And-HTTPD

Current version is 0.99.11

NOTE that this software requires the Vstr, socket_poll and timer_q libraries.

Note that this software currently has a $2,000 "security guarantee".

I've also written in general about HTTP/1.1 after implementing this server here.

About and-httpd

Simple. Fast. Secure.

Simple

Configurable. Rewrites. Virtual hosts.

At its simplest the webserver can be used from the command line like so:

% ./and-httpd foo-dir
[Sep 20 21:20:05]: READY [0.0.0.0@8008]: foo-dir/

...which will start mapping requests to files under the specified "foo-dir" directory, using /etc/mime.types to specify the content-type of the resources and also automatically serving compressed versions of the resources if they are available under the resource name with ".gz" appended. Serving "large files" happens by default, if the system supports them. And if you are root you can use the --chroot option, which tries its best to just work (doing a bind mount for /dev/log when in a chroot).

And-httpd accepts connections from a "local controller", allowing the user to gracefully shut down the server or get a list of the current network connections being serviced.

And-httpd also comes with an "extra mime.types" file which can be loaded, providing content-type information for "non-standard" files like bittorrent, x-icon and OpenDocument.

Configurable

It allows you to easily create "cool URLs" by using the per-file configuration files (which can also do most of the points desired of the "content manager" in chips). For instance, content can be negotiated by having the following file at the path in the request configuration directory:

; Negotiate language and content
; Ie. request is http://foo/bar.c and this file is at
;  /<req-conf-dir>/bar.c And-httpd will serve either
;  /<docroot>/bar.c as text/plain or /<docroot>/bar.c.html as text/html
(org.and.httpd-conf-req-1.0
  (content-type-negotiate (text/plain '') (text/html .html))
  (filename += <content-type-extension>))

...the per-request configuration can add Content-MD5, Content-Location, ETags (which will be honored in If-Match headers from clients) and more.

And-httpd will also do a number of things automatically, like redirecting between directories and files or redirecting "ugly" requests for index.html to the parent directory. It will also automatically redirect requests ending in common punctuation that don't match a file (so that if you paste a URL into an email and have a dot or comma at the end, it'll "just work").

Rewrites

While the rewrite capabilities aren't as powerful as mod_rewrite, they are much easier to do correctly. For example the following is in the default and-httpd.conf to remove extraneous trailing index.html in URLs:

; Match http://localhost/index.html and redirect to http://localhost/
(org.and.httpd-conf-main-1.0
   match-request [path-end = / <directory-filename>]
     org.and.httpd-conf-req-1.0
       Location: [limit <path>-end = <directory-filename>] ''
       return 301)

...another somewhat common need is to redirect all requests to another URL, which can be done like:

; Redirect all requests for the localhost IP to localhost
(org.and.httpd-conf-main-1.0
   match-request [hostname-eq 127.0.0.1]
     org.and.httpd-conf-req-1.0
      (Location: = http://localhost <url-path>)
       return 301)

Virtual hosts

Another common problem is hosting multiple domains on the same computer; this again can easily be accomplished, even from the command line, by doing:

% ./and-httpd --virtual-hosts foo-dir
[Sep 20 21:20:05]: READY [0.0.0.0@8008]: foo-dir/

...now requests for "/x/y/z" on the host foo.example.com will be served via the file "foo-dir/foo.example.com:8008/x/y/z".

And-httpd also comes with a few tools, including make_index.pl (which can make an index.html file for a given directory) and gzip-r.pl (which will recursively create compressed files for auto content-encoding to save bandwidth). There is also a utility to convert the and-httpd syslog lines into the apache-httpd style combined log format.

Fast

And-httpd uses the following system capabilities to quickly do its work:

It also does automatic gzip encoding negotiation (with pre-encoded data) and IO limiting for clients that don't allow encoded output (saving bandwidth). It automatically generates ETags, and processes conditional GETs (saving bandwidth).

Due to the design, keep-alive is basically free, which also helps reduce latency and bandwidth.

Secure

Although written in C, the code doesn't call simplistic "C string" functions anywhere, so it isn't possible to create buffer overflows even if there is a logic problem.

% LC_ALL=C egrep '[^_.>a-zA-Z0-9](str(n?cpy|n?cat|xfrm|n?dup|str|pbrk|tok|_)|stpn?cpy|r?index[^.]|a?sn?printf|byte_)' src/*.c
%
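
The same audit wrapped as a pass/fail build gate, as an added example that is not part of the and-httpd source tree. The pattern is the one shown above; the function names and the two sample C files are constructed for illustration:

```shell
#!/bin/sh
# Added example: the page's egrep audit wrapped as a build gate.
# PATTERN is copied verbatim from the page; everything else is constructed.
PATTERN='[^_.>a-zA-Z0-9](str(n?cpy|n?cat|xfrm|n?dup|str|pbrk|tok|_)|stpn?cpy|r?index[^.]|a?sn?printf|byte_)'

# hits <dir>: print "file:line:text" for every matching line in <dir>/*.c
hits() {
    LC_ALL=C grep -E -n -- "$PATTERN" "$1"/*.c /dev/null || true
}

# audit <dir>: status 0 when nothing matches, 1 (hits on stderr) otherwise
audit() {
    found=$(hits "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample sources (not from the and-httpd tree).
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir "$d/clean" "$d/dirty"
    cat > "$d/clean/ok.c" <<'EOF'
void copy(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);   /* length-carrying call: not flagged */
    my_strcpy(dst, src);     /* leading '_' in the name: not flagged */
}
EOF
    cat > "$d/dirty/bad.c" <<'EOF'
void greet(char *dst, const char *name)
{
    strcpy(dst, "hello ");
    strcat(dst, name);
    sprintf(dst, "%s", name);
}
EOF
    echo "$d"
}

samples=$(make_samples)
audit "$samples/clean" && echo "clean: pass"
audit "$samples/dirty" || echo "dirty: fail"
rm -rf "$samples"
```

Because the pattern begins with a character class, a call at the very start of a line has no preceding character and is not reported; indented code inside function bodies is what it catches.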

Unlike most other httpd servers, and-httpd places strict limits on the number of nodes inside each header, thus stopping exponential DoS attacks. It will also, by default, do checks before doing automatic directory redirects so it doesn't give away that empty directories exist (i.e. http://example.com/foo will not redirect to http://example.com/foo/ if that would just produce a 404 anyway).
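
A model of the redirect decisions described here and in the "Configurable" section (directory redirects only when the target would not be a 404, index.html redirects, trailing dot or comma), as an added example and not and-httpd's own code. It assumes the directory filename is index.html; the function names, the sample docroot and the ".." guard are this example's own:

```shell
#!/bin/sh
# Added example: a model of the redirect decisions, not and-httpd code.
# Assumption: the directory filename is index.html.
INDEX=index.html

# decide <docroot> <request-path>  ->  prints "<status> [<target>]"
decide() {
    root=$1 path=$2
    # This example's own guard: refuse ".." path segments outright.
    case "$path/" in */../*) echo 400; return ;; esac
    case $path in
        */"$INDEX")            # "ugly" request: redirect to the directory
            dir=${path%"$INDEX"}
            echo "301 $dir"; return ;;
        */)                    # directory request: serve its index file
            if [ -f "$root$path$INDEX" ]; then echo "200 $path$INDEX"; return; fi ;;
        *)
            if [ -f "$root$path" ]; then echo "200 $path"; return; fi
            # Redirect to "path/" only when that request would succeed, so a
            # 301 never confirms that an empty directory exists.
            if [ -f "$root$path/$INDEX" ]; then echo "301 $path/"; return; fi
            # Trailing dot or comma from a pasted URL: retry without it.
            trimmed=${path%[.,]}
            if [ "$trimmed" != "$path" ] && [ -f "$root$trimmed" ]; then
                echo "301 $trimmed"; return
            fi ;;
    esac
    echo 404
}

# Constructed sample docroot: one empty directory, one with an index file.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir "$d/empty" "$d/docs"
    echo hello > "$d/docs/$INDEX"
    echo text > "$d/a.txt"
    echo "$d"
}

sample=$(make_sample_docroot)
for p in /docs /empty /missing /docs/index.html /a.txt, /docs/; do
    printf '%-18s -> %s\n' "$p" "$(decide "$sample" "$p")"
done
rm -rf "$sample"
```

In the sample run, /empty and /missing both produce 404, so a client cannot tell an empty directory from a path that does not exist.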

While And-httpd can be configured to be more "compliant", it will by default reject requests which have:

...while some of these might make it "non-compliant" with RFC 2616, no sane clients should be doing any of the above things.

And-httpd can also be configured to reject TRACE methods and HTTP/0.9 requests, although due to the lack of harm those are left enabled as a debugging aid.

And-httpd also has over 1.9MB of unit tests, which run from "make check" testing a significant portion of the above features. See the unit test coverage report.

And-httpd is also one of the few daemons that supports Linux socket filters.

Security guarantee

Because I'm so sure that And-httpd is secure, I'm offering a "security guarantee" of $2,000 for proof that I'm wrong.

Obviously there are caveats:

...on the "positive" side:

...although, obviously, feel free to add those as extra security layers on your live deployments.


Unsorted info.

    Design is a state machine triggering off IO events, somewhat like thttpd and boa (among others).

    Simple tests with "ab" show it to be about twice as fast as thttpd-2.20c (note that thttpd doesn't support keep-alive, which gives and-httpd a significant advantage -- mainly due to usage of Vstr).

    Includes init.d file, and allows "local controller" connections for soft restarts, status information etc.

    DOES NOT:
      Auto generate directory listings (see and-dir_list etc.)

      SSI, or other file contents parsing (see and-ssi tool, and scons)

      Run programs (doesn't call exec at all, only calls fork() at startup
                    for MP systems -- will be configurable).

      Call any i18n/gettext libc functions (will be fixed).

      Parse or honor the Accept-Charset header.

James Antill
Last modified: Mon Sep 11 12:52:00 EDT 2006