BCHS: OpenBSD, C, httpd and SQLite web stack

217 points by davikrr, more than 3 years ago

19 comments

dleslie, more than 3 years ago
I'd be fine with this, even totally on-board, if C weren't so awful with respect to text. You don't even have to worry too much about free()ing your malloc()s if you design around short-lived processes. But this is just asking for security concerns among the tangled web of string and input processing your bespoke C routines are likely to develop into.

Pair it with a better, more modern, and safer native-compiled language and get the same effect. Zig, Nim, Go, hell even Carp.

teleforce, more than 3 years ago
SQLite author is an avid Tcl user and he recently introduced a small, secure and modern CGI based web application called wapp [1],[2].

[1] Wapp - A Web-Application Framework for TCL:

https://wapp.tcl.tk/home

[2] EuroTcl2019: Wapp - A framework for web applications in Tcl (Richard Hipp):

https://www.youtube.com/watch?v=nmgOlizq-Ms

theamk, more than 3 years ago
It seems pretty crazy to write web-facing apps in C, with no memory safety at all.

(They do have "pledge" but even in the most restricted case, this still leaves full access to database)

km, more than 3 years ago
Writing C might be challenging for some, but as others have mentioned, one can use some other language which gives a statically linked binary to place in the httpd chroot. It won’t be BCHS then.

For uptime.is I’ve used a stack which I’ve started calling BLAH because of LISP instead of C.

jamal-kumar, more than 3 years ago
People love to talk all sorts of trash on this kind of stack but it's really quite solid for what it does. If anyone was ever curious what a sizeable codebase in this kind of code would even look like, check out the source code for undeadly.org [1]. Yeah these people may be crazy but they're also OpenBSD developers and we really love to see what we can get away with using nothing other than what's available in the base distribution. I think a lot of what you see being written for production ends up being very similar to this kind of approach, maybe just utilizing rust or golang as the web application backend language if that's what is the more comfortable thing. Nothing but the base system and a single binary, not relying on an entire interpreter stack, sure can be smooth.

There's other examples of this kind of approach, too, writing straight C Common Gateway Interface web applications in public-facing production use - What comes to mind is the version control system web frontend that the people who write wireguard use, cgit [2] - If it's really so crazy then how come the openbsd and wireguard people - presumably better hackers than you - are just out there doing it?

Other places you see C web application interfaces include in embedded devices (SCADA, etc) and even the web interfaces for routers, which unfortunately ARE crazy because check out all the security problems! Good thing people at our favorite good old research operating system have done the whole pledge(2)[3] syscall to try and mitigate things when those applications go awry - understanding this part of the whole stack is probably key to seeing how any of it makes any sense at all in 2022. It sure would be nicer if those programs just crashed instead of opening up wider holes. Maybe we can hope these mitigations and a higher code quality for limited-resource device constraints all become more widespread.

[1] http://undeadly.org/src/ [2] https://git.zx2c4.com/cgit/ [3] https://learnbchs.org/pledge.html
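
Added example, not part of the thread and not code from the BCHS project: a short-lived C CGI program that, on OpenBSD, drops to pledge("stdio") as mentioned above and decodes one query parameter with explicit bounds, the kind of input handling dleslie's comment worries about. The function name `query_get` and the parameter name `name` are hypothetical; the pledge call is compiled only on OpenBSD.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h> /* pledge(2) */
#endif

static int hexval(int c) { /* value of a hex digit, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold ASCII case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode parameter `key` of qs into out[outsz]. Returns the length, or -1 if
 * the key is absent, an escape is malformed, a NUL is encoded, or it won't fit. */
int query_get(const char *qs, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key), n = 0;
    const char *p = qs, *v = NULL;
    while (p != NULL && v == NULL) { /* p always points at a parameter start */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') v = p + klen + 1;
        else if ((p = strchr(p, '&')) != NULL) p++;
    }
    if (v == NULL || outsz == 0) return -1;
    for (; *v != '\0' && *v != '&'; v++) {
        int c = (unsigned char)*v;
        if (c == '+') c = ' ';
        else if (c == '%') {
            int hi = hexval((unsigned char)v[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)v[2]);
            if (lo < 0) return -1; /* truncated or non-hex escape */
            c = hi * 16 + lo; v += 2;
        }
        if (c == 0 || n + 1 >= outsz) return -1; /* encoded NUL or overflow */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
#ifdef __OpenBSD__
    if (pledge("stdio", NULL) == -1) return 1; /* no files, sockets or exec */
#endif
    char name[64];
    const char *qs = getenv("QUERY_STRING");
    if (qs == NULL || query_get(qs, "name", name, sizeof name) < 0)
        return puts("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad request") < 0;
    return printf("Content-Type: text/plain\r\n\r\nhello, %s\n", name) < 0;
}
```

The response is sent as text/plain, so the decoded value is not HTML-escaped; a page that emits HTML would need that step as well.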

petee, more than 3 years ago
Another great stack for writing C (or now python) is https://kore.io which offers quite a few helper features, and it's easy to get started

RcouF1uZ4gsC, more than 3 years ago
> How do I pronounce BCHS?

I think the correct pronunciation is “Breaches”. Using C in this place as others have mentioned is very, very likely to lead to security issues. Even C++, with its better string handling would be a step up.

ThinkBeat, more than 3 years ago
I remember writing a lot of early web stuff in Perl/CGI. The "servers" I wrote were fast. Perl had most things you could desire built in already.

Database stuff took a good deal of doing, but with little in terms of abstraction, it was also quite fast.

I would like to see a renaissance of using different protocols than HTTP and different content markup than HTML.

harryvederci, more than 3 years ago
Interesting CGI content linked on there.

I've been reading about / hacking on CGI recently, and it's been kinda fun!

Question: One thing I keep reading is how inefficient it is to start a new process for each incoming connection. Could someone explain to me why that's such a bottleneck? I imagine it being an issue back when CGI was used everywhere, people moving away from CGI, and forgetting about it. But haven't there been improvements in the meantime? Computers from today can run circles around those from a few decades back. Has everything improved except the speed / efficiency of starting a new process?

(I don't have a computer science background, but I guess you could already tell from the above.)

Zababa, more than 3 years ago
Lots of opinions but few facts in the comment. I'd love to see an experiment with people using that and their preferred web stack. Is this really slower to develop? By how much? Is this really unsecure? Is this really simpler, faster?

da39a3ee, more than 3 years ago
I’d like to love man pages but

- I feel that they are linux only. On my MacOS system I can’t rely on man x being the man page for the right version of x. I know that in principle there are environment variables that make sure I’m getting the gnu core utils version or the base homebrew version rather than the system BSD version, but it’s too many moving parts. Furthermore even if I get it right, I can’t expect people I’m working with or mentoring to get it right, hence I can’t recommend man to them for documentation. God knows about man pages on Windows.

- I feel that a small amount of plain text documentation should be stored in the executable, not separately. Isn’t it a holdover from the vastly more constrained computing environments of the 70s and 80s that we’re keeping man pages separate from the executable? It’s just asking to get out of sync / incorrectly paired up.

tiffanyh, more than 3 years ago
s/C/NIM

Why don’t more folks use NIM for web development? Seems like the perfect blend of performance, ergonomics and productivity.

0xbadcafebee, more than 3 years ago
I have written web applications in a lot of languages, including C. C was the worst.

dreamsbythelake, more than 3 years ago
What a coincidence! Lovely topic, even registered account for this :-)

I _just_finished_ my own comparative benchmarks to (re)check my projects from ~7 years ago, all in similar stack.

Back then I wrote the logic as Apache modules, in C. It was using Cairo to draw charts (surprisingly, the traces of trigonometry knowledge was enough for me to code that :-), and I had absolutely crazy "hybrids" of bubble charts with bars, alpha channel overlays etc. It was extremely useful for my projects back then and I have never seen any library, able to produce what I "tailored" ...)

The 7-years-ago end-to-end page generation time was ~300 mcs (1e-6 sec), with graphics, data store IO and request processing, preparing the "bucket brigade" and passing it down the Apache chain.

This Jan I re-visited my code and implemented logic for OpenBSD httpd as:

** 1) Open BSD httpd "patch" to hijack the request processing internally, do necessary data and graph ops and push the result into Bufferevent buffer directly, before httpd serves it up to the client.

** 2) FCGI responder app, talking to httpd over unix socket. *BTW*: this is *most* secure version I know of, I could chroot / pledge / unveil and, IMO, it beats SELinux and anything else.

3) CGI script in ksh<=>slowcgi<=>FCGI=>httpd

4) CGI program (statically linked) in pure C<=>slowcgi<=>FCGI=>httpd

5) PHP :-) page (no frameworks)<=>php-fpm (with OpCache)<=>FCGI=>httpd

To my extreme surprise, the outcome was clear - *it did not matter* what I wrote my logic in, _anything today_ (including CGI shell script) is so fast, that 90% of time was spent on Network communication between the WebServer and the Browser. (And with TLS it is like 2x penalty ...)

All options above gave me end-to-end page generation time about 1-1.5 ms.

Guess what? Beyond "Hello World", with page size of 500Kb+, PHP was faster than anything else, including native "httpd patch" in C.

As side effect, I also confirmed that Libevent-based absolutely gorgeous OpenBSD httpd works slightly slower than standard pre-fork Apache httpd from pkg_add. (It gave me sub-ms times, just like 7 years ago)

Who would say ...

What also happened is that *any* framework (PHP or I even tried nodejs) or writing CGI in Python increased my end-to-end page generation time 10x, to double-digit ms.

I remember last week someone here was talking about writing business applications / servers for clients in C++, delivering them as single executable file.

I would be very interested to hear how that person's observations correlate with mine above.

G'day everyone!

exdsq, more than 3 years ago
Is anyone using this for anything? I'd love to know!

bitfoxtop, more than 3 years ago
for this old environment, why not perl but C?

jolux, more than 3 years ago
Parsing untrusted input in C never hurt anyone, did it?

guggle, more than 3 years ago
If you're going to promote a stack, try at least to showcase all its components in the *first* example you give. Where is the SQLite part in your "BSD, C, httpd, SQLite" ? https://learnbchs.org/easy.html

Hello world apps don't mean much.

edfletcher_t137, more than 3 years ago
This feels like an unreasonable eschewing of all the advancements in programmer ergonomics & tooling that have been made over the course of decades.

"Just because you can, doesn't mean you should."