Show HN: unsafehttp – tiny web server from scratch in C, running on an orange pi (opens in new tab)

(unsafehttp.benren.au)

87 pointsGSGBen7mo ago52 comments

Hey HN, I wanted to get more familiar with C programming, *nix socket programming and C compilation, so I wrote this "web" ""server"". It's running on a tiny SBC in my office, and there's as little as possible between you and it.

Happy for you to try and break it, hopefully with something more interesting than a DoS though :) Please let me know if you find any issues.

52 comments

nneonneo7mo ago

If you want to make it actually decently safe, one approach would be to make a list of all the syscalls you critically need after you have loaded all the content in memory (strace can help), then write a seccomp filter to block all the others. Since you don’t need filesystem interaction or pretty much anything except socket I/O, your syscall allowlist can be pretty short. This will ensure that even if an attacker manages to exploit a bug (like a UAF) they’ll be dropped into a sandbox with very little useful functionality.

cenamus7mo ago

Or (if on openbsd), the pledge and unveil syscalls. Pretty similar effect, but much easier

lionkor7mo ago

I've got a similar one, but with http 1.0 and partial 1.1 support, multi threaded, etc. in C

https://GitHub.com/lionkor/http

rwmj7mo ago

Here's one I wrote 25 years ago that was actually used in production for about a decade. For reasons, it ran on a server with 128MB of RAM and served a web/JS chat server for a large number of schools in England.

http://git.annexia.org/?p=rws.git;a=tree

GSGBenOP7mo ago

Noice!

JdeBP7mo ago

You are lucky that all of your sample files have dots in their names. (-:

a1o7mo ago

I don't understand this, could you explain?

kjellsbells7mo ago

around line 663. there's a call to strrchr, checking for a period in the filename. then immediately after that, there's a strlen that uses the results.

Which is fine, unless the first call returns NULL, because there was no period in the name, and then the program will crash.

2 more replies

gurjeet7mo ago

> RFC 9112 is a fantastic document that details the exact format of HTTP 1.1 requests, how servers should respond to those requests ...

> This server follows almost none of that.

This made me chuckle :-)

sgbeal7mo ago

The comedy continues in the next paragraph:

> Readers MUST NOT hold this against the project, and SHOULD use this as motivation to keep some of their own side projects fun and short.

That's comedy gold, right there. (Tip: RFC-2119)

contingencies7mo ago

Are you near Sydney? I noted a possible link to the Central Coast. I will contribute a smaller device if you're game to host it.

PS. You may be unaware that your shortened domain name 'benren' from your whois-available real name means "stupid person" in Mandarin. Only noted because there is a company registered with the same name since 1999. On the off chance it's yours, probably not the best marketing in a global world. Just throwing it out there.

nneonneo7mo ago

It could be self-deprecating! Plus, I would more readily read it as 本人 (this person/me/myself) - than as 笨人 (stupid person).

Also, Pinyin is more susceptible to accidental interpretations than most writing systems due to ambiguity and tonality. For example, “mana” can be parsed into 32 different syllable-tone combinations (man/a or ma/na times 4x4 tone combinations for each syllable), and while most aren’t meaningful, that still gives you a ton of potential words to match against.

qskousen7mo ago

Almost everything is going to sound like something else in some other language, I don't know that there's much you can do about that. On the plus side, maybe the silly association will make the name stick in people's heads!

chuckadams7mo ago

Considering how much of even the English-speaking world is using a version control system named git…

Hydraulix9897mo ago

I saw the title, and this is everything I have ever hoped for.

Joker_vD7mo ago

    // it doesn't seem to love piping or redirecting output without this, even
    // with the newlines above
    fflush(stdout);

Ah, the full buffering mode. I believe it can be fixed by calling

    setvbuf(stdout, NULL, _IOLBF, BUFSIZ);

once at the start.

On the whole, it actually almost implements the minimally required amount of HTTP/1.1: I would suggest adding support for HEAD requests, it's just a single flag that you need to set in the try_parse_request_path(), and check in generate_response(). Also, probably check that the request path is followed by "HTTP/1." before sending the response? And I'd really recommend finishing reading out all of the request from the socket (that is, until you've seen "\r\n\r\n"), or you may run into the problem of your clients not being sent the complete response [0].

But other than that, yeah, it is an HTTP server. The HTTP protocol is decently well thought out so that you can be oblivious of most of the features you don't want to support.

[0] https://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-... — the tl;dr is that if you do close() on a socket that still has the data from the client you haven't recv()d, the client will be sent an RST.

GSGBenOP7mo ago

Ah yep, I read about the TCP RST problem in one of the RFC docs, then promptly forgot about it and never implemented anything to avoid it. Thankyou for the detailed notes.

rurban7mo ago

I also have a tiny one, used in production with custom decompression and decryption for some IoT devices in the field, which push sensor updates to it. http 1.0 PUT only, multi-threaded and super efficient. One page only (about 50 lines or so). Pretty safe.

nullify887mo ago

Good to see more tiny / small http servers. I'm not a fan of sticking Nginx in a container which maybe bigger than the assets its serving. A statically compiled httpd from busybox has been great for this reason but its good to see more options.

nurettin7mo ago

This should be a rite of passage: Read a sizeable RFC and make a passable implementation.

MelvinButtsESQ7mo ago

Consider it broke. You are getting hugged to death by HN. Throw Cloudlfare in front.

mwcremer7mo ago

Reminds me of Jef Poskanzer’s micro_http: https://acme.com/software/micro_httpd/

SJC_Hacker7mo ago

Easiest way to make it safe is

1) Run it in a container

2) Isolate it through a reverse proxy, probably nginx

integralid7mo ago

This doesn't make it safe. It can still be exploited and used to join a botnet, as a proxy, to mine cryptocurrency, to spy on requests or redirect users to malicious websites or phish them, to host malware...

SJC_Hacker7mo ago

Maybe but at least the damage is isolated … can always just restart container

Also I’m curious how a bonnet can get through a container … outgoing connections should be blocked by default

antonvs7mo ago

3) Deploy on a cloud provider’s managed Kubernetes behind a WAF. Now it’s web scale!

GSGBenOP7mo ago

Should be back up now with a very temporary workaround in place.

p0w3n3d7mo ago

I would expect GitHub page. The server seems down

2019847mo ago

It had a link to the GitHub page while it was still up.

https://github.com/GSGBen/unsafehttp

joncfoo7mo ago

Doesn't seem to be up =\

GSGBenOP7mo ago

Found the issue - a use after free in send_response() if I close the session early due to an error. Was continuing to the next bit. Put a temp fix in place, will push a proper one later.

GSGBenOP7mo ago

Still seems to have an issue, but no output before the crash. Will have to do some more debugging. Thanks for the test HN!

Source is here btw: https://github.com/GSGBen/unsafehttp/blob/main/src/main.c

Retr0id7mo ago

hotfixing httpd UAFs is peak HN spirit :)

GSGBenOP7mo ago

Whoops, should be back up now. I'll have to check logs later to see why it went down.

eyjafjallajokul7mo ago

You're going to need a bigger host to support HN traffic :)

2 more replies

throwaway14927mo ago

Nice effort but this isn’t interesting at all. You skipped the most interesting part; parsing http. This is beejs networking tutorial with writing a file to a socket.

Harsh? Maybe, but you’re posting this to a site with some of the most talented developers on planet. Real talk, sorry.

bevhill7mo ago

I swear that the only thing that draws people to this industry is the desire to escape their home village. It certainly isn't the quality of conversation with like-minded tinkerers. It's just losers like you who think a big paycheck for playing with Jira means you're the smartest boy in the world. God help us.

bevr13377mo ago

Shitty reply and this critique isn't helpful at all. You assumed the most interesting part; the thing you personally want.

Harsh? Maybe, but you're posting this to a site with some of the most jaded developers on the planet. Not sorry.

RVuRnvbM2e7mo ago

Obviously you aren't one of them with an attitude like that.

000ooo0007mo ago

Let's see throwaway1492's code

ethan_smith7mo ago

Even simple implementations serve as valuable learning exercises, and proper HTTP parsing could be the natural next step in the author's learning journey.

roominator7mo ago

nah this is pretty cool

tom_7mo ago

Parsing HTTP is entirely unnecessary. That's the web client's job.

integralid7mo ago

Do you mean parsing HTML? HTTP is the protocol they use to communicate, so both client and server must speak it. Or did I misunderstand you?

1 more reply

j / k navigate · click thread line to collapse

52 comments

nneonneo7mo ago

cenamus7mo ago

Or (if on openbsd), the pledge and unveil syscalls. Pretty similar effect, but much easier

lionkor7mo ago

I've got a similar one, but with http 1.0 and partial 1.1 support, multi threaded, etc. in C

https://GitHub.com/lionkor/http

rwmj7mo ago

http://git.annexia.org/?p=rws.git;a=tree

GSGBenOP7mo ago

Noice!

JdeBP7mo ago

You are lucky that all of your sample files have dots in their names. (-:

a1o7mo ago

I don't understand this, could you explain?

kjellsbells7mo ago

around line 663. there's a call to strrchr, checking for a period in the filename. then immediately after that, there's a strlen that uses the results.

Which is fine, unless the first call returns NULL, because there was no period in the name, and then the program will crash.

2 more replies

gurjeet7mo ago

> RFC 9112 is a fantastic document that details the exact format of HTTP 1.1 requests, how servers should respond to those requests ...

> This server follows almost none of that.

This made me chuckle :-)

sgbeal7mo ago

The comedy continues in the next paragraph:

> Readers MUST NOT hold this against the project, and SHOULD use this as motivation to keep some of their own side projects fun and short.

That's comedy gold, right there. (Tip: RFC-2119)

contingencies7mo ago

Are you near Sydney? I noted a possible link to the Central Coast. I will contribute a smaller device if you're game to host it.

nneonneo7mo ago

It could be self-deprecating! Plus, I would more readily read it as 本人 (this person/me/myself) - than as 笨人 (stupid person).

qskousen7mo ago

chuckadams7mo ago

Considering how much of even the English-speaking world is using a version control system named git…

Hydraulix9897mo ago

I saw the title, and this is everything I have ever hoped for.

Joker_vD7mo ago

    // it doesn't seem to love piping or redirecting output without this, even
    // with the newlines above
    fflush(stdout);

Ah, the full buffering mode. I believe it can be fixed by calling

    setvbuf(stdout, NULL, _IOLBF, BUFSIZ);

once at the start.

But other than that, yeah, it is an HTTP server. The HTTP protocol is decently well thought out so that you can be oblivious of most of the features you don't want to support.

GSGBenOP7mo ago

Ah yep, I read about the TCP RST problem in one of the RFC docs, then promptly forgot about it and never implemented anything to avoid it. Thankyou for the detailed notes.

rurban7mo ago

nullify887mo ago

nurettin7mo ago

This should be a rite of passage: Read a sizeable RFC and make a passable implementation.

MelvinButtsESQ7mo ago

Consider it broke. You are getting hugged to death by HN. Throw Cloudlfare in front.

mwcremer7mo ago

Reminds me of Jef Poskanzer’s micro_http: https://acme.com/software/micro_httpd/

SJC_Hacker7mo ago

Easiest way to make it safe is

1) Run it in a container

2) Isolate it through a reverse proxy, probably nginx

integralid7mo ago

SJC_Hacker7mo ago

Maybe but at least the damage is isolated … can always just restart container

Also I’m curious how a bonnet can get through a container … outgoing connections should be blocked by default

antonvs7mo ago

3) Deploy on a cloud provider’s managed Kubernetes behind a WAF. Now it’s web scale!

GSGBenOP7mo ago

Should be back up now with a very temporary workaround in place.

p0w3n3d7mo ago

I would expect GitHub page. The server seems down

2019847mo ago

It had a link to the GitHub page while it was still up.

https://github.com/GSGBen/unsafehttp

joncfoo7mo ago

Doesn't seem to be up =\

GSGBenOP7mo ago

Found the issue - a use after free in send_response() if I close the session early due to an error. Was continuing to the next bit. Put a temp fix in place, will push a proper one later.

GSGBenOP7mo ago

Still seems to have an issue, but no output before the crash. Will have to do some more debugging. Thanks for the test HN!

Source is here btw: https://github.com/GSGBen/unsafehttp/blob/main/src/main.c

Retr0id7mo ago

hotfixing httpd UAFs is peak HN spirit :)

GSGBenOP7mo ago

Whoops, should be back up now. I'll have to check logs later to see why it went down.

eyjafjallajokul7mo ago

You're going to need a bigger host to support HN traffic :)

2 more replies

throwaway14927mo ago

Nice effort but this isn’t interesting at all. You skipped the most interesting part; parsing http. This is beejs networking tutorial with writing a file to a socket.

Harsh? Maybe, but you’re posting this to a site with some of the most talented developers on planet. Real talk, sorry.

bevhill7mo ago

bevr13377mo ago

Shitty reply and this critique isn't helpful at all. You assumed the most interesting part; the thing you personally want.

Harsh? Maybe, but you're posting this to a site with some of the most jaded developers on the planet. Not sorry.

RVuRnvbM2e7mo ago

Obviously you aren't one of them with an attitude like that.

000ooo0007mo ago

Let's see throwaway1492's code

ethan_smith7mo ago

Even simple implementations serve as valuable learning exercises, and proper HTTP parsing could be the natural next step in the author's learning journey.

roominator7mo ago

nah this is pretty cool

tom_7mo ago

Parsing HTTP is entirely unnecessary. That's the web client's job.

integralid7mo ago

Do you mean parsing HTML? HTTP is the protocol they use to communicate, so both client and server must speak it. Or did I misunderstand you?

1 more reply

j / k navigate · click thread line to collapse