning as follows: * <b>http-redirect</b> The http-redirect line, if present, causes all HTTP requests to redirect into an HTTPS request. * <b>https-only</b> The https-only line, if present, means that only HTTPS requests are allowed. Any HTTP request results in a 404 Not Found error. The https-only line normally occurs after an http-redirect line. * <b>realm</b> <i>NAME</i> A single line of this form establishes the "realm" for basic authentication. Web browsers will normally display the realm name as a title on the dialog box that asks for username and password. * <b>user</b> <i>NAME LOGIN:PASSWORD</i> There are multiple user lines, one for each valid user. The LOGIN:PASSWORD argument defines the username and password that the user must type to gain access to the website. The password is clear-text - HTTP Basic Authentication is not the most secure authentication mechanism. Upon successful login, the NAME is stored in the REMOTE_USER environment variable so that it can be accessed by CGI scripts. NAME and LOGIN are usually the same, but can be different. * <b>anyone</b> If the "anyone" line is encountered, it means that any request is allowed through, even if there is not username and password provided. This line is useful in combination with "http-redirect" to cause all ordinary HTTP requests to redirect to HTTPS without requiring login credentials. Basic Authentication Examples ----------------------------- The <http://www.sqlite.org/> website contains a "-auth" file in the toplevel directory as follows: > http-redirect anyone That -auth file causes all HTTP requests to be redirected to HTTPS, without requiring any further login. (Try it: visit http://sqlite.org/ and verify that you are redirected to https://sqlite.org/.) There is a "-auth" file at <https://fossil-scm.org/private/> that looks like this: > realm Access To All Fossil Repositories http-redirect user drh drh:xxxxxxxxxxxxxxxx Except, of course, the password is not a row of "x" characters. This demonstrates the typical use for a -auth file. Access is granted for a single user to the content in the "private" subdirectory, provided that the user enters with HTTPS instead of HTTP. The "http-redirect" line is strongly recommended for all basic authentication since the password is contained within the request header and can be intercepted and stolen by bad guys if the request is sent via HTTP. Log File -------- If the -logfile option is given on the althttpd command-line, then a single line is appended to the named file for each HTTP request. The log file is in the Comma-Separated Value or CSV format specified by [RFC4180](https://tools.ietf.org/html/rfc4180). There is a comment in the source code that explains what each of the fields in this output line mean. The fact that the log file is CSV makes it easy to import into SQLite for analysis, using a script like this: > CREATE TABLE log( date TEXT, /* Timestamp */ ip TEXT, /* Source IP address */ url TEXT, /* Request URI */ ref TEXT, /* Referer */ code INT, /* Result code. ex: 200, 404 */ nIn INT, /* Bytes in request */ nOut INT, /* Bytes in reply */ t1 INT, t2 INT, /* Process time (user, system) milliseconds */ t3 INT, t4 INT, /* CGI script time (user, system) milliseconds */ t5 INT, /* Wall-clock time, milliseconds */ nreq INT, /* Sequence number of this request */ agent TEXT, /* User agent */ user TEXT, /* Remote user */ n INT, /* Bytes of url that are in SCRIPT_NAME */ lineno INT /* Source code line that generated log entry */ ); .mode csv .import httplog.csv log The filename on the -logfile option may contain time-based characters that are expanded by [strftime()](https://linux.die.net/man/3/strftime). Thus, to cause a new logfile to be used for each day, you might use something like: > -logfile /var/logs/althttpd/httplog-%Y%m%d.csv |