locking down newlisp webserver

Started by tom, January 28, 2008, 10:05:04 AM


tom

Howdy guys,



I'd like to use newlisp to serve cgi webpages on a public server.  Can anyone offer any advice as to how to make it as secure as possible?  The -http option won't work because it doesn't allow cgi.  I compiled and tested a binary with NOCMD but it had the same effect.  Restricting access to a single directory would be great.  How would I go about that, any ideas?



thag bew berry butch.

:)

Lutz

#1
Quote from: "tom"
The -http option won't work because it doesn't allow cgi


running a newLISP server using the -http option does support CGI. On Unix in any scripting language and on Win32 in newLISP (*). But when running on a public server I would use the Apache web-server and CGI based on newLISP scripts. This is how http://newlisp.org and http://unbalanced-parentheses.nfshost.com/ and http://neglook.com are running.



What you need to compile/install on the server is a newLISP binary, to which the newLISP cgi scripts can refer and let newLISP do the work of formatting and generating webpages, connecting to databases etc.



Lutz



(*) newLISP running as a webserver using the -http option is great for smaller installations behind a firewall and where all the configuration support of bigger servers like Apache is not necessary.

cormullion

#2
I test my CGI scripts on my local machine using a persistent newlisp process:



sudo newlisp -http -d 80 -w ~/Sites/blah/index.cgi



but when I upload them they run using Apache.



I gather that the key to happy CGI-ing lies in the various permissions of the files and directories, rather than in your scripts. The idea is, I gather, to make sure that the web browsers can read and execute, that the cgi scripts can write only to specific locations, and that only you, the owner, can do the maintenance. How it's all done is mostly beyond me but nfshost.com have set it up quite well for me...

tom

#3
Quote from: "Lutz"
running a newLISP server using the -http option does support CGI. On Unix in any scripting language and on Win32 in newLISP (*). But when running on a public server I would use the Apache web-server and CGI based on newLISP scripts. This is how http://newlisp.org and http://unbalanced-parentheses.nfshost.com/ and http://neglook.com are running.



What you need to compile/install on the server is a newLISP binary, to which the newLISP cgi scripts can refer and let newLISP do the work of formatting and generating webpages, connecting to databases etc.


I understand that; I've got two sites running just that way except they're running lighttpd instead of apache (lighttpd is lighter, faster, and a whole lot easier to configure than apache).  I'll have to try again with newlisp and the -http option--I'm not sure what I could have done wrong for it not to work.



Of course I can do cgi the "normal" way.  I just want to give newlisp a page to serve for fun.  It already works great here on my own box.  I suppose I'll give up if newlisp as a webserver can't be made internet safe,  but I'm not trying to make a workhorse out of it, or trying to replace a real web server, I'm just amusing myself.

Lutz

#4
You can use a configuration file loaded with the newLISP server to configure it further for more security.


newlisp http-conf.lsp -http -d 80 -w /usr/home/www

or when running on a Unix box with inetd:


newlisp http-conf.lsp -http -w /usr/home/www



There is a sample http-conf.lsp in /usr/share/newlisp/util when installed on Unix or in the source distribution in the util directory.



It shows how to send an error page on certain forbidden filenames and how to send a 'Location:' header back on directories missing the trailing '/'.



You need knowledge of the HTTP protocol to use this file, but it has the potential to do any configuration you want.



Also, when running on Unix you should run your server via the inetd or xinetd daemon. This allows you to handle bigger loads, as the inetd daemon will start a new server on every incoming request.



Lutz
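The request filter Lutz describes in #4 (an error page for forbidden filenames), applied to tom's original question of keeping the server inside one directory, as an added example. This is not the http-conf.lsp shipped with newLISP and not code from either poster. It assumes that the configuration file registers its handler with newLISP's (command-event ...) hook, which in -http mode receives the raw request line and serves whatever request line the handler returns; the file name, port, directory and the 403.html page are illustrative.

```newlisp
;; http-filter.lsp -- added example for the thread above, not the sample
;; http-conf.lsp shipped with newLISP.
;;
;; Assumption: the configuration file registers a handler with
;; (command-event ...); in -http mode the server calls it with the raw
;; request line, e.g. "GET /cgi-bin/hello.cgi?name=x HTTP/1.1", and
;; serves whatever request line the handler returns.
;;
;; Start it as:  newlisp http-filter.lsp -http -d 8080 -w /var/www/newlisp
;; (port, directory and the 403.html page are illustrative).

;; Request paths that must never reach the -w directory: directory
;; traversal (plain or percent-encoded), hidden files and directories,
;; and source or backup files that would leak script contents.
(define (forbidden-path? path)
  (let (p (lower-case path))
    (or (find ".." p)
        (find "%2e" p)
        (find "/." p)
        (ends-with p ".lsp")
        (ends-with p ".bak")
        (ends-with p "~"))))

;; Extract the path part of the request line: the second token,
;; with any query string stripped. Malformed lines yield "".
(define (request-path request)
  (let (parts (parse request " "))
    (if (< (length parts) 2)
        ""
        (let (q (parse (parts 1) "?"))
          (if (empty? q) "" (first q))))))

;; The handler newLISP calls for every request. A forbidden path is
;; replaced by a request for a static error page, so the real file is
;; never opened; everything else passes through unchanged.
(define (filter-request request)
  (if (forbidden-path? (request-path request))
      "GET /403.html"
      request))

(command-event 'filter-request)
```

The -w switch only sets the server's working directory; it is not a chroot, so the traversal check is what keeps requests inside that directory. Following Lutz's advice, run the server from inetd or xinetd as an unprivileged user and drop the -d option there, since the daemon already owns the listening port.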