Show HN: unsafehttp – tiny web server from scratch in C, running on an orange pi

unsafehttp.benren.au

85 points by GSGBen 3 days ago

Hey HN, I wanted to get more familiar with C programming, *nix socket programming and C compilation, so I wrote this "web" ""server"". It's running on a tiny SBC in my office, and there's as little as possible between you and it.

Happy for you to try and break it, hopefully with something more interesting than a DoS though :) Please let me know if you find any issues.

nneonneo 2 days ago

If you want to make it actually decently safe, one approach would be to make a list of all the syscalls you critically need after you have loaded all the content in memory (strace can help), then write a seccomp filter to block all the others. Since you don’t need filesystem interaction or pretty much anything except socket I/O, your syscall allowlist can be pretty short. This will ensure that even if an attacker manages to exploit a bug (like a UAF) they’ll be dropped into a sandbox with very little useful functionality.

  • cenamus 2 days ago

    Or (if on openbsd), the pledge and unveil syscalls. Pretty similar effect, but much easier

JdeBP 2 days ago

You are lucky that all of your sample files have dots in their names. (-:

  • a1o 2 days ago

    I don't understand this, could you explain?

    • kjellsbells 2 days ago

      around line 663. there's a call to strrchr, checking for a period in the filename. then immediately after that, there's a strlen that uses the results.

      Which is fine, unless the first call returns NULL, because there was no period in the name, and then the program will crash.

      • JdeBP 2 days ago

        Much has been said about Daniel J. Bernstein eschewing the Standard C library in publicfile and other softwares. But Bernstein's str_rchr() function was designed to expressly avoid this well-known gotcha of the Standard C string functions.

        Here's str_rchr() which uses the offset of the terminating NUL as the returned sentinel value:

        * https://github.com/jdebp/djbwares/blob/trunk/source/str_rchr...

        And here's it being used (by publicfile's httpd and indeed other programs) to find the basename's extension in order to infer a content type:

        * https://github.com/jdebp/djbwares/blob/trunk/source/filetype...

        The extension is always a non-NULL string, that can always be passed to str_equal(). It is just sometimes a zero-length string.

        It's possible, but a bit clunky, to achieve the same effect with two successive calls to Standard C/C++ strrchr(), or strchr(), the second being:

                if (!result) result = std::strchr(s, '\0');
        Here's me doing that in my own code:

        * https://github.com/jdebp/nosh/blob/c8d635c284b41b483067d5f58...

        One can get very lost in the weeds on the comparative merits on different instruction architectures of compiler intrinsics, explicit loop unrolling, whole program optimization, and whatnot. (-:

      • GSGBen 2 days ago

        Oof, thanks.

gurjeet 2 days ago

> RFC 9112 is a fantastic document that details the exact format of HTTP 1.1 requests, how servers should respond to those requests ...

> This server follows almost none of that.

This made me chuckle :-)

  • sgbeal 2 days ago

    The comedy continues in the next paragraph:

    > Readers MUST NOT hold this against the project, and SHOULD use this as motivation to keep some of their own side projects fun and short.

    That's comedy gold, right there. (Tip: RFC-2119)

contingencies 2 days ago

Are you near Sydney? I noted a possible link to the Central Coast. I will contribute a smaller device if you're game to host it.

PS. You may be unaware that your shortened domain name 'benren' from your whois-available real name means "stupid person" in Mandarin. Only noted because there is a company registered with the same name since 1999. On the off chance it's yours, probably not the best marketing in a global world. Just throwing it out there.

  • nneonneo 2 days ago

    It could be self-deprecating! Plus, I would more readily read it as 本人 (this person/me/myself) - than as 笨人 (stupid person).

    Also, Pinyin is more susceptible to accidental interpretations than most writing systems due to ambiguity and tonality. For example, “mana” can be parsed into 32 different syllable-tone combinations (man/a or ma/na times 4x4 tone combinations for each syllable), and while most aren’t meaningful, that still gives you a ton of potential words to match against.

  • qskousen 2 days ago

    Almost everything is going to sound like something else in some other language, I don't know that there's much you can do about that. On the plus side, maybe the silly association will make the name stick in people's heads!

Hydraulix989 2 days ago

I saw the title, and this is everything I have ever hoped for.

rurban 2 days ago

I also have a tiny one, used in production with custom decompression and decryption for some IoT devices in the field, which push sensor updates to it. http 1.0 PUT only, multi-threaded and super efficient. One page only (about 50 lines or so). Pretty safe.

Joker_vD 2 days ago
 

    // it doesn't seem to love piping or redirecting output without this, even
    // with the newlines above
    fflush(stdout);
Ah, the full buffering mode. I believe it can be fixed by calling

    setvbuf(stdout, NULL, _IOLBF, BUFSIZ);
once at the start.

On the whole, it actually almost implements the minimally required amount of HTTP/1.1: I would suggest adding support for HEAD requests, it's just a single flag that you need to set in the try_parse_request_path(), and check in generate_response(). Also, probably check that the request path is followed by "HTTP/1." before sending the response? And I'd really recommend finishing reading out all of the request from the socket (that is, until you've seen "\r\n\r\n"), or you may run into the problem of your clients not being sent the complete response [0].

But other than that, yeah, it is an HTTP server. The HTTP protocol is decently well thought out so that you can be oblivious of most of the features you don't want to support.

[0] https://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-... — the tl;dr is that if you do close() on a socket that still has the data from the client you haven't recv()d, the client will be sent an RST.

  • GSGBen 2 days ago

    Ah yep, I read about the TCP RST problem in one of the RFC docs, then promptly forgot about it and never implemented anything to avoid it. Thankyou for the detailed notes.

nullify88 2 days ago

Good to see more tiny / small http servers. I'm not a fan of sticking Nginx in a container which maybe bigger than the assets its serving. A statically compiled httpd from busybox has been great for this reason but its good to see more options.

nurettin 2 days ago

This should be a rite of passage: Read a sizeable RFC and make a passable implementation.

MelvinButtsESQ 2 days ago

Consider it broke. You are getting hugged to death by HN. Throw Cloudlfare in front.

SJC_Hacker 2 days ago

Easiest way to make it safe is

1) Run it in a container

2) Isolate it through a reverse proxy, probably nginx

  • integralid 2 days ago

    This doesn't make it safe. It can still be exploited and used to join a botnet, as a proxy, to mine cryptocurrency, to spy on requests or redirect users to malicious websites or phish them, to host malware...

    • SJC_Hacker a day ago

      Maybe but at least the damage is isolated … can always just restart container

      Also I’m curious how a bonnet can get through a container … outgoing connections should be blocked by default

  • antonvs 2 days ago

    3) Deploy on a cloud provider’s managed Kubernetes behind a WAF. Now it’s web scale!

GSGBen 2 days ago

Should be back up now with a very temporary workaround in place.

joncfoo 2 days ago

Doesn't seem to be up =\

  • GSGBen 2 days ago

    Found the issue - a use after free in send_response() if I close the session early due to an error. Was continuing to the next bit. Put a temp fix in place, will push a proper one later.

  • GSGBen 2 days ago

    Whoops, should be back up now. I'll have to check logs later to see why it went down.

    • eyjafjallajokul 2 days ago

      You're going to need a bigger host to support HN traffic :)

      • 201984 2 days ago

        What is it about HN that overwhelms small servers like this? It was a small static page so I wouldn't think it'd be that much load on the server itself, even for an OrangePi like this one.

        Too many simultaneous connections for his router maybe? Or too much bandwidth for his internet connection?

        • binaryturtle 2 days ago

          If they are behind a NAT/ stateful firewall there is just so much connections it will handle at once. I think OpenWRT has like 16K max by default, f.ex. So for less than 16K requests by different users/IPs… each is kept for about 1 minute I think… it quickly will go down, I guess. :)

          cat /proc/sys/net/netfilter/nf_conntrack_max

          Should give some details.

          • 201984 2 days ago

            Do you know if using the DMZ feature on most routers instead of port forwarding would get around this limit, or if there's any other way?

      • 1vuio0pswjnm7 2 days ago

        I wish submitters would try using .onion sites for small static pages, for example as an alternative URL

        Fewer source IPs

throwaway1492 2 days ago

Nice effort but this isn’t interesting at all. You skipped the most interesting part; parsing http. This is beejs networking tutorial with writing a file to a socket.

Harsh? Maybe, but you’re posting this to a site with some of the most talented developers on planet. Real talk, sorry.

  • bevhill 2 days ago

    I swear that the only thing that draws people to this industry is the desire to escape their home village. It certainly isn't the quality of conversation with like-minded tinkerers. It's just losers like you who think a big paycheck for playing with Jira means you're the smartest boy in the world. God help us.

  • bevr1337 2 days ago

    Shitty reply and this critique isn't helpful at all. You assumed the most interesting part; the thing you personally want.

    Harsh? Maybe, but you're posting this to a site with some of the most jaded developers on the planet. Not sorry.

  • RVuRnvbM2e 2 days ago

    Obviously you aren't one of them with an attitude like that.

  • 000ooo000 2 days ago

    Let's see throwaway1492's code

  • ethan_smith 2 days ago

    Even simple implementations serve as valuable learning exercises, and proper HTTP parsing could be the natural next step in the author's learning journey.

  • tom_ 2 days ago

    Parsing HTTP is entirely unnecessary. That's the web client's job.

    • integralid 2 days ago

      Do you mean parsing HTML? HTTP is the protocol they use to communicate, so both client and server must speak it. Or did I misunderstand you?