From: Matthew Dillon
Date: Fri, 20 Nov 1998 17:29:23 -0800 (PST)
Message-Id: <199811210129.RAA19628@apollo.backplane.com>
To: Jeroen Ruigrok/Asmodai
Cc: Per Kristian Hove, freebsd-security@FreeBSD.ORG, Andrew McNaughton
Subject: Re: pkhttpd (Was: Would this make FreeBSD more secure?)

:> so as clients conform to 1.1, the server is guaranteed the ability to
:> determine the virtual host from the Host: header rather than having to
:> assign unique IP's to each virtual host.
:>
:> note(1): the server is required to return a failure code if the client
:> says it is using HTTP/1.1 but does not supply a Host: mime header.
:
:OK, that's all cute ;)
:
:But how big would a fully functional HTTP 1.0 or 1.1 compliant server be?
:Because for embedded systems (read picoBSD) we need to make such decisions and
:based on the results implement them.
:
:*digs out the RFC specs...*

    If you don't use the fancier features it's fairly easy to write a web
    server.  Writing a scalable web server is a different matter, but even
    so it isn't going to be all that big.

    A short list of optional features that you do not have to implement
    includes:

        byte serving (Range: header)
        persistent connections
        proxy functions
        content matching

    Common features you should/must deal with properly:

        Handling missing trailing slashes properly (by returning a redirect)
        code 100 processing (if implementing HTTP/1.1)
        Handling content-length, POST data
        Handling If-modified-Since
        Handling Authorization if you intend to password-protect the system
          using authorization mechanisms.
        Properly escaping input and output strings according to the spec.

                                                -Matt

:---
:Jeroen Ruigrok van der Werven/Asmodai
:asmodai(at)wxs.nl                     |  Cum angelis et pueris,
:Junior Network/Security Specialist    |  fideles inveniamur
:*BSD & picoBSD: The Power to Serve...
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet
                    Communications & God knows what else.
    (Please include original email in any response)
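
An added example, not part of the original message and not code from pkhttpd or from either poster: a minimal C request check covering three of the points above (failure on an HTTP/1.1 request without Host:, the trailing-slash redirect, and validating client input before it is echoed into an output header). The names check_request, find_header, DEFAULT_HOST and HOSTCHARS are hypothetical, and 400 is assumed as the failure code.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DEFAULT_HOST "www.example.com"   /* assumed configured server name */
#define HOSTCHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:"

/* Return the value of header `name` (case-insensitive) from a CRLF-delimited
 * request head, or NULL if it is absent or empty. */
static const char *find_header(const char *head, const char *name)
{
    size_t n = strlen(name);
    const char *p = strstr(head, "\r\n");            /* end of request line */
    while (p != NULL && p[2] != '\0' && p[2] != '\r') {
        p += 2;                                      /* start of next header */
        if (strncasecmp(p, name, n) == 0 && p[n] == ':') {
            p += n + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            return (*p == '\r' || *p == '\0') ? NULL : p;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* Returns 200, 301 (redirect target written to loc) or 400. path_is_dir is
 * what the caller's stat() of the mapped path reported. */
int check_request(const char *head, int path_is_dir, char *loc, size_t loclen)
{
    char method[8], path[256];
    int major, minor;
    if (sscanf(head, "%7s %255s HTTP/%d.%d", method, path, &major, &minor) != 4
        || path[0] != '/')
        return 400;
    const char *host = find_header(head, "Host");
    if (host == NULL && (major > 1 || (major == 1 && minor >= 1)))
        return 400;                  /* HTTP/1.1 without Host: must fail */
    /* Host is client input echoed into a response header: accept only
     * hostname characters up to the CR, so nothing else reaches Location. */
    size_t hlen = host ? strspn(host, HOSTCHARS) : strlen(DEFAULT_HOST);
    if (host != NULL && host[hlen] != '\r')
        return 400;
    const char *q = strchr(path, '?');               /* keep any query string */
    size_t plen = q ? (size_t)(q - path) : strlen(path);
    if (!path_is_dir || path[plen - 1] == '/')
        return 200;
    snprintf(loc, loclen, "http://%.*s%.*s/%s", (int)hlen,
             host ? host : DEFAULT_HOST, (int)plen, path, q ? q : "");
    return 301;
}
```

An HTTP/1.0 request that carries no Host: header is still accepted, and its redirect falls back to the configured server name.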