You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Torge Riedel <to...@gmx.de> on 2015/11/29 14:12:20 UTC
[users@httpd] Architecture recommendations, tips, hints and help
Dear list,
I'm faced with the following "architecture" of an application:
- Linux Server (small VM) with MySQL-DB, accessible via SSL from outside of the server, access is limited to a set of users
- Client is a .NET-Application connecting to the DB with one user for each installation
since this is not a very good architecture from several point of views I am thinking about changing it:
- develop own Apache module offering REST services (one endpoint (resource part of url) for each operation)
- use JSON as data format for GET/POST requests
- let Apache handle SSL and authentication (authentication in the meaning of "general access" to the services)
- manage permissions to protected data in DB and handle authentication to access this data by the new Apache module
The decision to develop an Apache module instead of using Tomcat/Java is to avoid additional load on server, since Apache is already active. And I'm a C/C++ geek but not for Java. ;-)
Questions to the list:
- Am I one the right way?
- Is there something missing from the security point of view?
- Is there something pre-compiled for parsing JSON data in Apache modules (didn't find something, only Apache independent libs)
Thanks in advance
Torge
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Architecture recommendations, tips, hints and help
Posted by Torge Riedel <to...@gmx.de>.
Am 29.11.2015 um 23:00 schrieb Nick Kew:
> On Sun, 2015-11-29 at 10:05 -0500, Yehuda Katz wrote:
>> You might want to use CGI or FastCGI rather than an Apache module. You
>> can write CGI in any language, including C or C++ and there are
>> libraries that already implement FastCGI for both languages.
>> There are a few benefits of not using a module
>> - If you update Apache, you may need to make changes to the module,
>> but you shouldn't need to do that with CGI
>> - Any possible issue (security or otherwise) in your code won't affect
>> the whole server
>> - Your code will be portable to other web servers in case you ever
>> decide or are forced to switch
>
> I don't have anything really useful to tell the OP, but
> I have to take issue with the above.
> - You don't have to update modules for new apache versions.
> You will need to recompile, and you may need minor updates
> (depending on what APIs the module uses) when 2.6.x comes out
> but not within 2.4.
> - Even porting to other webservers with Apache-ish roots
> (including nginx, the other open source server that matters)
> should be fairly straightforward, as you can map between the
> two APIs - at least those the OP seems likely to want. Though
> since Apache has (by far) the richest API, you might have a
> few gaps to fill.
> - Have you ever tried porting CGI? It's a lot less portable
> in real life than in theory. Though I guess the biggest
> issue is if you want to support windows and anything-else.
> - As for security and other issues, if the OP is most at home
> in C then that's where he's (on balance) at least risk of
> screwing up.
>
Thanks a lot everybody.
I will focus on an Apache module, as I'm sure that updating apache (the normal update progress of fixes and patches) on a Linux server should not screw up the ABI. In addition, but this might be a reason of less knowledge on FastCGI, I can benefit from a lot of available stuff in Apache like DB connection pooling, etc.
Regards
Torge
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Architecture recommendations, tips, hints and help
Posted by Nick Kew <ni...@webthing.com>.
On Sun, 2015-11-29 at 10:05 -0500, Yehuda Katz wrote:
> You might want to use CGI or FastCGI rather than an Apache module. You
> can write CGI in any language, including C or C++ and there are
> libraries that already implement FastCGI for both languages.
> There are a few benefits of not using a module
> - If you update Apache, you may need to make changes to the module,
> but you shouldn't need to do that with CGI
> - Any possible issue (security or otherwise) in your code won't affect
> the whole server
> - Your code will be portable to other web servers in case you ever
> decide or are forced to switch
I don't have anything really useful to tell the OP, but
I have to take issue with the above.
- You don't have to update modules for new apache versions.
You will need to recompile, and you may need minor updates
(depending on what APIs the module uses) when 2.6.x comes out
but not within 2.4.
- Even porting to other webservers with Apache-ish roots
(including nginx, the other open source server that matters)
should be fairly straightforward, as you can map between the
two APIs - at least those the OP seems likely to want. Though
since Apache has (by far) the richest API, you might have a
few gaps to fill.
- Have you ever tried porting CGI? It's a lot less portable
in real life than in theory. Though I guess the biggest
issue is if you want to support windows and anything-else.
- As for security and other issues, if the OP is most at home
in C then that's where he's (on balance) at least risk of
screwing up.
--
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Architecture recommendations, tips, hints and help
Posted by Yehuda Katz <ye...@ymkatz.net>.
You might want to use CGI or FastCGI rather than an Apache module. You can
write CGI in any language, including C or C++ and there are libraries that
already implement FastCGI for both languages.
There are a few benefits of not using a module
- If you update Apache, you may need to make changes to the module, but you
shouldn't need to do that with CGI
- Any possible issue (security or otherwise) in your code won't affect the
whole server
- Your code will be portable to other web servers in case you ever decide
or are forced to switch
Other than that, your idea sounds great.
- Y
On Sun, Nov 29, 2015 at 8:12 AM, Torge Riedel <to...@gmx.de> wrote:
> Dear list,
>
> I'm faced with the following "architecture" of an application:
>
> - Linux Server (small VM) with MySQL-DB, accessible via SSL from outside
> of the server, access is limited to a set of users
> - Client is a .NET-Application connecting to the DB with one user for each
> installation
>
> since this is not a very good architecture from several point of views I
> am thinking about changing it:
>
> - develop own Apache module offering REST services (one endpoint (resource
> part of url) for each operation)
> - use JSON as data format for GET/POST requests
> - let Apache handle SSL and authentication (authentication in the meaning
> of "general access" to the services)
> - manage permissions to protected data in DB and handle authentication to
> access this data by the new Apache module
>
> The decision to develop an Apache module instead of using Tomcat/Java is
> to avoid additional load on server, since Apache is already active. And I'm
> a C/C++ geek but not for Java. ;-)
>
> Questions to the list:
> - Am I one the right way?
> - Is there something missing from the security point of view?
> - Is there something pre-compiled for parsing JSON data in Apache modules
> (didn't find something, only Apache independent libs)
>
> Thanks in advance
> Torge
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] Architecture recommendations, tips, hints and help
Posted by Marat Khalili <mk...@rqc.ru>.
> since this is not a very good architecture from several point of views
It would be helpful if you name these explicitly. While it is well known
that adding another level of indirection can solve any problem, it is
good to know what a problem is.
In any case, I also think CGI/WSGI/FCGI/HTTP
<https://ef.gy/fastcgi-is-pointless> is an easier and safer way than
building Apache module. JSON or not depends on data you have; it's ok
for small independent records.
--
With Best Regards,
Marat Khalili
On 29/11/2015 16:12, Torge Riedel wrote:
> Dear list,
>
> I'm faced with the following "architecture" of an application:
>
> - Linux Server (small VM) with MySQL-DB, accessible via SSL from
> outside of the server, access is limited to a set of users
> - Client is a .NET-Application connecting to the DB with one user for
> each installation
>
> since this is not a very good architecture from several point of views
> I am thinking about changing it:
>
> - develop own Apache module offering REST services (one endpoint
> (resource part of url) for each operation)
> - use JSON as data format for GET/POST requests
> - let Apache handle SSL and authentication (authentication in the
> meaning of "general access" to the services)
> - manage permissions to protected data in DB and handle authentication
> to access this data by the new Apache module
>
> The decision to develop an Apache module instead of using Tomcat/Java
> is to avoid additional load on server, since Apache is already active.
> And I'm a C/C++ geek but not for Java. ;-)
>
> Questions to the list:
> - Am I one the right way?
> - Is there something missing from the security point of view?
> - Is there something pre-compiled for parsing JSON data in Apache
> modules (didn't find something, only Apache independent libs)
>
> Thanks in advance
> Torge
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>