From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: AWS applications and domain hosting
Date: Thu, 30 Jun 2005 20:45:00 -0500
Message-ID: <6OqdnTq7ecT_AlnfRVn-rA@megapath.net>

"Jacob Sparre Andersen" wrote in message news:m23bqzcrew.fsf@hugin.crs4.it...
> Randy Brukardt wrote:
...
> > While Apache is a fine program, if you're doing light-duty work (and
> > almost all web programs outside of Google are light-duty), an
> > all-Ada solution will perform adequately and will be much less
> > likely to break. After all, I believe in security by not having
> > unused services on the system. Generalized systems like Apache
> > simply provide too many "features" of little value to be
> > safe. "Turning off" unused services via a configuration file is much
> > less safe (someone could rewrite the configuration file) than not
> > having the services around in the first place. And every additional
> > program will provide an additional failure point.
>
> Changing the configuration file is slightly easier than dumping in a
> modified binary - but not so much that I think it is a fair critique.
>
> Still, you're right that with a system like Apache you're more likely
> to have a few more features activated than you need. - On the other
> hand; you reduce the risk of implementing new security holes, when you
> use code more people have looked at, and my web server would still be
> off-line, if I had had to implement it using AWS instead of just
> installing and configuring Apache [1].

In one sense, I'd say it would be hard to argue. But in another sense, I rather disagree.

HTTP is a fairly simple protocol. Since there is no state, it's pretty hard for it alone to be a security hole. Secondly, when your application is written in Ada (and you haven't suppressed checks), the opportunities for bugs causing trouble are quite small. Most bugs in the AdaIC.com server simply result in a message in the main log and a connect reset - not a security hole.

So that only leaves systematic problems. For pure file serving, the only real problem is serving files that are outside of the web root. That isn't too hard to prevent (you do have to look for funny sequences of ".."), and anything unusual can just be rejected (unlike Apache's authors, I *know* that there aren't going to be any files with names including funny characters on our web site!).

The real security problems come from the advanced stuff that you write, but you'll have those issues in any case if you've written using AWS. (Well, the worst problems come from Apache running Perl and PHP stuff, but you probably won't do that.)

Of course, if you have to share the system as you mentioned, certainly use Apache as a front-end; it's certainly better than not writing your stuff in Ada in the first place. But if not, you can certainly run an all-Ada web server as I do for AdaIC.com -- it runs several domains, the spotlight server, and the Ada search engine without making much of a dent in the machine. (Only the last takes much CPU time.)

Randy.
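
The web-root check described in the message above, sketched as an added example; it is not code from the post, from AWS, or from the AdaIC.com server. The name `Is_Safe_Path` and the exact character allowlist are assumptions chosen for illustration.

```ada
with Ada.Text_IO;
procedure Check_Request_Path is
   --  Hypothetical helper (assumption, not an AWS routine).  Accepts a
   --  request path only if it starts with '/', uses nothing outside a
   --  small allowlist, and has no segment that is empty or begins with
   --  '.' (covers ".", ".." and hidden files).  Anything unusual is
   --  rejected outright instead of being normalized.
   function Is_Safe_Path (Path : String) return Boolean is
      Segment_Start : Boolean := True;  --  True just after a '/'
   begin
      if Path'Length = 0 or else Path (Path'First) /= '/' then
         return False;
      end if;
      for I in Path'First + 1 .. Path'Last loop
         case Path (I) is
            when '/' =>
               if Segment_Start then
                  return False;         --  empty segment such as "//"
               end if;
               Segment_Start := True;
            when '.' =>
               if Segment_Start then
                  return False;         --  ".", "..", ".htaccess"
               end if;
            when 'a' .. 'z' | 'A' .. 'Z' | '0' .. '9' | '-' | '_' =>
               Segment_Start := False;
            when others =>
               return False;            --  '%', '\', spaces, controls
         end case;
      end loop;
      return True;
   end Is_Safe_Path;

   procedure Show (Path : String) is
   begin
      if Is_Safe_Path (Path) then
         Ada.Text_IO.Put_Line ("serve   " & Path);
      else
         Ada.Text_IO.Put_Line ("reject  " & Path);
      end if;
   end Show;
begin
   --  Constructed sample request paths.
   Show ("/index.html");
   Show ("/docs/ada-95/rm.html");
   Show ("/docs/../../secret");
   Show ("/docs/%2e%2e/secret");
   Show ("/docs\..\secret");
   Show ("/.htaccess");
end Check_Request_Path;
```

Because '%' and '\' are not in the allowlist, percent-encoded or backslash-separated ".." sequences are rejected whether the check sees the raw or the decoded path.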