Mbedthis
AppWeb is the industry's first embeddable HTTP web server that
has been designed from the start with security in mind. It is
a fast, high functionality, small-footprint, standards based embedded web server specifically
designed for use by applications and embedded devices.
Why Embed a Web Server?
There are two ways to implement a HTTP web server.
-
Create
a web application to run with an Enterprise Web server. This
presentation layer application then communicates with your "logic"
application as required.
-
Embed a HTTP web server directly in your application so it becomes a HTTP server itself.
Conventional wisdom has stressed the separation of presentation
from logic and this is a good axiom. However, it should be a logical
separation and not necessarily a physical separation. In some
cases, a physical separation is ideal and it certainly can help
to scale-out a large site when used with load balancing. In other
cases, the simplicity and performance gains from embedding a web
server directly in an application or device make direct embedding
a preferred choice. Both approaches are legitimate. Mbedthis AppWeb
aims to be the best embeddable HTTP server.
There are many reasons to embed a Web Server. Some examples are:
-
You want to ship evaluation copies of your application
with a web user interface, but you don't want users to have to modify
their enterprise web server configuration just for a trial.
-
You want to ship a device appliance and it must be
web manageable for all functions.
-
You want to web-enable an existing application as quickly
as possible and you don't want the complexity of creating a separate
web application.
- You want to simplify the deployment of your application so
it can be secured and administered at one point. You don't want to
separately manage the web presentation and the back-end application.
Who Embeds Web Servers?
There are two classes of users for AppWeb: Enterprise application
developers and Device builders and they are riding two key trends:
Should embedding a HTTP server be the right option for you, there are numerous benefits in doing so:
-
Simpler design (one process, no IPC, single protocol)
-
Easier to secure
-
Less code (means less bugs)
-
Much easier to create dynamic web content
A Web Server is a Web Server, Right?
An embedded web server has a different set of design goals
compared with those of an enterprise web server such as Apache. While
both servers receive and respond to the standard HTTP protocol, the
design goals and core processing architectures choices are considerably
different. Furthermore, the resource demands these web servers impose
on a system may be very different. Enterprise web servers typically
assume that
they are the most
important application on the system and often run on a dedicated system. It is acceptable for them
to scale to consume available resources to serve incoming requests. In
contrast, Embedded web servers assume they are secondary to the
essential functions an application or device must perform. As such,
embedded web servers must minimize their resource demands and must be
deterministic in the load they place on a system.
The key design goals of embedded web servers and AppWeb in particular are to be:
-
Easily embeddable in applications and devices
-
Easy to configure and administer
-
Small memory footprint
-
Secure by design and by default
-
Deterministic demand on system resources
-
No compromise on features
-
Open source with commercial license options
AppWeb Components
The AppWeb product includes the following components:
-
AppWeb HTTP Server library
-
AppWeb HTTP Client library
-
AppWeb HTTP server main program
-
AppWeb loadable modules for server-side JavaScript,
Embedded Server Pages, Embedded Gateway Interface, Common Gateway
Interface and Secure Socket Layer
-
Documentation
-
Samples
-
Source code
AppWeb Architecture
The core AppWeb HTTP server has been carefully designed to be
deterministic in its use of system resources while retaining high
performance and minimal footprint. It does this leveraging the
following features:
-
Portable runtime layer to isolate platform dependencies
-
Modular architecture with dynamic module loading
-
High performance multithreaded core
-
Thread pool for fast thread allocation
-
Safe programming layer to prevent buffer overrun exploits and sandboxing to limit resource consumption
-
Efficient output data stream buffering
-
Apache compatible configuration
-
Extensive logging and debug trace
And for those who wish to rebuild AppWeb from source code, AppWeb can be highly
optimized by using an an extensive set of compile time options
to control what features are included.
Modes of Operation
The Mbedthis AppWeb product is more than just a stand-alone HTTP
server. The product includes this base functionality, but it also
exposes components so that you may embed the core HTTP server and HTTP
client functionality directly in your applications.
For applications, embedding the HTTP server in the application greatly
simplifies deployment as there is no separate web application to
deploy. For devices, either running a stand-alone server or embedding
the server in the device application will work effectively.
Stand-alone HTTP Server
When using AppWeb as a stand-alone server, you can create web user
interfaces using several innovative AppWeb technologies and existing
standard technologies
The
AppWeb server runs as a stand-alone program. On Windows, it runs as a
system service and on Linux/Unix it runs as a system daemon.
Server-side JavaScript
JavaScript or ECMAScript (ECMA-262) has typically been implemented in the client.
However, it is ideally suited for embedded use on the server.
AppWeb supports a subset of ECMAScript that is fast and compact.
Embedded Server Pages (ESP)
Embedded Server Pages are server side JavaScripted HTML pages that
allow direct binding between the JavaScript procedures and logic
routines in your application.
The Embedded Gateway Interface is one of a set of modern replacements for the venerable
Common Gateway Interface (CGI). CGI suffers from several deficiencies
that make it a poor choice for creating dynamic user interfaces in
embedded applications:
-
Cannot view the page layout at design time
-
Very slow
-
Large demand on system resources
-
Additional programs and interfaces need securing
The Embedded Server Pages technology remedies these shortcomings by
allowing you to use page layout programs such as Dreamweaver while
still retaining the ability to generate dynamic content within the page
via server-side JavaScripting.
Embedded Gateway Interface (EGI)
The Embedded Gateway Interface is a modern replacement for the
Common Gateway Interface (CGI) when it is used to process form data.
Using CGI for form data suffers from many of the same deficiencies it
exhibits when it is used to generate page data. In addition, it
provides a very low level interface that does not assist the developer
when decoding query or posted data.
The Embedded Gateway Interface remedies these shortcomings by allowing
an equivalent of in-process CGI. Form URLs may be bound directly to EGI
code routines that will be called when the form is posted. AppWeb
further assists by decoding query arguments and providing hashed lookup
to all environment data variables.
Open Modular Architecture
AppWeb supports dynamically loadable modules so that new content
handlers, scripting engines and page generation environments can be
easily added. The existing mechanisms: ESP and EGI have been developed
as loadable modules so that they are only loaded if required. Scripting
engines such as PHP are also being created as loadable modules.
Common Gateway Interface (CGI)
Should you need to support existing code bases that use CGI, AppWeb provides a high performance CGI implementation.
Embedding the HTTP Server
When
embedding the AppWeb HTTP server in an application, all the features of
the stand alone AppWeb server are available. As required the SSL,
Authentication, Embedded Server Pages, Embedded Gateway Interface, CGI
and other dynamic modules will be loaded into the application.
To embed the AppWeb HTTP server or client in an application is
easy and requires from 10 lines of code to integrate and activate.
Because AppWeb is configured primarily by using an Apache style
ASCII configuration file, initialization by code is not necessary.
This also eases administration as the server configuration may
be modified in the field if required.
To make AppWeb easy to embed, it supports a wide variety of
Programming
Paradigms. This includes support for C and C++, single and
multithreaded programs and a variety of different event mechanisms.
Threading Model
The AppWeb HTTP server can run either single threaded or multithreaded and the
threading mode can be selected at run-time by your application.
Further, you can set the number of threads to be used by AppWeb
depending on the anticipated scale of your application.
AppWeb can fully expose its event loop if needed so that it can be
integrated with existing application event mechanisms. It supports the
following event processing mechanisms:
-
Polled
-
POSIX select
-
Service thread
-
Windows messages
Debugging Support
The AppWeb HTTP server includes a powerful debug logging
facility and is fully instrumented to log trace information. This can
be invaluable in debugging ESP code logic or new AppWeb handlers that
you may have written.
Samples
An extensive suite of samples is provided. See the
Programming Samples document for details..
Security
Most HTTP servers have become more secure by a painful process of
discovery. While it is no guarantee, developing a HTTP server to be
secure by design is easier than trying to engineer security in after
the fact. Securing embedded HTTP servers is even more difficult as it
must be done without increasing memory footprint or damaging
performance.
Mbedthis Portable Runtime (MPR)
AppWeb has been designed to be secure from the foundation by using the
Mbedthis Portable Runtime (MPR). The MPR is a cross-platform layer that
permits over 97% of the AppWeb code to be portable. It includes a safe
string and buffer handling module to help the eliminate buffer
overflows that have plagued so many products recently. It also warns
when any unsafe (traditional) C API functions are used.
Sandboxing
The AppWeb HTTP server closely controls its use of system resources via
a technique known as "sandboxing". This means running the web-server
within tightly controlled limits so that script errors or web server
bugs will not compromise system operation. AppWeb has also been
hardened against several common denial of service attacks.
AppWeb can be configured to:
-
Preallocate memory and not grow beyond predefined memory limits
-
Reject requests that are too large
-
Reject URLs that are too long
-
Run single-threaded or use a pool of reusable threads to service requests
-
Be run by a designated user account or user group
To build on this foundation, AppWeb provides Secure Sockets Layer and Digest authentication.