Documentation Source Text

Check-in [44a1928f55]
Overview
Comment: Improvements to the althttpd documentation.
SHA3-256: 44a1928f55e74e4c8a32041c5ceeb31f9c6aa523060fdcba73a38cee9e4c16d6
User & Date: drh 2018-11-21 21:46:36
Context
2018-11-24 19:14 Update the speed-and-size spreadsheet and the cpu.html page. Also make minor tweaks to the omitted.html page. check-in: 555bf82e10 user: drh tags: trunk
2018-11-21 21:46 Improvements to the althttpd documentation. check-in: 44a1928f55 user: drh tags: trunk
2018-11-16 17:33 Update the speed-and-size chart for version 3.26.0 (beta). check-in: f7ada093c1 user: drh tags: trunk
Changes

Changes to misc/althttpd.md.

    93     93       
    94     94   
    95     95   The key observation here is that each incoming TCP/IP connection on 
    96     96   port 80 launches a copy of /usr/bin/althttpd with some additional
    97     97   arguments that amount to the configuration for the webserver.
    98     98   
    99     99   Notice that althttpd is run as the superuser. This is not required, but if it
   100         -is done, then althttpd will move itself into a chroot jail at the root of
          100  +is done, then althttpd will move itself into a chroot jail at the root
   101    101   of the web document hierarchy (/home/www in the example) and then drop
   102    102   all superuser privileges prior to reading any content off of the wire.
   103    103   The -user option tells althttpd to become user www-data after entering
   104    104   the chroot jail.
   105    105   
   106    106   The -root option tells althttpd where to find the document hierarchy.
   107    107   In the case of sqlite.org, all content is served from /home/www.
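
Review bot: At lines 99-102 the paragraph says running as the superuser "is not required" but never says what althttpd does when it is started unprivileged, so a reader cannot tell whether the chroot jail and the privilege drop still happen. Suggest adding a sentence after "the chroot jail." that states the behaviour in that case. The one-word change at line 100, dropping the duplicated "of", is correct.
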
................................................................................
   161    161   If a prefix of a URI matches the name of an executable file then that
   162    162   file is run as CGI.  For as-is content, the request URI must exactly
   163    163   match the name of the file.
   164    164   
   165    165   For content delivered as-is, the MIME-type is deduced from the filename
   166    166   extension using a table that is compiled into althttpd.
   167    167   
   168         -Security Features
   169         ------------------
   170         -
   171         -To defend against mischief, there are restrictions on names of files that
   172         -althttpd will serve.  Within the request URI, all characters other than
   173         -alphanumerics and ",-./:~" are converted into a single "_".  Furthermore,
   174         -if any path element of the request URI begins with "." or "-" then
   175         -althttpd always returns a 404 Not Found error.  Thus is it safe to put
   176         -auxiliary files (databases or other content used by CGI, for example)
   177         -in the document hierarchy as long as the filenames being with "." or "-".
   178         -
   179         -An exception:  Though althttpd normally returns 404 Not Found for any
   180         -request with a path element beginning with ".", it does allow requests
   181         -where the URI begins with "/.well-known/".  This exception is necessary
   182         -to allow LetsEncrypt to validate ownership of the website.
   183         -
   184         -Log File
   185         ---------
   186         -
   187         -If the -logfile option is given on the althttpd command-line, then a single
   188         -line is appended to the named file for each HTTP request.
   189         -The log file is in the Comma-Separated Value or CSV format specified
   190         -by [RFC4180](https://tools.ietf.org/html/rfc4180).
   191         -There is a comment in the source code that explains what each of the fields
   192         -in this output line mean.
   193         -
   194         -The fact that the log file is CSV makes it easy to import into
   195         -SQLite for analysis, using a script like this:
   196         -
   197         ->
   198         -    CREATE TABLE log(
   199         -      date TEXT,             /* Timestamp */
   200         -      ip TEXT,               /* Source IP address */
   201         -      url TEXT,              /* Request URI */
   202         -      ref TEXT,              /* Referer */
   203         -      code INT,              /* Result code.  ex: 200, 404 */
   204         -      nIn INT,               /* Bytes in request */
   205         -      nOut INT,              /* Bytes in reply */
   206         -      t1 INT, t2 INT,        /* Process time (user, system) milliseconds */
   207         -      t3 INT, t4 INT,        /* CGI script time (user, system) milliseconds */
   208         -      t5 INT,                /* Wall-clock time, milliseconds */
   209         -      nreq INT,              /* Sequence number of this request */
   210         -      agent TEXT,            /* User agent */
   211         -      user TEXT,             /* Remote user */
   212         -      n INT,                 /* Bytes of url that are in SCRIPT_NAME */
   213         -      lineno INT             /* Source code line that generated log entry */
   214         -    );
   215         -    .mode csv
   216         -    .import httplog.csv log
   217         -    
   218         -
   219         -The filename on the -logfile option may contain time-based characters 
   220         -that are expanded by [strftime()](https://linux.die.net/man/3/strftime).
   221         -Thus, to cause a new logfile to be used for each day, you might use
   222         -something like:
   223         -
   224         ->
   225         -     -logfile /var/logs/althttpd/httplog-%Y%m%d.csv
   226         -
   227    168   Setup For HTTPS Using Stunnel4
   228    169   ------------------------------
   229    170   
   230    171   Althttpd itself does not do any encryption.
   231    172   To set up an encrypted website using althttpd, the recommended technique
   232    173   is to use [stunnel4](https://www.stunnel.org/).
   233    174   
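
Review bot: The block removed at old lines 168-226 (Security Features and Log File) is a relocation, since the same text is re-added further down, but the check-in comment only says "Improvements to the althttpd documentation". Suggest the comment mention the reorder and the new Basic Authentication sections, so that a reader of the timeline does not take this hunk for dropped security documentation.
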
................................................................................
   266    207   
   267    208   The "-port 8080" option is what tells althttpd to run in stand-alone
   268    209   mode, listening on port 8080.
   269    210   
   270    211   The author of althttpd has only ever used stand-alone mode for testing.
   271    212   Since althttpd does not itself support TLS encryption, the
   272    213   stunnel4 setup is preferred for production websites.
          214  +
          215  +Security Features
          216  +-----------------
          217  +
          218  +To defend against mischief, there are restrictions on names of files that
          219  +althttpd will serve.  Within the request URI, all characters other than
          220  +alphanumerics and ",-./:~" are converted into a single "_".  Furthermore,
          221  +if any path element of the request URI begins with "." or "-" then
          222  +althttpd always returns a 404 Not Found error.  Thus is it safe to put
          223  +auxiliary files (databases or other content used by CGI, for example)
          224  +in the document hierarchy as long as the filenames being with "." or "-".
          225  +
          226  +An exception:  Though althttpd normally returns 404 Not Found for any
          227  +request with a path element beginning with ".", it does allow requests
          228  +where the URI begins with "/.well-known/".  This exception is necessary
          229  +to allow LetsEncrypt to validate ownership of the website.
          230  +
          231  +Basic Authentication
          232  +--------------------
          233  +
          234  +If a file named "-auth" appears anywhere within the content hierarchy,
          235  +then all sibling files and all files in lower-level directories require
          236  +[HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication),
          237  +as defined by the content of the "-auth" file.
          238  +The "-auth" file is plain text and line oriented.
          239  +Blank lines and lines that begin with "#" are ignored.
          240  +Other lines have meaning as follows:
          241  +
          242  +  *  <b>http-redirect</b>
          243  +
          244  +     The http-redirect line, if present, causes all HTTP requests to
          245  +     redirect into an HTTPS request.
          246  +
          247  +  *  <b>https-only</b>
          248  +
          249  +     The https-only line, if present, means that only HTTPS requests
          250  +     are allowed.  Any HTTP request results in a 404 Not Found error.
          251  +     The https-only line normally occurs after an http-redirect line.
          252  +
          253  +  *  <b>realm</b> <i>NAME</i>
          254  +
          255  +     A single line of this form establishes the "realm" for basic
          256  +     authentication.  Web browsers will normally display the realm name
          257  +     as a title on the dialog box that asks for username and password.
          258  +
          259  +  *  <b>user</b> <i>NAME LOGIN:PASSWORD</i>
          260  +
          261  +     There are multiple user lines, one for each valid user.  The
          262  +     LOGIN:PASSWORD argument defines the username and password that
          263  +     the user must type to gain access to the website.  The password
          264  +     is clear-text - HTTP Basic Authentication is not the most secure
          265  +     authentication mechanism.  Upon successful login, the NAME is
          266  +     stored in the REMOTE_USER environment variable so that it can be
          267  +     accessed by CGI scripts.  NAME and LOGIN are usually the same,
          268  +     but can be different.
          269  +
          270  +  *  <b>anyone</b>
          271  +
          272  +     If the "anyone" line is encountered, it means that any request is
          273  +     allowed through, even if there is not username and password provided.
          274  +     This line is useful in combination with "http-redirect" to cause
          275  +     all ordinary HTTP requests to redirect to HTTPS without requiring
          276  +     login credentials.
          277  +
          278  +Basic Authentication Examples
          279  +-----------------------------
          280  +
          281  +The <http://www.sqlite.org/> website contains a "-auth" file in the
          282  +toplevel directory as follows:
          283  +
          284  +>
          285  +     http-redirect
          286  +     anyone
          287  +
          288  +That -auth file causes all HTTP requests to be redirected to HTTPS, without
          289  +requiring any further login.  (Try it: visit http://sqlite.org/ and
          290  +verify that you are redirected to https://sqlite.org/.)
          291  +
          292  +There is a "-auth" file at <https://fossil-scm.org/private/> that looks
          293  +like this:
          294  +
          295  +>
          296  +     realm Access To All Fossil Repositories
          297  +     http-redirect
          298  +     user drh drh:xxxxxxxxxxxxxxxx
          299  +
          300  +Except, of course, the password is not a row of "x" characters.  This
          301  +demonstrates the typical use for a -auth file.  Access is granted for
          302  +a single user to the content in the "private" subdirectory, provided that
          303  +the user enters with HTTPS instead of HTTP.  The "http-redirect" line
          304  +is strongly recommended for all basic authentication since the password
          305  +is contained within the request header and can be intercepted and
          306  +stolen by bad guys if the request is sent via HTTP.
          307  +
          308  +Log File
          309  +--------
          310  +
          311  +If the -logfile option is given on the althttpd command-line, then a single
          312  +line is appended to the named file for each HTTP request.
          313  +The log file is in the Comma-Separated Value or CSV format specified
          314  +by [RFC4180](https://tools.ietf.org/html/rfc4180).
          315  +There is a comment in the source code that explains what each of the fields
          316  +in this output line mean.
          317  +
          318  +The fact that the log file is CSV makes it easy to import into
          319  +SQLite for analysis, using a script like this:
          320  +
          321  +>
          322  +    CREATE TABLE log(
          323  +      date TEXT,             /* Timestamp */
          324  +      ip TEXT,               /* Source IP address */
          325  +      url TEXT,              /* Request URI */
          326  +      ref TEXT,              /* Referer */
          327  +      code INT,              /* Result code.  ex: 200, 404 */
          328  +      nIn INT,               /* Bytes in request */
          329  +      nOut INT,              /* Bytes in reply */
          330  +      t1 INT, t2 INT,        /* Process time (user, system) milliseconds */
          331  +      t3 INT, t4 INT,        /* CGI script time (user, system) milliseconds */
          332  +      t5 INT,                /* Wall-clock time, milliseconds */
          333  +      nreq INT,              /* Sequence number of this request */
          334  +      agent TEXT,            /* User agent */
          335  +      user TEXT,             /* Remote user */
          336  +      n INT,                 /* Bytes of url that are in SCRIPT_NAME */
          337  +      lineno INT             /* Source code line that generated log entry */
          338  +    );
          339  +    .mode csv
          340  +    .import httplog.csv log
          341  +    
          342  +
          343  +The filename on the -logfile option may contain time-based characters 
          344  +that are expanded by [strftime()](https://linux.die.net/man/3/strftime).
          345  +Thus, to cause a new logfile to be used for each day, you might use
          346  +something like:
          347  +
          348  +>
          349  +     -logfile /var/logs/althttpd/httplog-%Y%m%d.csv
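
Review bot: The "user" entry at new lines 259-268 puts clear-text passwords in a "-auth" file that lives inside the served document hierarchy, but nothing in the new section says why that file cannot be fetched; suggest a sentence tying it to the rule at lines 221-222 that any path element beginning with "-" returns 404 Not Found. The relocated text also carries typos that could be fixed while it is being moved: "Thus is it safe" (222) and "filenames being with" (224), and the new text has "there is not username" (273). The https-only item (249-251) says it "normally occurs after an http-redirect line" without saying whether line order matters; a sentence on ordering would help, since the fossil-scm.org example lists http-redirect with no https-only line.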