SUMMARY: Which httpd to run?

From: Lenny Turetsky (lturetsk@econ.yale.edu)
Date: Sat Feb 25 1995 - 07:44:37 CST


First, the original question:

I vaguely recall that there is more than one httpd available on the
net (CERN's and NCSA's).

Which is the better/safer one to run? I've heard that one of them has
recently been found to have a security hole, but that doesn't matter
if you run it under chrootuid (which I will).

Could someone give me reasons for choosing one rather than the other
(security, speed, reduced resource consumption, etc.)? Basically, what
I'm looking for is the httpd equivalent of wu-ftpd (i.e., *the* httpd
to run).

Thanks, and, as usual, I'll summarize.

LT

PS I thought I remembered seeing something about this recently, but I
   couldn't find it at http://aurora.latech.edu/, so ...

-----------------------------------------------------------------------

Now, for the credits:

"Dick St.Peters" <stpeters@NetHeaven.com>
"Ashwin P. Rao" <ashwin@cadence.com>
Jon Piesing <jon@prl.philips.co.uk>
greiml@explorer.Uni-Trier.DE (Alexander Greiml)
Roland Yeo <roland@technet.sg>
thill@mmts.eds.com (tommy hill)
Richard Pieri <ratinox@unilab.dfci.harvard.edu>
Alexander Haiut <alx@black.bgu.ac.il>
Veselin Terzic <terzic@mda.ca>
Dave Fetrow <fetrow@biostat.washington.edu>
Mark Allyn (206) 860-9454 <allyn@allyn.com>

My thanks to all.

-----------------------------------------------------------------------

The "conclusion:"

The short version is that NCSA's daemon is "lighter" (uses less memory
and resources), while CERN's is more secure and full-featured (the
value of those features isn't too obvious to me, but it may be one of
those things you don't see until you try using it).

The CERN daemon can also function as a proxy server on firewalled
nets, but that's not a concern here.

There are also other daemons, but most of those cost money. ;-<

Take a look at: http://www.w3.org/hypertext/WWW/Daemon/Overview.html
and http://sunsite.unc.edu/boutell/faq/chart.html

I think I'm going to start with NCSA's, running under chrootuid for
added security. I'll be running it on a Sparc1 with low memory, so
that seems to be the way to go.

LT

-----------------------------------------------------------------------

The responses:

From: "Dick St.Peters" <stpeters@NetHeaven.com>

> I vaguely recall that there is more than one httpd available on the
> net (CERN's and NCSA's).

There are quite a few more as well, including at least one written in
Perl and some commercial servers. There's also at least one for Macs
and I think even one for DOS.

There is no *the* httpd, but the CERN and NCSA servers are the most
common. I don't know anything about any "recent" security holes, but
both of these servers have been through a number of versions, which
has included wringing out some security holes.

Mostly they differ in features, and each offers things the other
doesn't. If you're going to be dealing with a firewall situation,
then being familiar with the CERN server is useful for its proxy
gatewaying capabilities, which can provide transparent access through
a firewall when coupled with a SOCKS connection-level proxy. If you
want highly-flexible control over access to server pages, then you
ought to look at the NCSA server. The NCSA server also offers dynamic
server-side parsing and filling of pages for when you want to do
things like include the connection date and time in a page.

Choosing the right server is going to get more complicated before it
gets easier, especially if you want to do things like secure
transactions with something like PGP authentication. This kind of
capability is being built into new servers, but of course browsers
also have to be updated to use them. You're trying to hit a moving
target.

--
From: "Ashwin P. Rao" <ashwin@cadence.com>
Hi,
I have been working on this for some time. I am not sure about some of the 
features on NCSA though.

Feature                 NCSA        CERN
-----------------------------------------------------------------------------
Clickable Images        Yes         Yes
CGI-Script Support      Yes         Yes
Security Setup          Not Sure    Yes
Proxy Server            No          Yes
Caching                 No          Yes
-----------------------------------------------------------------------------

As you can see from above, I am not sure about the security feature in
NCSA, but in CERN you can protect some or all your documents from
systems using names/IP addresses. You can protect individual directories
also.

If you have configured a firewall, the CERN server can be run as a proxy
server so that people can use Mosaic from inside the firewall
transparently. All access then will be through your proxy server. When
configured as a proxy server, the CERN httpd also supports caching, thus
reducing network access. These are some of the things I could think of.
Please summarize and send me the data.

Thanks
Ashwin

P.S: The views here are entirely mine and not of the organization.

--
From: Jon Piesing <jon@prl.philips.co.uk>

We have tried both the CERN and the NCSA httpd on the same machine.
Response times to users seem a lot faster using the NCSA one. We don't
use the CERN one any more except as a proxy server.

Jon

--
From: greiml@explorer.Uni-Trier.DE (Alexander Greiml)

We have used CERN-httpd without any problems for about 2 months by now.
Installation was quite easy, and we haven't had any security problems
until now.

--
From: Roland Yeo <roland@technet.sg>

The NCSA one has the hole in it, but there is a patch for fixing it.

My personal choice is the CERN httpd, as it provides proxy server
features and server-side caching of pages. As a consequence of this, you
can have better control over the pages that are accessed by the clients
(i.e. with the assistance of a security firewall, you can ban certain
undesirable sites from being accessed).

It also has all the security/authorization features that the NCSA one
provides, to let you protect a page by password, or by IP
addresses/hostnames.
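Roland's note above and Ashwin P. Rao's earlier remark about protecting documents by host name or IP address both describe the same host-based access control. What follows is an added example, not code from NCSA httpd, CERN httpd, or anyone in this thread: a small Python evaluator for the NCSA-style "order" / "allow from" / "deny from" rules (the syntax Apache later inherited). The <Limit> block, the DNS tables and the client addresses are constructed sample data. The example also goes one step beyond what the thread says: it only trusts a client's host name when a forward lookup of its PTR name confirms the connecting address, because a rule such as "allow from .yale.edu" is otherwise only as trustworthy as whoever controls the client's reverse DNS.

```python
"""Evaluate NCSA-style host access rules: order / allow from / deny from.

Added example; not code from NCSA httpd or from any message in the thread.
The rule syntax follows an NCSA access.conf / .htaccess <Limit> block.
All DNS data and addresses below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a <Limit GET> block that lets only hosts under
# yale.edu, or on the 128.36 network, read the protected directory.
SAMPLE_RULES = """
<Limit GET>
order deny,allow
deny from all
allow from .yale.edu
allow from 128.36.
</Limit>
"""

# Constructed sample DNS.  192.0.2.7 has a PTR record claiming a yale.edu
# name, but the forward lookup of that name does not point back at it.
REVERSE: Dict[str, str] = {
    "128.36.8.4": "econ.yale.edu",
    "192.0.2.7": "www.econ.yale.edu",
    "198.51.100.9": "host.example.net",
}
FORWARD: Dict[str, List[str]] = {
    "econ.yale.edu": ["128.36.8.4"],
    "www.econ.yale.edu": ["128.36.8.5"],
    "host.example.net": ["198.51.100.9"],
}


def parse_limit(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (order, allow tokens, deny tokens) from a <Limit> block."""
    order, allows, denies = "deny,allow", [], []   # deny,allow is the default order
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):       # skip blanks and <Limit> tags
            continue
        kw, _, rest = line.partition(" ")
        kw, rest = kw.lower(), rest.strip()
        if kw == "order":
            order = rest.replace(" ", "").lower()
        elif kw in ("allow", "deny"):
            if not rest.lower().startswith("from "):
                raise ValueError(f"bad directive: {line}")
            tokens = [t.lower() for t in rest[5:].split()]
            (allows if kw == "allow" else denies).extend(tokens)
    return order, allows, denies


def _matches(token: str, ip: str, host: Optional[str]) -> bool:
    """Match one rule token against a client IP and (confirmed) host name."""
    if token == "all":
        return True
    if re.fullmatch(r"[0-9.]+", token):            # full IP, or partial like 128.36.
        return ip == token or (token.endswith(".") and ip.startswith(token))
    if host is None:                               # name-based rule, no trusted name
        return False
    if token.startswith("."):                      # domain suffix, e.g. .yale.edu
        return host.endswith(token)
    return host == token


def confirmed_hostname(ip: str, reverse: Dict[str, str],
                       forward: Dict[str, List[str]]) -> Optional[str]:
    """PTR name for ip, but only if its forward lookup includes ip again."""
    name = reverse.get(ip)
    if name is None or ip not in forward.get(name, []):
        return None
    return name


def is_allowed(rules_text: str, ip: str, confirm: bool = True,
               reverse: Dict[str, str] = REVERSE,
               forward: Dict[str, List[str]] = FORWARD) -> bool:
    """Decide access for ip under rules_text with NCSA/Apache order semantics."""
    order, allows, denies = parse_limit(rules_text)
    host = confirmed_hostname(ip, reverse, forward) if confirm else reverse.get(ip)
    allowed = any(_matches(t, ip, host) for t in allows)
    denied = any(_matches(t, ip, host) for t in denies)
    if order == "deny,allow":       # deny first, allow overrides, default permit
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):   # allow first, deny overrides, default deny
        return allowed and not denied
    raise ValueError(f"unknown order: {order}")


if __name__ == "__main__":
    for client in ("128.36.8.4", "128.36.200.1", "198.51.100.9", "192.0.2.7"):
        print(client, "confirmed:", is_allowed(SAMPLE_RULES, client),
              "trusting PTR blindly:", is_allowed(SAMPLE_RULES, client, confirm=False))
```

Run as a script it prints one line per constructed client; the last one shows the difference that forward confirmation makes: 192.0.2.7 is rejected when its yale.edu PTR name is checked against a forward lookup, but accepted when the PTR name is trusted on its own. The same evaluator handles "order allow,deny", where a matching deny rule overrides any allow and unmatched clients are refused.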

--
From: thill@mmts.eds.com (tommy hill)

There is a third server, Netscape's Netsite. We are running an eval copy
and it seems to be fairly stable. We had been running the copy from
CERN. CERN's server running on port 80 in stand-alone mode would fork
processes as http requests arrive, whereas Netsite creates the specified
number of processes at startup. This number is set at installation.
Also, the configuration of Netsite is quite easy and is done almost
entirely from Netscape while the server is running. A simple bounce of
the server is required for the changes to take effect. Netsite did use
quite a bit more system resources, in particular swap space (on a
SparcServer 670 with only 64MB RAM). Netsite, with the default setting
of 16 processes, also caused a hard crash (data fault) of the
SparcServer, but since I reduced the number of active processes to 8, it
has been very stable. Obviously, CERN's and NCSA's servers are cheaper
than Netscape's, so it may depend what you will be using the server for.

--
From: Richard Pieri <ratinox@unilab.dfci.harvard.edu>

I use CERN's server, for two reasons. One, NCSA's server doesn't always
work correctly with Solaris 2. Two, NCSA's server has recently been
found to have a pretty big security hole in it. There are a few things
that are easier to configure with NCSA's server, but in the long run I
feel that CERN's server is superior.

--
From: Alexander Haiut <alx@black.bgu.ac.il>

> I vaguely recall that there is more than one httpd available on the
> net (CERN's and NCSA's).

There are more. The full list and description you'll find at URL
http://www.w3.org/hypertext/WWW/Daemon/Overview.html

> Which is the better/safer one to run? I've heard that one of them has
> recently been found to have a security hole, but that doesn't matter
> if you run it under chrootuid (which I will).

Yes. There was (some time ago) a bug in CERN httpd, but I don't like it,
and I didn't even try to find out what the bug is.

NCSA httpd also has a bug, but NCSA have already published a fix.

> Could someone give me reasons for choosing one rather than the other
> (security, speed, reduced resource consumption, etc.)? Basically, what
> I'm looking for is the httpd equivalent of wu-ftpd (i.e., *the* httpd
> to run).

Heh.. I tested NCSA and CERN only, so:

1. NCSA -- small (114K); configurable. I run it on Sparc LX.

2. CERN -- big (650K) - thus it's too heavy for my small LX; configurable; has cache (disk cache), so, it might save your network, can be used as proxy server.

--
From: Veselin Terzic <terzic@mda.ca>

Read "WWW Servers Comparison Chart" by Paul Hoffman:
http://sunsite.unc.edu/boutell/faq/chart.html

--
From: Dave Fetrow <fetrow@biostat.washington.edu>

> Could someone give me reasons for choosing one rather than the other
> (security, speed, reduced resource consumption, etc.)? Basically, what
> I'm looking for is the httpd equivalent of wu-ftpd (i.e., *the* httpd
> to run).

I don't think that's clear yet.

The cern one is a LOT larger and somewhat more capable (I think) but the NCSA one will do more than most will probably use in the next year. It also impacts my workstation not-at-all despite (admittedly light) usage.

There is also a Perl version available (that also does gopher) and
probably a lot more I never heard of.

--
From: Mark Allyn (206) 860-9454 <allyn@allyn.com>

I have always run the CERN HTTPD on my Suns. I have been told that it
has slightly better security and it seems to be quite rock solid.

I have this running on two HPs, three machines running SunOS, and a
machine running Solaris.

-----------------------------------------------------------------------

That's all, folks!

,-----------------------------------------------------.
| Yale Economics Dep't    | Lenny Turetsky            |
| System Administrator    | lturetsk@econ.yale.edu    |
|-------------------------+---------------------------|
| My employers paid for some of my time and energy.   |
| My opinions were never for sale.                    |
`-----------------------------------------------------'



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:17 CDT