bkiahg has asked for the wisdom of the Perl Monks concerning the following question:

Hello Wise, Venerable Monks,

I come again seeking out your wisdom on all things perl. I am using a webserver as a front end for my perl applications and need to make sure that it is secure. I only want it to accept connections locally and ignore all outside requests. Below I only define the local requests but I'm unsure if this is enough to prevent outside connections.

Unfortunately I only have one pc on this network also to test. Any information from someone with more experience working with HTTP::Daemon would be greatly appreciated. Thank you! 
use HTTP::Daemon;
use HTTP::Status;
require 'C:\\rrships\\default.cgi';

  my $d = HTTP::Daemon->new(Listen    => 5,
                                 LocalAddr => 'localhost',
                                 LocalPort => 80,
                                 Proto     => 'tcp') or die "Can't bin
+d : $@\n";
  # print "Please contact me at: <URL:", $d->url, ">\n";
  while (my $c = $d->accept) {
      while (my $r = $c->get_request) {
          # print $r->url->path . "\n";
          if ($r->method eq 'GET') {
              my $response = HTTP::Response->new(200);
              $response->content(&Hello_World($r->url->path, $r->url->
+query));
              $response->header("Content-Type" => "text/html");
              $c->send_response($response);
          }
          else {
              $c->send_error(RC_FORBIDDEN)
          }
      }
      $c->close;
      undef($c);
  }

[download]

Replies are listed 'Best First'.
Re: HTTP::Daemon Security Question
by jeffa (Bishop) on Jan 06, 2009 at 17:38 UTC

    Questions like these confuse me. Why are you not using Apache? Seems to me you could easily solve your problems by just using Apache and configuring it accordingly: 

    Order deny,allow
Deny from all
Allow from 127.0.0.1

    [download]
    Am i missing something? :/

    jeffa

    L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)
[reply]
[d/l]
      I've never used Apache and I needed a lightweight front end for my applications. This was the simplest form I could find and if I can get it to not accept outside connections it will be perfect for what I need.

      How large is Apache? The smaller the install file the better. How hard is it to configure correctly? If I recall correctly Apache is a great program, but it has a steep learning curve to properly set up. How well does it perform on windows? Never heard of anyone running it on a regular windows box (xp, 2000). Maybe its very common, just never had any personal experience with it.

      So in summation, I am using this because:
      • I love perl and will always opt for an all perl solution!
      • In 19 lines of code I have found a perfect solution to what I was looking to do.
      • I am ignorant on the procedures of Apache
      • Too lazy to educate myself for this particular project.. lol.

      So if there is a strong reason that I am unaware of that I should be using Apache, please let me know. I want to do this correctly, but am unaware of what I am unaware of.
[reply]

        "So if there is a strong reason that I am unaware of that I should be using Apache, please let me know."

        Because it has already been written, tested, standardized, industry approved and backed. It runs just fine on Windows, but I have yet to find a compelling reason to not use Linux for this type of application. Linux and Apache got the market first -- Microsoft is too busy figuring how to control their users for me to consider paying for their product. Apache is free. Linux servers are cheap.

        I too love Perl, but if I am writing a web application -- and that's pretty much all i do these days -- i am going to use Apache to handle what your 19 lines does. Sure, it's bigger -- but once you learn how to use it you can apply that knowledge to many more existing web applications written by a vast array of scruffy hackers.

        Use the right tool for the right job. And if your 19 lines is the right tool then there you have it. Just realize you didn't need to even write those 19 lines. Apache does all of that. And thanks to packages like xampp installation and configuration just gets easier and better.

        jeffa

        L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)
[reply]
Re: HTTP::Daemon Security Question
by zentara (Cardinal) on Jan 06, 2009 at 17:28 UTC
    I don't think it's secure in the way you think. Just because you use localhost as the server address, dosn't mean it won't accept connections from the internet.

    You can add some more safety though. I havn't tested this, but the perldoc says that "The "HTTP::Daemon::ClientConn" is a "IO::Socket::INET" subclass.". So you should be able to use IO::Socket::INET's peeraddr to get the address of the client 

    my $peeraddress = $c->peeraddr();
# check if they are in an allowed list

    [download]
    I'm not really a human, but I play one on earth Remember How Lucky You Are
[reply]
[d/l]
      Just because you use localhost as the server address, dosn't mean it won't accept connections from the internet.
      I think you're wrong about that. I just did a quick check and when using localhost as server address, netstat shows 
      [user@rack tmp]$ sudo netstat -tnlp | grep :80
tcp        0      0 127.0.0.1:80              0.0.0.0:*               
+    LISTEN      6634/perl

      [download]
      which means it will only accept connections coming in on the localhost IP. Packets going to port 80 from the external IP won't reach this server.
[reply]
[d/l]
        which means it will only accept connections coming in on the localhost IP. Packets going to port 80 from the external IP won't reach this server.

        That's true as far as it goes, but it would still be a good idea to check the remote address.

        It's possible, depending on your system config, to get a packet coming from the outside aimed at 127.0.0.1. And of course there's no guarantee that the system you're running on hasn't been misconfigured so that 'localhost' ends up giving you an accessible IP.

[reply]
Re: HTTP::Daemon Security Question
by eye (Chaplain) on Jan 07, 2009 at 08:34 UTC
    Security is not an absolute. If the security of this server is important, you should implement multiple layers of protection. This might include any or all of: TCP wrappers, disabling an ssh server, local packet filtering (iptables/ipfw), a firewall protecting the network segment, and armed guards patrolling the facility. If one layer of security fails, you are (hopefully) protected by the other layers. Take a holistic approach. Remember that your application isn't secure if the host isn't secure.
[reply]

Back to Seekers of Perl Wisdom