Current version is 0.99.11
NOTE that this software requires the Vstr, socket_poll and timer_q libraries.
Note that this software currently has a $2,000 "security guarantee".
- Tarballs are available via ftp and http. Also a binary bzip2 cpio archive, of version 0.99.7, compiled against uClibc is available here.
- The mailing lists for and-httpd are available via the SourceForge and-httpd project.
- An up-to-date YUM repository is available (containing only the non-debug versions of the rpms) here, at which point you can just "yum install and-httpd".
- If you want to look at the arch repository that and-httpd is developed in, then it is available using:
    tla register-archive \
        james@and.org--2004-code ftp://ftp.and.org/pub/james/ARCH-2004-code
    tla get james@and.org--2004-code/and-httpd--main--0
  ...note that the LICENSE is LGPL, not GPL. So you can reuse it in your applications.
- The source can be read online: here
- NEWS file can be found here
- ChangeLog file can be found here
- TODO file can be found here
I've also written in general about HTTP/1.1 after implementing this server here.
About and-httpd
Simple
Configurable. Rewrites. Virtual hosts.
At its simplest the webserver can be used from the command line like so:
% ./and-httpd foo-dir
[Sep 20 21:20:05]: READY [0.0.0.0@8008]: foo-dir/
...which will start mapping requests to files under the specified "foo-dir" directory, using /etc/mime.types to specify the content-type of the resources and also automatically serving compressed versions of the resources if they are available as the resource name with ".gz" appended. Serving "large files" happens by default, if the system supports them. And if you are root you can use the --chroot option, which tries its best to just work (doing a bind mount for /dev/log when in a chroot).
And-httpd accepts connections from a "local controller", allowing the user to gracefully shut down the server or get a list of the current network connections being serviced.
And-httpd also comes with an "extra mime.types" file which can be loaded, providing content-type information for "non-standard" files like bittorrent, x-icon and OpenDocument.
Configurable
It allows you to easily create "cool URLs", by using the per-file configuration files (which can also do most of the points desired of the "content manager" in chips). For instance, content can be negotiated by having the following file at the path in the request configuration directory:
(org.and.httpd-conf-req-1.0
(content-type-negotiate (text/plain '') (text/html .html))
(filename += <content-type-extension>))
...the per-request configuration can add Content-MD5, Content-Location, ETags (which will be honored in If-Match headers from clients) and more.
And-httpd will also do a number of things automatically, like redirecting between directories and files or redirecting "ugly" requests for index.html to the parent directory. It will also automatically redirect requests ending in common punctuation that don't match a file (so that if you paste a URL into an email and have a dot or comma at the end, it'll "just work").
Rewrites
While the rewrite capabilities aren't as powerful as mod_rewrite, they are much easier to do correctly. For example the following is in the default and-httpd.conf to remove extraneous trailing index.html in URLs:
(org.and.httpd-conf-main-1.0
  match-request [path-end = / <directory-filename>]
    org.and.httpd-conf-req-1.0
    Location: [limit <path>-end = <directory-filename>] ''
    return 301)
...another somewhat common need is to redirect all requests to another URL, which can be done like:
(org.and.httpd-conf-main-1.0
  match-request [hostname-eq 127.0.0.1]
    org.and.httpd-conf-req-1.0
    (Location: = http://localhost <url-path>)
    return 301)
Virtual hosts
Another common problem is hosting multiple domains on the same computer; this again can easily be accomplished, even from the command line, by doing:
% ./and-httpd --virtual-hosts foo-dir
[Sep 20 21:20:05]: READY [0.0.0.0@8008]: foo-dir/
...now requests for "/x/y/z" on the host foo.example.com will be served via the file "foo-dir/foo.example.com:8008/x/y/z".
And-httpd also comes with a few tools, including make_index.pl (which can make an index.html file for a given directory) and gzip-r.pl (which will recursively create compressed files for auto content-encoding to save bandwidth). There is also a utility to convert the and-httpd syslog lines into the apache-httpd style combined log format.
Fast
And-httpd uses the following system capabilities to quickly do its work:
- Event multiplexing using either traditional APIs like poll() or newer APIs like epoll.
- Multi-process support, allowing it to scale with the number of CPUs it has available.
- Zero copy network output, using either sendfile() or mmap().
- TCP_CORK, to combine data as much as possible.
- TCP_DEFER_ACCEPT, to minimize empty network connections.
- TCP_CONGESTION, so you can control TCP behaviour for your network.
- posix_fadvise(), to speed up disk IO.
- Vstr, to manage IO buffers.
It also does automatic gzip encoding negotiation (with pre-encoded data) and IO limiting for clients that don't allow encoded output (saving bandwidth). It automatically generates ETags, and processes conditional GETs (saving bandwidth).
Due to the design, keep-alive is basically free, which also helps reduce latency and bandwidth.
Secure
Although written in C, the code doesn't call simplistic "C string" functions anywhere, so it isn't possible to create buffer overflows even if there is a logic problem.
% LC_ALL=C egrep '[^_.>a-zA-Z0-9](str(n?cpy|n?cat|xfrm|n?dup|str|pbrk|tok|_)|stpn?cpy|r?index[^.]|a?sn?printf|byte_)' src/*.c
%
Unlike most other httpd servers, and-httpd places strict limits on the number of nodes inside each header, thus stopping exponential DoS attacks. It will also, by default, do checks before doing automatic directory redirects so it doesn't give away that empty directories exist (i.e. http://example.com/foo will not redirect to http://example.com/foo/ if that would just produce a 404 anyway).
While And-httpd can be configured to be more "compliant", it will by default reject requests which have:
- Encoded / characters in the URL-path
- Encoded . characters in the URL-path
- The sequence /./ in the URL-path
- The character / in the hostname
- Range requests of more than a single byterange (this is just ignored, and the rest of the request is processed)
- PUT/POST/CONNECT/etc. methods
- A content-type or content-language header without a content-length header.
- Any kind of payload. In other words a non-zero content-length, or a transfer encoding (other than identity) on a request.
- Any "extra" CR or LF characters in the hostname or URL-path.
- Any whitespace in a header name.
- Any repeating of HTTP/1.1 headers that aren't allowed to be repeated.
- A URL-path that ends in any of: .shtml ~ # .tmp .htaccess or .sconsign (or their compressed versions) -- enforced by the extra mime types file
- When virtual hosting is enabled, a hostname that isn't specifically allowed (this is actually encouraged by rfc2616)
...while some of these might make it "non-compliant" with rfc2616, no sane clients should be doing any of the above things.
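The default rejection rules listed above, written out as a request filter. This is an added example in Python, not and-httpd's own code; the allowed-method set, the set of non-repeatable headers, the handling of ".gz" as the only compressed suffix and the name reject_reason are assumptions. Multi-range Range headers have no rule because the page says they are ignored rather than rejected.

```python
import re

# Assumptions of this example, not taken from and-httpd's source:
ALLOWED_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SINGLETON_HEADERS = {"host", "content-length", "content-type", "range"}
# Suffix list from the page; ".gz" stands in for "compressed versions".
BAD_SUFFIXES = (".shtml", "~", "#", ".tmp", ".htaccess", ".sconsign")


def reject_reason(method, path, headers, allowed_hosts=None):
    """Return why a request is refused, or None if it passes.

    headers: (name, value) pairs in wire order; allowed_hosts: set of
    permitted Host values when virtual hosting is on, else None.
    """
    if method not in ALLOWED_METHODS:
        return "method"
    seen = {}
    for name, value in headers:
        if re.search(r"\s", name):
            return "whitespace in header name"
        key = name.lower()
        if key in seen and key in SINGLETON_HEADERS:
            return "repeated header"
        seen[key] = value
    host = seen.get("host", "")
    if re.search(r"[\r\n]", host + path):
        return "CR/LF in hostname or path"
    if "/" in host:
        return "slash in hostname"
    if re.search(r"%2f", path, re.I):
        return "encoded slash"
    if re.search(r"%2e", path, re.I):
        return "encoded dot"
    if "/./" in path:
        return "/./ in path"
    stem = path[:-3] if path.endswith(".gz") else path
    if stem.endswith(BAD_SUFFIXES):
        return "blocked suffix"
    length = seen.get("content-length")
    if length is None and ("content-type" in seen or "content-language" in seen):
        return "entity header without content-length"
    if length is not None and length.strip() != "0":
        return "non-zero content-length"
    if seen.get("transfer-encoding", "identity").strip().lower() != "identity":
        return "transfer-encoding"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return "unknown virtual host"
    return None
```

Every check runs on the raw request text before any percent-decoding or path normalisation, so no later stage is handed a path that decodes into something different.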
And-httpd can also be configured to reject TRACE methods and HTTP/0.9 requests, although due to the lack of harm those are left enabled as a debugging aid.
And-httpd also has over 1.9MB of unit tests, which run from "make check" testing a significant portion of the above features. See the unit test coverage report.
And-httpd is also one of the few daemons that supports Linux socket filters.
Security guarantee
Because I'm so sure that And-httpd is secure, I'm offering a "security guarantee" of $2,000 for proof that I'm wrong.
Obviously there are caveats:
- The guarantee is only that stable released versions of And-httpd (0.99.x and then 1.0.x, currently) cannot be compromised so that an attacker can execute arbitrary commands or read/write arbitrary data. For instance DOS attacks aren't included in the guarantee (although I'm pretty sure And-httpd is better than most in that regard, the nature of network connected servers is that they are open to DOS attacks at some level).
- I only guarantee against remote attackers, so anything in the configuration that couldn't be expected to be put there by a "reasonable person who knows what they are doing" is not allowed (this is esp. true for information leak attacks, if it's a configuration issue it's not my problem).
- You have to have at least the versions of Vstr, socket_poll and timer_q libraries required by the autoconf installer.
- The $2,000 is only available to the first person who provides a working attack (I'll allow a couple of weeks for you to demonstrate something that works like an attack you describe).
...on the "positive" side:
- You can run And-httpd as root, i.e. not using drop-privs.
- You can run And-httpd without using chroot.
- You can run And-httpd without system defenses like exec-shield and SELinux.
...although, obviously, feel free to add those as extra security layers on your live deployments.
Unsorted info.
Design is a state machine triggering off IO events, somewhat like thttpd and boa (among others).
Simple tests with "ab" show it to be about twice as fast as thttpd-2.20c (note that thttpd doesn't support keep-alive, which gives and-httpd a significant advantage -- mainly due to usage of Vstr).
Includes init.d file, and allows "local controller" connections for soft restarts, status information etc.
DOES NOT:
- Auto generate directory listings (see and-dir_list etc.)
- SSI, or other file contents parsing (see and-ssi tool, and scons)
- Run programs (doesn't call exec at all, only calls fork() at startup for MP systems -- will be configurable).
- Call any i18n/gettext libc functions (will be fixed).
- Parse or honor the Accept-Charset header.
James Antill Last modified: Mon Sep 11 12:52:00 EDT 2006