Recently I heard about the word 'FastCGI', as I have used CGI. I have no idea whether FastCGI really works fast, i.e., does it really provide the best efficiency and performance or not? There are many alternative options in the market for CGI. So, which is the best technique: CGI, FastCGI or anything else?
FastCGI is a language independent extension of CGI and has all the features of CGI plus additional benefits when it comes to scaling your applications with distributed computing and using multiple nodes to host your application.
You can go through some links like the official website, and even though this link is old, it's a good read.
I am from network and OS operations and not from a development background. I have some experience in writing Python and PHP code, and have studied software development in college.
As a hobby project (for now), I am planning on building a small website, which will have a component to store PII and sensitive information. I have to give security the first preference, and 2nd to performance (mainly of encryption/decryption).
My target is to have everything encrypted wherever possible, and also to have code which gives as little room as possible (by default) for exploitation. The site will be hosted on a Linux system.
The whole idea of the project is to learn a language in depth (as much as possible), and I feel I will be much more focused if I pick some idea that I like. And that idea involves handling PII and other sensitive information. And, if the end product turns out good, then I will open it up, hence wanting to make a good choice when choosing the language to write the code in.
I have done some reading, and saw people mentioning that for the backend C/C++ would be good, as it gives good performance and flexibility, but security is not easy. The next best choice would be Ada 2012, as that gives more security than C/C++, and also does not compromise on performance. Java can also provide security, but can be slightly slower. And then Python/Ruby.
I am thinking that Ada 2012 may be a good choice, but I don't want to get into a position wherein I learn it to some extent and then realize that I would have been better off with Python or Java or some other language.
I want to know from the experts answers to these 3 specific questions:
Which language will be ideal to develop this site, so that:
the best available encryption/decryption libraries can be used?
the features of the language can be leveraged to write inherently secure code?
Also, the more performance can be gained, the better?
Please advise. And also, if someone has done website (especially those handling PII) development using Ada, please share your experience.
I know each and every language has advantages and disadvantages, and the intent behind my query is to learn from the experience of those who have spent many years as website developers, and have used multiple languages and frameworks to develop websites handling sensitive data. If the mods think the question can start a good vs bad language war, I apologize as that is not the intent, and I will close the question.
The features of the language can be leveraged to write inherently secure code? Ada's type system supports writing code that validates data before usage. It's a feature of the language that helps with IT-security. But of course there is much more to IT-security than that. Configuring the firewalls, for example using systemd to specify how many processes of an executable are allowed to run simultaneously by the OS, how much memory each process is allowed to allocate, which directories the different applications have access to and permissions, and so on. I am sure there is lots I don't mention nor cover in this short response.
The best available encryption/decryption libraries can be used? The best library to my knowledge for cryptography is the Ada-Crypto-Library: https://github.com/cforler/Ada-Crypto-Library.
But what is asked for is making a safe web application. For encrypting the Secure Socket Layer (https) the Ada-Crypto-Library is not used in any http server implementation that I am aware of. If one wants to develop a web application in Ada there are three options that I see: AWS (Ada Web Server) from AdaCore and that is included in the Community Edition of the GNAT compiler (www.adacore.com), the http server implementation in Dmitry Kazakov's Simple Components (http://www.dmitry-kazakov.de/ada/components.htm) or GNOGA (www.gnoga.com) that is implemented on top of Dmitry Kazakov's Simple Components. Oh wait, Matreshka may also be used but I haven't used it yet so I cannot comment (http://forge.ada-ru.org/matreshka).
According to the documentation of AWS it can be compiled to use either OpenSSL, LibreSSL or GNUTLS (http://docs.adacore.com/live/wave/aws/html/aws_ug/building_aws.html#requirements).
With Simple Components and GNOGA the Secure Socket Layer implementation is provided by GNUTLS.
Another option for providing SSL to a web application is to use the Apache web server as a proxy that handles the encryption (I have never done such a setup, only heard of the existence of this possibility).
Also, the more performance can be gained, the better? I like performance and how to get the best performance is a vast subject. On the whole I think Ada is a good programming language choice for those who like performance. Off the top of my head, to maximise performance using Ada one should:
1) When using the standard containers and using the GNAT compiler one may use "pragma Suppress (Tampering_Checks);" to increase the performance of one's application. Not everyone agrees with this view to have one debug build with the tampering checks turned on and then one release build with the checks off since one trades safety for performance, but it has a noticeable impact on performance. As an alternative to the standard containers one may use the Ada-Trait based containers (https://github.com/AdaCore/ada-traits-containers). They may be the World's most well designed containers for the Ada programming language.
2) Avoid usage of Unbounded_String in the standard library. One may instead use the XString unbounded string implementation in the GNATColl library, which may give a 10x performance boost. Also consider allocating ordinary Strings inside memory pools (or subpools) if possible (I've done that in the Xml_Parser application in the repository: https://github.com/joakim-strandberg/wayland_ada_binding).
EDIT: I deliberately avoid arguing whether or not Ada, Java or Python is better and instead focus on, if you would do it in Ada, what would you need to do and consider.
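The systemd limits mentioned in the answer above (process count, memory, directory access), sketched as a unit file. This is an added example, not part of the original answer; the service name, account and paths are hypothetical.

```ini
# /etc/systemd/system/webapp.service  (hypothetical unit name and paths)
[Unit]
Description=Example web application backend (constructed example)
After=network.target

[Service]
# Hypothetical binary, run under a dedicated unprivileged account.
ExecStart=/usr/local/bin/webapp
User=webapp
Group=webapp

# How many processes/threads the service may have at once.
# TasksMax counts every task in the unit's control group.
TasksMax=16

# How much memory the service may use.
# MemoryMax is a hard cap for the whole unit (cgroup v2);
# LimitAS is the per-process address-space rlimit.
MemoryMax=256M
LimitAS=512M

# Which directories the service can reach.
# ProtectSystem=strict makes the file system hierarchy read-only
# for this service; only ReadWritePaths stays writable.
ProtectSystem=strict
ReadWritePaths=/var/lib/webapp
ProtectHome=yes
PrivateTmp=yes

# The process and its children cannot gain privileges through
# setuid binaries or file capabilities.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security webapp.service` lists the sandboxing settings a unit still leaves open.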
Short answer - No, such a system is never possible. PII is less sensitive than a nuclear program.
Long answer --
1. the best available encryption/decryption libraries can be used?
- As your question mentions, encryption comes with decryption. SHA-1 is broken now; check alternatives (https://www.forbes.com/sites/forbestechcouncil/2017/04/13/sha-1-encryption-has-been-broken-now-what/#35e33f317ee7), and if you want to dig deep, it is not about libraries, it is about the algorithm used for the job. Any encryption can be broken sooner or later.
2. The features of the language can be leveraged to write inherently secure code?
There is no such thing as a secure language or language features that will save you. There are few frameworks based on some security principles; just follow a set of practices to make code secure.
If you follow them you would be safe; if you don't, there could be trouble, and there are around 5000 free tools (unofficial number) that can be run on a website to break it. Are you willing to test your system against so many tools?
3. Also, the more performance can be gained, the better?
- The stronger the encryption and security, the more performance you lose. It is always a trade-off, so choose your treadmill.
Security is a very vague and broad term and everyone gets hacked, even the likes of Yahoo and Symantec (https://gizmodo.com/researchers-made-a-clever-tool-to-detect-hacks-companie-1821293404).
Still not convinced? Here is the state of the art - https://en.wikipedia.org/wiki/Stuxnet - but even this is 20 years old and just 500 kilobytes of threat.
My 2 cents - As we deal in 0 and 1, please define clear goals in terms of security and performance, then make a PoC (proof of concept) and run some benchmark tests.
I've been using PyAMF to write a backend for a flex app that will request different groups of hundreds of different images depending on what the client needs. I have been using the "simple_server" WSGI server that PyAMF supplies while developing the flex code. Now I'm ready to write a robust backend that will be able to pull images from a MySQL database and send them as fast as possible and as efficiently as possible to many concurrent clients.
The PyAMF documentation is great because they supply many examples to follow, however I am confused about what kind of backend I am trying to create.
Do I want a SocketServer or a WSGI server or something like Twisted or web2py or Tornado? Are these even all different? :) Should I be using Apache modules instead (mod_wsgi or modjy or mod_python)?
I realize that this probably touches on many open debates, so maybe you could just point me to any good summaries of these debates?
It's great to have so many options, but how do I choose?
The short answer is, of course, that it depends on the requirements of your project.
How many concurrent connections is "a lot"?
How much programmer time can you throw at the problem?
How much hardware can you throw at the problem?
...etc...
If you plan to have lots of concurrent clients, it's hard to beat Twisted in the Python world. However, you'll have to deal with your database asynchronously to avoid blocking, and depending on how complex your database interactions are, this can be a bit of a pain. You're basically limited to either using twisted.enterprise.adbapi or coming up with your own twisted-ORM integration.
If you'd rather have "easy" database code (i.e. you want to use an ORM), you're better off going with a (TurboGears/Pylons/plain wsgi) project, probably hosted using Apache and mod_wsgi. This can be a pretty scalable solution, and you get a lot of stuff for free using these frameworks, but it may be more than you need.
I would avoid using one of the many plain python wsgi servers out there (wsgiref, paster, etc.) in production if you really want high performance.
Good Luck!
Ok, let's put it more mildly: Is CGI (common gateway interface) legacy?
Yes? No?
Under what circumstances would a project starting today (one that does not have to interact with legacy systems or libraries) use CGI?
It's far from dead actually. Despite the overheads, many virtual web hosting companies are now running PHP as CGI for security considerations, because it can be used with suEXEC. suEXEC means that your scripts execute under your actual Unix user privileges, and thus are restricted by the operating system's privilege separation. This is a much more robust security model than the PHP-specific open_basedir alternative.
Also, CGI is a really simple and quite versatile interface, support for it is never going out from web servers. Many newer interfaces like FastCGI and SCGI inherit the way that CGI passes HTTP headers and other variables to the web application and back. Even PHP's SAPI mimics this with its $_SERVER variable. So CGI is not going away, it is just being built upon.
Legacy? Absolutely. Dead? Well, it's on life support. I doubt it will really "die" in the foreseeable future. You might still use CGI to write a very small sort of script if you've got a server with no other means of running a webapp and you're too lazy to configure it up.
What's another reason? Maybe you've got a program that leaks memory or resources like a sieve but you need to run it anyway, so you make sure everything is cleaned up by ending the process every single request...
But seriously, for things that really matter, I think the benefits of moving to any sort of system with persistent processes outweigh the costs by quite a bit. And in my experience, it encourages writing better-organized code as well, because the kind of initialization you need to have a nicely modular application translates to "unacceptable startup time" in a CGI environment.
It is not quite dead. But fcgi looks like a much better approach. Though not officially supported by, say, Apache. You need to use side mods to get it to work.
I wouldn't consider CGI dead either. After all, it is supported by all major web servers.
One reason not mentioned for starting a CGI project might be Intellectual Property protection. For example you may decide to write a CGI program in C++ and allow your customer to install the application on a server not controlled by you.
Maybe your legacy product has tons of business implemented as libraries (.dll, .so, .lib, .a, etc.). In this case, it may actually be faster to market to stick with C/C++ when implementing a web interface.
Perhaps, you work in a Delphi shop? If 10 out of 10 engineers in your shop write Delphi, writing your new application in PHP may not be your fastest path to market.
So, in short, many variables come into play when deciding what tech to use for your new product including:
Who's your customer?
What is your starting point?
What are your assets and resources?
What do you enjoy?
What does your software need to interface with?
How will the application be deployed?
CGI is not very well suited for high performance.
But my advice is to ignore that, write for a language or library that supports multiple SAPIs, and then use what fits best for each situation.
I've been playing WoW for about 2 years and I was quite curious about Lua, which is used to write addons. Since what I've read so far about Lua was "fast", "light" and "this is great", I was wondering how and when to use it.
What is the typical situation where you will need to embed a script language like Lua in a system?
When you need end users to be able to define/change the system without requiring the system to be rewritten. It's used in games to allow extensions or to allow the main game engine to remain unchanged, while allowing content to be changed.
Embedded scripting languages work well for storing configuration information as well. Last I checked, the Mozilla family all use JavaScript for their config information.
Next up, they are great for developing plugins. You can create a custom API to expose to the plugin developers, and the plugin developers gain a lot of freedom from having an entire language to work with.
Another is when flat files aren't expressive enough. If you want to write data driven apps where behavior is parameterized, you'll get really tired of long strings of conditionals testing for config combinations. When this happens, you're better off writing the rules AND their evaluation into your config.
This topic gets some coverage in the book Pragmatic Programmer.
Lua is:
Lightweight
Easy to integrate, even in an asynchronized environment such as a game
Easy to learn for non-programmer staff such as integrators, designers and artists
Since games usually require all those qualities, Lua is mostly used there. Other situations could be any application that needs some scripting functionality, but developers often opt for a little more heavyweight solution such as .Net or Python.
In addition to the scripting and configurability cases mentioned, I would simply state that Lua+C (or Lua+C++) is a perfect match for any software development. It allows one to make an engine/usage interface where engine is done in C/C++ and the behaviour or customization done in Lua.
OS X Cocoa has Objective-C (C and Smalltalk amalgam, where language changes by the line). I find Lua+C similar, only the language changes by a source file, which to me is a better abstraction.
The reasons why you would not want to use Lua are also noteworthy. Because it hardly has a good debugger. Then again, people hardly seem to need one either. :)
A scripting language like Lua can also be used if you have to change code (with immediate effect) while the application is running. One may not see this in WoW, because as far as I remember the code is loaded at the start (and not rechecked and reloaded while running).
But think of another example: webserver and scripting language - (thankfully) you can change your PHP code without having to recompile Apache or restart Apache.
Steve Yegge did that thing for his own MMORPG engine powering Wyvern, using Jython or Rhino and JavaScript (can't remember). He wrote the core engine in Java, but the program logic in Python/JavaScript.
the effect of this is:
he doesn't have to restart the core engine when changing the scripts, because that would disconnect all the players
he can let others do the simpler programming like defining new items and monsters without exposing all the critical code to them
sandboxing: if an error happens inside the script, you may be able to handle it gracefully without endangering the surrounding application
Rapid development for application with real-time constraints. Computer games are one of these ;-)
It's a valid solution if you want to allow third parties to develop plug-ins or mods for your software.
You could implement an API in whatever language you are using, but a script language like Lua tends to be more simple and accessible for casual developers.
In addition to all the excellent reasons mentioned by others, embedding Lua in C is very helpful when you need to manipulate text, work with files, or just need a higher level language. Lua has lots of nifty features (tables, functions are first class values, lots of other good stuff). Also, while Lua isn't as fast as C or C++, it's pretty quick for an interpreted language.
I'm currently using Lighttpd on a VPS. Before that it was nginx, but I came back to Lighttpd because I needed CGI.
Apache's HTTPD is mainstream. All documentation includes examples for Apache and most modules are only available for Apache.
Is the effort to use something different from Apache really worth it?
I wouldn't consider it as premature optimization. Those two webservers are good products and strong in static content. Just because Apache is widely used, doesn't mean other products are just 'optimization'. In my experience lighttpd and nginx are easy enough to configure and you can use fcgi bindings for most programming languages.
You should consider the functionality you need and pick a server which offers those, possibly the one which uses less resources which most likely won't be Apache.
Is the effort to use something different from Apache really worth it?
It all depends on your needs: if you have less than a few dozen concurrent users (and don't plan to see that number grow any time soon) then this is just a matter of taste.
But if you are concerned about costs because your application is aimed at scaling with the load then using the most efficient server will divide your costs by up to several orders of magnitude.
This is why having the choice is great!
A very good test tool is weighttp (same syntax as ApacheBench but faster and... multi-threaded - the necessary condition to test SMP servers that scale on multi-Core CPUs).
That depends on your needs. I use nginx when it does what I need, which it usually does. Apache supports too many things that I don't often use. It's nice to use only what's needed.
Yes, if you need something like 10k concurrent connections, you have a chance with Lighttpd but not with Apache I think.
If it's worth switching while developing, I'm not sure. Probably use the webserver you know best for developing and optimize it later.
If you're running Rails, using Lighttpd is premature deoptimization. :) So it all depends on what you need. Your IT folks, if/once you have them, will thank you for using Apache if you can.
It really depends on your set of requirements. Yes, premature optimization is evil, but to be honest I don't really see how this can be it.
You would have a certain set of requirements from this webserver - maybe something to do with how easily it's installed? Portability? Featureset? etc. that dictate most of the decision for you.
I would say, don't worry about premature optimization with regards to which web server you choose - rather, objectively look at what you want it to be and what you want it to do, then make your decision from there and build your solution.