Server-side:
The Server

Parke Godfrey
28 September 2012
CSE-2041

Credits

These slides are based in part on ones from the following sources.

• Prof. Hamzeh Roumani, CSE2041

The HTTP Session

• stateless

  • Keep the HTTP Daemon (server program) stateless.

  • Will use database services, etc., to affect state.

• high concurrency

  • Many clients with open HTTP sessions at the same time.

• short sessions

  • A session may still be longer than what we want...

    E.g., keep-alive, lots of silly images, ...

    E.g., video!!!

  • What to do about this?

The Daemon Loop

• bind

• listen

• fork

---

Important! The server is listening for other processes while servicing existing sessions.

However, there is a limit to the number of open sessions.

Serving Static Content

1. Listen on port 80.

2. Fork to handle when an HTTP request arrives.

3. Extract the path/file from the URL.

4. Check whether file exists.
   If not, return status 404.

5. Check whether File is reachable & readable (chmod).
   If not, return status 403.

6. Determine the content type.

7. Return with status 200 (OK) and a type header.

8. Serve file as the payload.

9. Close HTTP session.
   Or, on keep-alive, wait brief time for another request.

HTTP Status / Response Codes

Status codes are part of the HTTP protocol.

1. 100 series
   • Sessional update from server.
2. 200 series
   • Success!
3. 300 series
   • Redirect.
4. 400 series
   • Client error.
5. 500 series
   • Server error.

LAMP
a common Web-server stack

• Linux
• Apache
• MySQL, Derby, ...
• PHP, Perl, Python, Ruby, ...

Serving Static Content
other considerations

• Availability via fork‐and‐serve.

• Confidentiality via HTTPS on port 443

• Authentication via .htaccess and 401.

• Client‐Side caching: 304

• Request is a directory.

  • No slash at end: 301. Else, serve welcome file (if any).

  • ls (if directory readable)

  • Else, 403.

• Refresh for redirecting and fake‐pushing.

Types of Dynamic Content

• different payload / same URL

  • Can deliver different content for the same URL, depending on who asks.

• server-side pre-processing

  • PHP

  • server-side includes

• server-side programs: CGI (Common Gateway Interface)

  • Server executes a program, and sends the output of the program to the client.

Serving Dynamic Content
CGI

Same as static up to Step #4. 

5. Check that file is reachable.  (Readable not needed!)
   If not, return status 403.

6. Masquerade as file owner.

7. Check that file is executable by owner.
   If not, return status 500.

8. Run the file and capture its output.

9. Check the validity of the output.

   1. Not valid? Return status 500.

   2. Valid? Return status 200 (OK), and the output as the payload.

Building a Server

Hey, this looks easy!

• Server code can be quite short!
  (Client code? Not so much...!)

  • An “httpd” in python (226 lines of code).

• “Engineering” issues are what is hard.

  • Scalability is hard.

  • Must design carefully what to serve from where.

  • Security can be tricky.

  • Do not serve anything that shouldn't be.

  • Programs on the server-side must be well behaved.