Introducing OpenBSD's new httpd [pdf]

197 点作者 fcambus大约 10 年前

20 条评论

xiaq大约 10 年前

So... Apache was removed from base on Mar 14 2014 in favor of nginx, and nginx on Aug 27 2014 in favor of OpenBSD httpd.For sysadmins who closely follow the "recommended" way, having to migrate the configurations of the http server twice within half a year must have been a frustrating experience.Also, I wonder what "removal from base" means exactly - can you still install them (the OpenBSD-patched versions) from the ports collection or something like that?

评论 #9202444 未加载

评论 #9202234 未加载

评论 #9204510 未加载

jacquesm大约 10 年前

I've been going through the code for the last half hour and I really hope this isn't representative of what the OpenBSD group considers to be defensive C programming.Stack allocated buffers, questionable logic and a generally terrible style as well as a complete lack of comments.Don't take my word for it, see for yourself:<a href="https://github.com/reyk/httpd/blob/master/httpd/server.c" rel="nofollow">https://github.com/reyk/httpd/blob/master/httpd/server.c</a>The "new" is a bit off too, the copyright runs 2006-2015.

评论 #9202325 未加载

评论 #9202164 未加载

评论 #9202179 未加载

评论 #9202763 未加载

评论 #9202259 未加载

评论 #9202175 未加载

评论 #9204529 未加载

marc_omorain大约 10 年前

Is there a technical reason why you would implement HTTPS in a HTTP server? If you ran a separate process on port 443 to terminate SSL connections, and then proxy that request to a HTTP server running locally, there would be better separation of concerns.For example, this setup would mean that a security flaw in the HTTP server that allowed a user to read memory would not be able to read any private keys used in the HTTPS server.I guess some downsides would be some extra latency while the request is proxied, and some extra memory overhead for the second process.I'm interested in anyones thoughts on this.

评论 #9202721 未加载

评论 #9204127 未加载

评论 #9202685 未加载

评论 #9202932 未加载

评论 #9203173 未加载

评论 #9203677 未加载

评论 #9204050 未加载

zx2c4大约 10 年前

I love these guys:<a href="https://github.com/reyk/httpd/blob/master/httpd/server_http.c#L802-L804" rel="nofollow">https://github.com/reyk/httpd/blob/master/httpd/server_http....</a>

评论 #9203507 未加载

评论 #9204518 未加载

评论 #9203251 未加载

detaro大约 10 年前

Supports TLS using LibreSSL, serves static files and FastCGI.<a href="https://github.com/reyk/httpd/issues?q=label%3Afeaturitis+is%3Aclosed" rel="nofollow">https://github.com/reyk/httpd/issues?q=label%3Afeaturitis+is...</a>featuritis tag in die bugtracker for currently denied features. Clearly aiming for as simple as possible while being useful.

评论 #9203009 未加载

评论 #9202358 未加载

评论 #9202142 未加载

fcambus大约 10 年前

Slides are available here : <a href="http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf" rel="nofollow">http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pd...</a>

ezequiel-garzon大约 10 年前

If I may take this opportunity... Does anybody know what I'm supposed to put in /etc/ssl/server.crt for SSL encryption? I have concatenated all six possible permutations of my own certificate ssl.crt, the intermediate certificate sub.class1.server.ca.pem and the root certificate ca.pem, but this gives me the error The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer) (my Ubuntu Chrome gives me a green lock, though). Feel free to visit my blank site <a href="https://ezequiel-garzon.net" rel="nofollow">https://ezequiel-garzon.net</a>Thanks!

评论 #9202555 未加载

评论 #9202275 未加载

评论 #9202566 未加载

andor大约 10 年前

FastCGI: The protocol provides the single and fast interface to serve dynamic contentThat's a bad choice in my opinion. Without reverse proxy functionality httpd can't match the flexibility of nginx.

评论 #9202411 未加载

评论 #9202272 未加载

评论 #9202183 未加载

评论 #9202318 未加载

评论 #9204555 未加载

captaintod大约 10 年前

Surprised that nobody has mentioned ashd yet: <a href="http://www.dolda2000.com/~fredrik/ashd/" rel="nofollow">http://www.dolda2000.com/~fredrik/ashd/</a>

jalfresi大约 10 年前

Does anyone know if the FastCGI implementation is complete i.e. it supports FastCGI processes in all three roles; Responder, Authorizer and Filter? I've always wanted to use FastCGI more but most implementations (in Apache and Nginx at least) only support some of those roles (or require work arounds using server specific features; i.e. apache filters rather than FastCGI filters)

评论 #9202455 未加载

davidgerard大约 10 年前

I read the config file format and I fell in love.I really hope this gets the portable treatment.

jnazario大约 10 年前

[update - i read the back story elsewhere and the reason is less boneheaded than i had assumed. still, i think the community needs to focus on higher priority needs and gaps]this is the sort of thing that makes me happy i'm no longer involved in the OpenBSD world. httpd & previously smtpd are two replacements that (in my opinion) have little additive value beyond existing, community-adopted solutions (e.g. nginx and postfix), diluting effort where it is needed.does the world need a new httpd? maybe. but the world needs other replacement software to be done first because it'll have a greater impact.for example, OpenBSD could invest time and effort in maturing static code analyzers to assist in code audits (especially of ports).i suspect this new httpd was done less because it was needed and more because it could be done. that's the attitude i disagree with.

评论 #9203751 未加载

评论 #9202896 未加载

评论 #9203180 未加载

评论 #9203111 未加载

评论 #9202556 未加载

joosters大约 10 年前

OpenBSD seems to have caught a bad case of the 'not invented here' sickness. If they didn't like where nginx was going, why not just fork it and have a working web server with a known codebase? The forks would diverge but they could still grab fixes from nginx whenever they wanted to.

评论 #9202522 未加载

评论 #9202328 未加载

cturner大约 10 年前

What would be the elegant way to implement websockets on the new openbsd arrangement? Would it be to use relayd instead of httpd? Or is websocketd suitable for the openbsd base?

评论 #9204904 未加载

floatboth大约 10 年前

Why do they even have an httpd in base? They like to say they're smaller and simpler than FreeBSD, but FreeBSD doesn't include a web server in base!

评论 #9202473 未加载

评论 #9202300 未加载

评论 #9204459 未加载

dyoder大约 10 年前

Did OpenBSD just standardize on an HTTP server they wrote in 2 weeks, has no tests, doesn't fully implement the spec…and then brag about it?

评论 #9205230 未加载

mdekkers大约 10 年前

any performance benchmarks in the wild?

kymywho大约 10 年前

Https authentication support for Subversion could be the killer feature.

vacri大约 10 年前

Why use a name that's already in use as a general descriptor? At least the other httpds have names that can be used to differentiate them: <a href="http://en.wikipedia.org/wiki/Httpd" rel="nofollow">http://en.wikipedia.org/wiki/Httpd</a>

评论 #9205018 未加载

评论 #9219923 未加载

评论 #9203754 未加载

amelius大约 10 年前

I'm amazed we still use configuration files like that. Why not have some capable programming language (python, javascript) handle the configuration? This would let one more naturally describe things, and will eventually reduce the possibility of obscure configuration commands that do one very specific thing, and hence lead to frustration when the user needs something slightly different. Using a programming language, one could even configure using callbacks, etc. and is much more flexible.

评论 #9202975 未加载

评论 #9208703 未加载

评论 #9202769 未加载