1. 3

    Is there a comprehensive and/or up-to-date set of recommendations for simple, static HTTP servers anywhere?

    After years of trying to lock down Apache, PHP, CMSs, etc. and keep up to date on vulnerabilities and patches, I opted to switch to a static site and a simple HTTP server to reduce my attack surface and the possibility of misconfiguration.

    thttpd seems to be the classic option, but I’m a little wary of it due to past security issues and apparent lack of maintenance (would be fine if it were “done”, but security issues make that less credible). I’m currently using darkhttpd after seeing it recommended on http://suckless.org/rocks

    Edit: I upvoted the third-party hosting suggestions (S3, CloudFlare, etc.) since that’s clearly the most practical; for personal stuff I still prefer self-hosted FOSS though :)

    1. 4

      If all you need is static HTTP you don’t have to host it yourself. I host my blog in Amazon S3 (because I wanted to add SSL and GitHub didn’t support that last year) and for the last 13 months it’s cost me about $0.91 / month, and about two thirds of that is Route 53 :-)

      AWS gives you free SSL certificates, which was one of the main drivers for me to go with that approach.

      1. 3

        I use S3 / CloudFront for static HTTP content. It’s idiot proof (important for idiots like me!), highly reliable, and I spend less every year on it than I spend on a cup of coffee.

        The only real security risk I worried about was that someone could DDoS the site and run up my bill, but I deployed a CloudWatch alarm tied to a Lambda to monitor this. It’s never fired. I think at my worst month I used 3% of my outbound budget :)
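                The kind of cost guard described above, as an added example that is not the commenter’s own setup: a CloudFormation billing alarm for the account hosting the static site. It assumes an SNS topic (AlertTopic) as the notification target in place of the commenter’s Lambda, and a threshold of 5 USD; AWS billing metrics are published only in us-east-1 and only after billing alerts are enabled in the account’s billing preferences.

```yaml
# Added example (not from the thread): alarm when estimated monthly
# charges exceed a fixed budget, so a traffic spike against a
# public S3/CloudFront site is noticed before the bill arrives.
AWSTemplateFormatVersion: "2010-09-09"
Description: Billing alarm for a static site (deploy in us-east-1)

Parameters:
  MonthlyBudgetUsd:
    Type: Number
    Default: 5          # constructed sample threshold
  AlertEmail:
    Type: String        # address that receives the alarm notification

Resources:
  AlertTopic:           # assumed notification target (SNS, not Lambda)
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  BillingAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Estimated charges exceeded the monthly budget
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      # EstimatedCharges is a running month-to-date total, published
      # roughly every few hours, so use Maximum over a 6h period.
      Statistic: Maximum
      Period: 21600
      EvaluationPeriods: 1
      Threshold: !Ref MonthlyBudgetUsd
      ComparisonOperator: GreaterThanThreshold
      # Metric is absent until the first data point; don't alarm on that.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic
```

The alarm only notifies; stopping the spend (for example by disabling the CloudFront distribution) would still be a manual or separately automated step.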

        1. 1

          I’ve always wondered why AWS doesn’t provide a spending limit feature… it can’t be due to a technical reason, right? I know their service is supposed to be more complex, but even the cheapest VPS provider gives you this option, often enabled by default. I can only conclude they decided they don’t want that kind of customer.

          1. 1

            I also worried about the risk of “DDoS causing unexpected cost” when I was looking for a place to host my private DNS zones. To me it appeared that the free Cloudflare plan (https://www.cloudflare.com/plans/) was the best fit (basically free unmetered service).

            Would using that same free plan be a safer choice than Cloudfront from a cost perspective?

          2. 3

            You’d be hard pressed to go wrong with httpd from the OpenBSD project. It’s quite stable; it’s been in OpenBSD base for a while now. Its lack of features definitely keeps it in the simple category. :)

            There is also the NGINX stable branch. It’s not as simple as OpenBSD’s option, but it is stable, maintained and well hardened by being very popular.

            1. 3

              In hurricane architecture, they used Nginx (dynamic caching) -> Varnish (static caching) -> HAProxy (crypto) -> optional Cloudflare for acceleration/DDoS. Looked like a nice default for something that needed a balance of flexibility, security, and performance. Depending on one’s needs, Nginx might get swapped for a simpler server, but it gets lots of security review.

              I’ll also note for OP both this list of web servers.

            2. 1

              Check out this.

              1. 1

                Yeah, I also like this similar list, but neither provide value judgements about e.g. whether it’s sane to leave such things exposed to the Internet unattended for many years (except for OS security updates).

            1. 11

              A quick check of posix suggests PWD should always be exported.

              1. 8

                I get the feeling that POSIX compliance is not always a priority. For instance, I once pointed out that the ed(1) l(ist) command doesn’t print a ‘$’ at the end of each line. I don’t even qualify as a programming enthusiast, but it seems to me that this should be a simple enhancement. A poor fellow thought Theo approved of his fix (so did I, to be honest), but it was just a rebuke in his usual style, without further explanation [1].

                Since there’s a big overlap between crustaceans and OpenBSD developers, I’d be grateful to learn of the rationale for not touching this. Maybe the old-styled output for the list command is used in essential system scripts?

                [1] https://marc.info/?l=openbsd-misc&m=141679790528805&w=2

                1. 2

                  I’d be grateful to learn of the rationale for not touching this.

                  Perhaps because the person touching it didn’t bother trying to find out what it was backwards compatible with, and didn’t analyze why the code was there in the first place?

                  If it’s unclear why code is there, clear that up before deleting it.

              1. 5

                Is this legal in Europe? In Australia, if not being tracked was considered legally to be a “common law right”, it’s not possible to opt out of it.

                1. 7

                  I think we need to wait and see, as GDPR will go into effect on May 25 and probably a number of practices like this one will be challenged legally. I personally feel this give-your-consent-or-so-long approach is not in the spirit of the law.

                  1. 2

                    If it’s not legal, they’ll make it legal and sugar-coat it with GDPR in a way that’s impractical or infeasible to the users.

                    I hope Facebook users can combat this with addons, but as most users are mobile users, they surely lack the addons or the technical know-how to set it up.

                    Just opt out of Facebook already.

                    1. 10

                      I hope Facebook users can combat this with addons

                      At some point, the person being abused has to acknowledge that they are being abused, and choose to walk away.

                      1. 3

                        Yeah, just opt out. But sadly there are people who, say, expatriated and have no better way to stay in touch with old friends.

                        Until a viable replacement comes along, which may never happen, I think it’s a nice hope that they can find a way to concentrate on their use case without all the extra baggage.

                        1. 14

                          I am an expat.

                          I manage to keep in contact with the friends that matter, the same as I did when I didn’t use Facebook in a different state in my home country.

                          If they’re actually friends, you find a way, without having some privacy raping mega-corp using every conversation against you.

                          1. 3

                            Agreed, I don’t buy the argument that Facebook is the only way to keep in touch from afar.

                            I’m an expat, and I have regular healthy contact with my friends and loved ones from another continent, sharing photos and videos and prose. I have no Facebook account.

                      2. 2

                        I hope Facebook users can combat this with addons

                        Then this will happen: https://penguindreams.org/blog/discoverying-friend-list-changes-on-facebook-with-python/

                        Unfriend Finder was sent a cease and desist order and chose not to fight it. I made my own Python script that did the same thing, and ironically, Facebook’s changes that fixed the Cambridge Analytica issue broke my plugin. It stopped 3rd parties, yes, but it also kept developers from having real API access to our own data.

                        I also wrote another post about what I really think is going on with the current Facebook media attention:

                        https://fightthefuture.org/article/facebook-politics-and-orwells-24-7-hate/

                      3. 1

                        You’re not forced to use Facebook. It looks like they’re following GDPR and capturing consent. It seems the biggest issue is the bundling of multiple things into one consent and not letting folks opt in or out individually.

                      1. 3

                        It doesn’t. Isn’t tab presentational? Like the way you may style the beginning of a paragraph? That’s all part of the style given by CSS. For tabular data on the other hand you have tables, and PRE for pre-formatted text.

                        1. 3

                          I think they mean tabs as in layout/windowing, not spaces.

                          1. 3

                            I was confused too. First I thought of tabs, as in \x09, the thing that shouldn’t be used when indenting source code. Then I thought of things that can be reached and navigated through when the TAB key is pressed, i.e., using tabindex, but finally realized this is about tabs to switch between windows (as in tabbed browsing).

                          1. 2

                            then uses UDT (a reliable protocol from the 2000s) instead of TCP (a reliable protocol from the 1970s).

                            It’s the first time I come across age in a comparison of UDT vs TCP. In any case it’s more like 1980 vs. 1974, no?

                            1. 4
                              1. 6

                                Oops, there goes my first comment in lobste.rs… Thanks for the clarification; I was thinking of UDP… and didn’t know about UDT!

                                1. 2

                                  Welcome aboard! Have a seat. If you see a blue lobster, please give it to me, thank you.

                                  1. 1

                                    Hey, don’t feel bad…your comment got some useful replies. :)

                                2. 2

                                  If you like UDT, check this application out:

                                  http://sector.sourceforge.net/

                                  Really shows what it can do given how they use it. :)

                                1. 1

                                  Mosh seems like such a cool idea, but whenever I’ve ever used it, I’ve not found it any more tolerant of disconnects or laptop sleeps than ssh is. I end up using tmux anyway, so, what’s the point?

                                  1. 5

                                    I’ve found mosh to be incredibly resilient, myself. I don’t think the point is to replace tmux. For example, every time I closed my laptop I’d lose my network and/or VPN connection and have to ssh / tmux attach again. With mosh I never needed to reconnect, ever. Even when I went home or whatever and found myself on a different network.

                                    1. 2

                                      Lots of people feel this way. Personally, I feel mosh is great, precisely used together with tmux or screen. It can disconnect for a few moments, sure, but it comes back by itself, unlike ssh. Also, ssh freezes the screen when the connection is bad, while mosh lets you keep writing. To me the fact that the connection is left running in the background is very convenient. I guess I don’t see any downsides, especially if you get scrolling through tmux, screen or similar.

                                      1. 2

                                        I sometimes have a few problems with a stale tmux session ending up causing visual hangs on the other clients.

                                      2. 2

                                        That’s the complete opposite to my experience. I’ve had a mosh session open now across VPN reconnects, through different sides of the country, in airplanes… and I just checked, for just over 40 days. How were you using it? How would it disconnect? Maybe your use case is different. I use mosh to connect to the server that I run screen on.

                                        1. 2

                                          It’s the opposite for me. It feels like a rather horrific idea – it handles terminal drawing for me, breaks scrolling, is an ad-hoc screen syncing protocol, has hacks like guessing at what typing should do client side, and generally feels like it’s doing way too much.

                                          But it handles disconnects well, so I tolerate it for certain things. Although I keep finding myself considering going back to screen + ssh again. I really wish for something that handled disconnects as well, but didn’t do all the other junk. But I haven’t been bothered enough to write something like that yet.