What do web servers such as Apache get me over just doing socket programming? Sure I have to do the work but MS charges hundreds of dollars for Win Server but I just don't see why it's so hard to do it yourself using sockets.

But then I notice most people use Apache or IIS so I must be missing something?

(Obviously I'm new to web programming)
Posted on 2005-02-16 13:19:23 by drhowarddrfine
Getting a simple httpd running shouldn't be much of a problem, howard. Weazel did one many years ago entirely in assembly.

The thing with apache and IIS is that they support a lot of things - database integration, scripting languages (most notably PHP and ASP, but others too), various security thingies, and what do I know.

If you only need to serve very simple static pages, you can go with a webserver of your own, or one of the simpler servers. If you need anything dynamic, I'd say go with one of the already existing servers.

Also, if you write your own, be VERY careful with security. I wouldn't write a webserver in assembly, and I'd think twice before writing it in C. I'd choose "non-heavy" C++, or an object-oriented paradigm in C (basically using "dynamic strings", and avoiding direct calls to str* functions and malloc/realloc/delete, to avoid buffer overflows and such.)
Posted on 2005-02-16 14:19:25 by f0dder
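Added example, not code from any poster in this thread: a sketch of the "dynamic strings" approach mentioned above, in C, where every write goes through one checked append instead of direct str*/realloc calls. The `dstr` type, the `ds_*` names and the 16-byte limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string: all writes go through ds_append, which
   checks the length arithmetic and a hard cap before touching memory. */
typedef struct {
    char  *data;  /* NUL-terminated once allocated */
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated */
    size_t max;   /* hard limit, e.g. longest request line accepted */
} dstr;

static void ds_init(dstr *s, size_t max) {
    s->data = NULL; s->len = 0; s->cap = 0;
    s->max = max < SIZE_MAX ? max : SIZE_MAX - 1;  /* leave room for the NUL */
}
/* Resets the fields as well, so a second ds_free is harmless. */
static void ds_free(dstr *s) { free(s->data); ds_init(s, s->max); }

/* Append n bytes. Returns 0, or -1 if the result would exceed s->max or
   memory runs out; on failure the string is left unchanged. */
static int ds_append(dstr *s, const void *src, size_t n) {
    if (n > s->max || s->len > s->max - n) return -1;  /* cannot wrap */
    size_t need = s->len + n + 1;
    if (need > s->cap) {
        size_t ncap = s->cap ? s->cap : 64;
        while (ncap < need)
            ncap = ncap > SIZE_MAX / 2 ? need : ncap * 2;
        char *p = realloc(s->data, ncap);
        if (p == NULL) return -1;           /* old buffer is still valid */
        s->data = p;
        s->cap = ncap;
    }
    memcpy(s->data + s->len, src, n);
    s->len += n;
    s->data[s->len] = '\0';
    return 0;
}

int main(void) {
    dstr line;
    ds_init(&line, 16);                     /* constructed 16-byte limit */
    int a = ds_append(&line, "GET /index", 10);
    int b = ds_append(&line, ".html HTTP/1.0", 14);  /* would reach 24 */
    printf("%d %d \"%s\"\n", a, b, line.data);
    ds_free(&line);
    return 0;
}
```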
I once wrote a httpd in asm (MASM), it's free (http://www.japheth.de/download/httpd.zip). It was written mainly as a toy, but it supports ISAPI and because it was really fun I wrote an ISAPI to support active scripting and, with the help of ADO, db access (http://www.japheth.de/download/jasp.zip).

But I somehow agree with f0dder, ASM is not the best language to write a httpd, and the asm server totally lacks security. It also creates a thread for every request (it has no thread pool), so not the best choice for heavy loads.
Posted on 2005-02-19 11:33:37 by japheth
Thanks guys. I was hoping you two would reply.

I just realized I haven't done any serious programming in two years and nothing for the past year. Depressing because I'm shocked at how much I've forgotten.

It also creates a thread for every request (it has no thread pool), so not the best choice for heavy loads.

Can you explain thread pool to me? Apache creates pools, too, but I don't know if they are the same as thread pools. I thought isapi created a new thread for each request. Do you know or is it different?

I'm starting to get the hang of Apache now. I was getting frustrated because I couldn't find the info I needed. Actually, it is there but I find it a little difficult to relate and find different parts of the info.
Posted on 2005-02-19 11:56:28 by drhowarddrfine
Here's a good article that answers my own question:
Thread Pooling
Though the article is about C#, this page refers to threads and pooling in particular. It also talks about why Unix is better than Windows for this.
Posted on 2005-02-19 12:39:39 by drhowarddrfine
You could write your own thread pooler, ie, implement IOCP yourself.
I've thought about it more than once.
Posted on 2005-02-20 07:33:41 by Homer

The thing with apache and IIS is that they support a lot of things - database integration, scripting languages (most notably PHP and ASP, but others too),


Php and others are easy to support, all you have to do is use pipes and send data back and forth from user to installed php or asp, and have them do all the work. Only thing in apache I consider tricky to do is ssl.
Posted on 2005-05-22 22:58:47 by Webring
Pools and thread pools are similar but not the same.
You can pool resources like buffers and structures so that you "meter" their use.
ie: Take a resource out of a pool, then later put it back in.
Thread pools are a little different in that work is usually handed to a thread pool and the pool does the work.
You don't actually put or take things with a thread pool.

Typically with IOCP you don't need a thread pool as the worker threads you create will typically be blocked
on the GetQueuedCompletionStatus call. Or they should be.

Rgs, james.

ps- I have a library of such things that is growing and available here: www.jamesladdcode.com
    It's a work in progress.
Posted on 2005-05-24 04:35:17 by James_Ladd
and 1 quick question: A database program (server?) like MySQL comes with a DLL with functions, that i can call to execute tasks like "select" etc. right? (this isn't very important for me to know right now, but it's just that i haven't got the time to check this myself yet, and I think that some of you guys have already played with it... ignore this question, if you wish.)
Posted on 2005-05-24 18:24:26 by ti_mo_n
Maybe this can help (Google told me)

RFC 2818: http://www.faqs.org/rfcs/rfc2818.html
Abstract

  This memo describes how to use TLS to secure HTTP connections over
  the Internet. Current practice is to layer HTTP over SSL (the
  predecessor to TLS), distinguishing secured traffic from insecure
  traffic by the use of a different server port. This document
  documents that practice using TLS. A companion document describes a
  method for using HTTP/TLS over the same port as normal HTTP.


RFC 2246: http://www.faqs.org/rfcs/rfc2246.html
Abstract

  This document specifies Version 1.0 of the Transport Layer Security
  (TLS) protocol. The TLS protocol provides communications privacy over
  the Internet. The protocol allows client/server applications to
  communicate in a way that is designed to prevent eavesdropping,
  tampering, or message forgery.


Check this link to read about SSL: http://www.windowsecurity.com/pages/article_p.asp?id=440 (at the bottom of the page you will find direct links to SSL specifications)

Kecol.-
Posted on 2005-05-24 22:42:31 by Kecol
Thanx, Kecol! I found only the second one (RFC 2246), and skipped looking thru any "TLS" stuff  :oops:

Thank you for your help :)
Posted on 2005-05-24 23:33:07 by ti_mo_n
1) how do i implement SSL/HTTPS (I couldn't find any RFC for it?) (or maybe it has something to do with TLS, which i HAVE found?)

2) Is writing a server on Windows OS a clever idea if you plan a large-scale project? I'm talking about security. Is Windows equally secure (for example: equally difficult to crash it remotely) to UNIX/LINUX ? And if 'yes' - then why most servers are NOT for Windows?

and 1 quick question: A database program (server?) like MySQL comes with a DLL with functions, that i can call to execute tasks like "select" etc. right? (this isn't very important for me to know right now, but it's just that i haven't got the time to check this myself yet, and I think that some of you guys have already played with it... ignore this question, if you wish.)


1. SSL Secure Socket Layer is hard to implement but once implemented, HTTPS is just receiving HTTP packets over the SSL connection.
Have a look at things like OpenSSL for info on SSL and its implementation.

2. I have chosen to write a scalable server on Windows because it supports IO completion ports which is a nice low level IO mechanism.
   The traditional socket stuff I have done for unix/linux is not as event driven. You have to "select"/poll on handles to find out what event is happening.
   Windows will call you back. There is also a handle limit in unix/linux for select, but this may have changed recently. I'm looking into this too.
   As far as security goes, well the current "feeling" is that unix/linux is more secure, but it's just a matter of market penetration.
   If everyone used linux, then I guess there would be more exploits and more publicity about them.

3. Yes, you can use the MySQL APIs in C and assembler to talk to the MySQL database.

I hope this helps.

rgs, james.
Posted on 2005-05-25 03:46:38 by James_Ladd
Thanx James_Ladd for your answers :D
Posted on 2005-05-25 07:38:05 by ti_mo_n
James, how is your iocp project coming along?
What I saw looked like early days..

Posted on 2005-05-26 03:41:39 by Homer
EvilHomer2k,
The project is coming along ok. Time is the issue as I cut code all day too :)
This is my first assembler project as well.
I have a lot of snippets that do other things like scavenging connections, pooling threads and buffers etc etc
but I only add these bit by bit to the main program so that if something goes wrong I have a good handle on
what it might be. Small changes.
I'm keen to complete the full server with plugin support so I can get onto another project that I need it for.
Rgs, james.
Posted on 2005-05-26 04:23:17 by James_Ladd

Is writing a server on Windows OS a clever idea if you plan a large-scale project? I'm talking about security. Is Windows equally secure (for example: equally difficult to crash it remotely) to UNIX/LINUX ?

I would say yes - if you make sure to disable the services you don't use, and have proper patches applied. And if you're behind a firewall and only forward the necessary ports (you should ALWAYS have your servers behind a firewall), then it's completely secure; there are win2k servers with more than a year of uptime.

The reason most servers aren't on windows? One reason would be that the typical windows server is IIS which has had a number of problems. Another would be elitism and ignorance.

Be careful if you're doing server programming in assembly... it's way too easy to fall prey to buffer overflows et cetera.
Posted on 2005-05-27 07:22:12 by f0dder
We are probably in the best position to gauge that kind of danger.
MASM coders - note the publicised overflows in masmLIB please !!
I've implemented one antiDoS so far in my Banked socket engine, which is a timeout on clients who connect and never send a single byte of data.
The first packet sent by a client must fit the protocol standard, or we cull the client.
Tonight I'll be adding an idle kill for clients which connect, send at least one protocol packet, then become zombies... that's the two main DoS attacks sorted out, and note my server doesn't hang on clients that haven't sent data - it accepts on zero bytes received.
I'd like to initiate a formal discussion on these matters, but I'm unsure who I am talking down to, and who I can learn from in this regard..
Posted on 2005-05-27 08:28:50 by Homer

We are probably in the best position to gauge that kind of danger.

Yes and no... assembly programmers *should* know enough about the low-level workings and mechanisms used for exploiting software flaws, but many are totally ignorant of these matters. The language also makes safe string and buffer management quite tedious, not to mention all the correct error checkings.


MASM coders - note the publicised overflows in masmLIB please !!

I would change this to "programmers - stay away from the m32lib". Double-free bugs, handle leaks, inefficiencies - which will never be fixed. But that's an entirely different matter.

Homer, another couple things to add would be dropping new connections from an IP if there's "too many" connections already from that IP. There's not much you can do if the attacker is in control of a 1000-host zombie net, though :(
Posted on 2005-05-27 12:59:19 by f0dder
Homer,
I think it's great you're adding these features to your stuff.
I'm not sure of the "all connections from one host" thing suggested by Fodder. I wouldn't cull a connection because of this.
Some routers and firewalls may appear as coming from one host.
Rgs James.
Posted on 2005-05-27 18:35:43 by James_Ladd

I'm not sure of the "all connections from one host" thing suggested by Fodder. I wouldn't cull a connection because of this.
Some routers and firewalls may appear as coming from one host.

You need to set the limit somewhat high to handle NAT'ed networks, and you should of course make the limit configurable in the server. However, I'd say that more than ~10 hosts connecting from one IP is a misconfigured network...

Of course you have to consider the type of service. HTTP connections are usually short-lived, and you can accept more queries from one IP (many httpds, especially involved with serving large files, only accept 1-3), ftp connections might accept a bit more, and IM protocols tend to be even more long-lived.

But still - too many connections from an IP means either an attack, a badly configured network, or a restricted network. Restricted networks (campuses, uni labs, etc.) generally only want you to access a few things, and badly configured networks are the responsibility of the network admin. So do brace yourself...
Posted on 2005-05-27 19:41:59 by f0dder
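Added example, not code from any poster in this thread: a C sketch combining the three guards discussed above, namely a configurable per-IP connection limit (set high enough for NAT), a deadline for the first byte, and an idle timeout for clients that go quiet. The `guard` and `conn` types, the limits and the addresses are hypothetical, and time is passed in as monotonic seconds so the logic can be checked without sockets.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_TRACKED 1024          /* hypothetical table size */
enum { CONN_OK, CONN_SILENT, CONN_IDLE };

typedef struct {
    unsigned per_ip_limit;        /* configurable; high enough for NAT */
    unsigned first_byte_s;        /* seconds allowed before the first byte */
    unsigned idle_s;              /* seconds allowed between later packets */
    struct { uint32_t ip; unsigned open; } tab[MAX_TRACKED];
} guard;
typedef struct { uint32_t ip; uint64_t accepted, last_rx; int got_data; } conn;

/* Count a new connection from ip at time now (monotonic seconds).
   Returns 1 if accepted, 0 if refused: over the limit, or table full. */
static int guard_admit(guard *g, conn *c, uint32_t ip, uint64_t now) {
    int slot = -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g->tab[i].open && g->tab[i].ip == ip) { slot = i; break; }
        if (!g->tab[i].open && slot < 0) slot = i;    /* first free slot */
    }
    if (slot < 0 || g->tab[slot].open >= g->per_ip_limit) return 0;
    g->tab[slot].ip = ip;
    g->tab[slot].open++;
    c->ip = ip; c->accepted = c->last_rx = now; c->got_data = 0;
    return 1;
}

static void guard_release(guard *g, const conn *c) {  /* call once on close */
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g->tab[i].open && g->tab[i].ip == c->ip) { g->tab[i].open--; return; }
}

static void conn_received(conn *c, uint64_t now) { c->got_data = 1; c->last_rx = now; }
/* Periodic sweep: a non-zero result means close the socket. */
static int conn_check(const guard *g, const conn *c, uint64_t now) {
    if (!c->got_data)
        return now - c->accepted > g->first_byte_s ? CONN_SILENT : CONN_OK;
    return now - c->last_rx > g->idle_s ? CONN_IDLE : CONN_OK;
}

int main(void) {
    static guard g = { .per_ip_limit = 2, .first_byte_s = 10, .idle_s = 60 };
    conn c[3];
    for (int i = 0; i < 3; i++)   /* constructed client 192.0.2.7 */
        printf("admit=%d\n", guard_admit(&g, &c[i], 0xC0000207u, (uint64_t)i));
    printf("check at t=11: %d\n", conn_check(&g, &c[0], 11));
    return 0;
}
```

The table fails closed when it is full, and `guard_release` must only be called for connections that `guard_admit` accepted.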