Embedthis Appweb is the industry's first embeddable HTTP web
server that has been designed from the start with security in
mind. It is a fast, high functionality, small-footprint,
standards based embedded web server specifically designed for use
by embedded applications and devices.
Why Embed a Web Server?
There are two
ways to implement a HTTP web server.
-
Create a web application to run with an Enterprise class
web server such as Apache. This presentation layer
application then communicates with your "logic" application
as required.
-
Embed a HTTP web server directly in your application so it
becomes a HTTP server itself.
Conventional wisdom has stressed the separation of
presentation from logic and this is a good axiom. However, it
should be a logical separation and not necessarily a physical
separation. In some cases, a physical separation is ideal and it
can often help to scale-out a large site when used with load
balancing. In other cases, the simplicity and performance gains
from embedding a web server directly in an application or device
make direct embedding the preferred choice. Both approaches are
legitimate. Embedthis Appweb aims to be the best embeddable HTTP
server.
There are many reasons to embed a Web Server. Some examples
are:
-
You want to ship a device appliance and it must be web
manageable for all functions.
-
You want to ship evaluation copies of your application
with a web user interface, but you don't want users to have
to modify their enterprise web server configuration just for
a trial.
-
You want to web-enable an existing application as quickly
as possible and you don't want the complexity of creating a
separate web application.
- You want to simplify the deployment of your application so
it can be secured and administered at one point. You don't want
to separately manage the web presentation and the back-end
application.
Who Embeds Web Servers?
There are two classes of users for Appweb: Enterprise application
developers and Device builders and they are riding two key
trends:
Should embedding a HTTP server be the right option for you,
there are numerous benefits in doing so:
-
Simpler design (one process, no IPC, single protocol)
-
Easier to secure
-
Less code (means less bugs)
-
Much easier to create dynamic web content
A Web Server is a Web Server,
Right?
An embedded web server has a different set of
design goals compared with those of an enterprise web server such
as Apache. While both servers receive and respond to the standard
HTTP protocol, the design goals and core processing architectures
choices are considerably different. Furthermore, the resource
demands these web servers impose on a system may be very
different.
Enterprise web servers typically assume that
they are the most important application on the system
and often run on a dedicated system. It is acceptable for them to
scale to consume available resources to serve incoming requests.
In contrast, Embedded web servers assume they are secondary to
the essential functions an application or device must perform. As
such, embedded web servers must minimize their resource demands
and must be deterministic in the load they place on a
system.
The key design goals of embedded web servers and Appweb in
particular are to be:
-
Easily embeddable in applications and devices
-
Easy to configure and administer
-
Small memory footprint
-
Secure by design and by default
-
Deterministic demand on system resources
-
No compromise on features
-
Open source with commercial license options
Appweb Components
The Appweb
product includes the following components:
-
Appweb HTTP Server library
-
Appweb HTTP Client library
-
Appweb HTTP server main program
-
Appweb loadable modules for server-side JavaScript,
Embedded Server Pages, Embedded Gateway Interface, Common
Gateway Interface and Secure Socket Layer
-
Documentation
-
Samples
-
Source code
Appweb Architecture
The core Appweb HTTP server has been carefully designed to be
deterministic in its use of system resources while retaining high
performance and minimal footprint. It does this leveraging the
following features:
-
Portable runtime layer to isolate platform
dependencies
-
Modular architecture with dynamic module loading
-
High performance multithreaded core
-
Thread pool for fast thread allocation
-
Safe programming layer to prevent buffer overrun exploits
and sandboxing to limit resource consumption
-
Efficient output data stream buffering
-
Apache compatible configuration
-
Extensive logging and debug trace
And for those who wish to rebuild Appweb from source code,
Appweb can be highly optimized by using an an extensive set of
compile time options to control what features are included.
Modes of Operation
The Embedthis Appweb product is
more than just a stand-alone HTTP server. The product includes
this base functionality, but it also exposes components so that
you may embed the core HTTP server and HTTP client functionality
directly in your applications.
For applications, embedding the HTTP server in the application
greatly simplifies deployment as there is no separate web
application to deploy. For devices, either running a stand-alone
server or embedding the server in the device application will
work effectively.
Stand-alone HTTP Server
When using
Appweb as a stand-alone server or when embedding, you can create
web user interfaces using several innovative Appweb technologies
and existing standard technologies
-
Server-side JavaScript via EJScript™
-
Embedded Server Pages™
-
Embedded Gateway Interface™
-
Open Modular Architecture
-
Common Gateway Interface
The Appweb server runs as a stand-alone program. On Windows,
it runs as a system service and on Linux/Unix it runs as a system
daemon.
Server-side
JavaScript
JavaScript or ECMAScript (ECMA-262) has typically
been implemented in the client. However, it is ideally suited for
embedded use on the server. Appweb supports a subset of
ECMAScript called EJScript that is fast and compact.
Embedded Server Pages
(ESP)
Embedded Server Pages are server side JavaScripted HTML
pages that allow direct binding between the JavaScript procedures
and logic routines in your application.
The Embedded Server Pages technology remedies these shortcomings
by allowing you to use page layout programs such as Dreamweaver
while still retaining the ability to generate dynamic content
within the page via server-side JavaScripting.
Embedded Gateway Interface
(EGI)
The Embedded Gateway Interface is a modern replacement for the
Common Gateway Interface (CGI). Using CGI for form data suffers
from many of the same deficiencies it exhibits when it is used to
generate page data. In addition, it provides a very low level
interface that does not assist the developer when decoding query
or posted data.
The Embedded Gateway Interface is one of a set of modern
replacements for the venerable Common Gateway Interface (CGI).
CGI suffers from several deficiencies that make it a poor choice
for creating dynamic user interfaces in embedded
applications:
-
Cannot view the page layout at design time
-
Very slow
-
Large demand on system resources
-
Additional programs and interfaces need securing
The Embedded Gateway Interface remedies these shortcomings
by allowing an equivalent of in-process CGI. Form URLs may be
bound directly to EGI code routines that will be called when the
form is posted. Appweb further assists by decoding query
arguments and providing hashed lookup to all environment data
variables.
Open Modular
Architecture
Appweb supports dynamically loadable modules so
that new content handlers, scripting engines and page generation
environments can be easily added. The existing mechanisms: ESP
and EGI have been developed as loadable modules so that they are
only loaded if required. Scripting engines such as PHP have also
been created as loadable modules.
Common Gateway Interface
(CGI)
Should you need to support existing code bases that use
CGI, Appweb provides a high performance CGI implementation.
Embedding the HTTP Server
When
embedding the Appweb HTTP server in a device or application,
all the features of the stand alone Appweb server are available.
The required SSL, Authentication, Embedded Server Pages, Embedded
Gateway Interface, CGI and other dynamic modules will be loaded
into the application as required.
To embed the Appweb HTTP server or client in an application is
easy and requires from 10 lines of code to integrate and
activate. Because Appweb is configured primarily by using an
Apache style ASCII configuration file, initialization by code is
not necessary. This also eases administration as the server
configuration may be modified in the field if required.
To make Appweb easy to embed, it supports a wide variety of
Programming Paradigms.
This includes support for C and C++, single and multithreaded
programs and a variety of different event mechanisms.
Threading Model
The Appweb HTTP server can run either
single threaded or multithreaded and the threading mode can be
selected at run-time by your application. Further, you can set
the number of threads to be used by Appweb depending on the
anticipated scale of your application.
Appweb can fully expose its event loop if needed so that it can
be integrated with existing application event mechanisms. It
supports the following event processing mechanisms:
-
Polled
-
POSIX select
-
Service thread
-
Windows messages
Debugging Support
The Appweb
HTTP server includes a powerful debug logging facility and is
fully instrumented to log trace information. This can be
invaluable in debugging ESP code logic or new Appweb handlers
that you may have written.
Samples
An extensive suite of samples is provided. See
the
Programming
Samples document for details..
Security
Most HTTP servers have become
more secure by a painful process of discovery. While it is no
guarantee, developing a HTTP server to be secure by design is
easier than trying to engineer security in after the fact.
Securing embedded HTTP servers is even more difficult as it must
be done without increasing memory footprint or damaging
performance.
Embedthis Portable Runtime (MPR)
Appweb has been designed
to be secure from the foundation by using the Embedthis Portable
Runtime (MPR). The MPR is a cross-platform layer that permits
over 97% of the Appweb code to be portable. It includes a safe
string and buffer handling module to help the eliminate buffer
overflows that have plagued so many products. It also warns when
any unsafe (traditional) C API functions are used.
Sandboxing
The Appweb HTTP server closely controls its
use of system resources via a technique known as "sandboxing".
This means running the web-server within tightly controlled
limits so that script errors or web server bugs will not
compromise system operation. Appweb has also been hardened
against several common denial of service attacks.
Appweb can be configured to:
-
Preallocate memory and not grow beyond predefined memory
limits
-
Reject requests that are too large
-
Reject URLs that are too long
-
Run single-threaded or use a pool of reusable threads to
service requests
-
Be run by a designated user account or user group
To build on this foundation, Appweb provides Secure Sockets
Layer and Digest authentication.