[web-devel] [Yesod] Initial SSL support for Warp

Greg Weber greg at gregweber.info
Sun Oct 23 06:50:33 CEST 2011


On Sat, Oct 22, 2011 at 9:07 PM, Michael Snoyman <michael at snoyman.com>wrote:

> I think you went to "http://localhost:3000/" instead of
> "https://localhost:3000/".
>

heh, yep.

 curl -k (don't check certificate) works. Without the -k the server quits
with this message:

 pong.hs: <socket: 9>: hPutBuf: resource vanished (Broken pipe)


> I'm not sure why Nginx would feel overkill while Pound wouldn't. I
> would think the opposite: Nginx is a fairly well-understood piece of
> technology already, with packages in most distributions, and well
> known performance characteristics. I'd use it long before something
> I've never heard of before.
>

Nginx provides redundant capabilities with respect to Warp (in addition
to unneeded features), whereas a load balancer provides capabilities not
present in Warp, which is why Nginx could be considered overkill. The other
aspect is that Nginx was not designed as a load balancer, whereas a real
load balancer is actually adding the capability of load balancing in
addition to SSL.

Perhaps you haven't heard of Pound because you haven't had the need to load
balance. HAProxy is certainly more popular, but doesn't provide SSL. Is
there a Linux distro that doesn't have a pound package?


> Anyway, I think a better bet would be to provide another package like
> warp-openssl, which should be a very simple venture. But considering
> the fact that http-enumerator is already built on tls, it seems like
> tls is doing pretty well already.
>

Using tls server side exposes different security concerns than client side.
We wouldn't normally worry about the client side being vulnerable to timing
attacks for example.

I still think this warp-tls is great and I will probably use it myself. I am
just trying to think through all the options for different use cases.


>
> Michael
>
> On Sun, Oct 23, 2011 at 2:05 AM, Greg Weber <greg at gregweber.info> wrote:
> > I tried to run and got this error from the pong application for every
> > request:
> > error received: Error_Packet_Parsing "Failed reading: invalid header
> > type: 32\nFrom:\theader\n\n"
> > I think easy SSL support out of the box without more moving parts is
> > extremely valuable to get users up and running fast. However, the newer
> > Haskell SSL implementation is going to be perceived as somewhat risky for
> > a while, so some users may still look for more established solutions.
> > Now that Yesod/Warp can serve static assets, Nginx can be overkill if we
> > just need https. I think our best solution may be pound [1], although I
> > personally haven't used it yet. Pound is designed to be a light-weight
> > load balancer but also has a specific use case as an SSL wrapper.
> > [1] http://www.apsis.ch/pound/
> >
> > On Sat, Oct 22, 2011 at 1:02 PM, Michael Snoyman <michael at snoyman.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >> Thanks (once again) to Vincent's awesome tls package, I've just added
> >> experimental support to Warp for SSL connections. The basic idea is to
> >> create an abstraction within Warp called a Connection, which handles
> >> sending and receiving data. This abstraction provides for vectored and
> >> non-vectored I/O, as well as enumerator-based I/O. In other words, it
> >> supports all of the features Warp already uses. Then a separate
> >> package, warp-tls, provides an alternate way of creating a Connection
> >> that uses the tls package instead of a raw socket.
> >>
> >> I've put this code up in a separate branch[1]. The one piece of the
> >> puzzle most definitely not implemented yet is proper timeout support.
> >> I'm waiting till Kazu and I come up with some clarity on the recent
> >> slowloris discussion before implementing the timeout code for tls.
> >> Also, I'm sure some things could be more efficient, but it's certainly
> >> working.
> >>
> >> I've included a pong.hs demo, as well as a self-signed private key and
> >> certificate, so in order to test this out, you should need to:
> >>
> >> 1. Clone the repo
> >> 2. "cabal install" warp
> >> 3. "runghc pong.hs" inside the warp-tls package
> >>
> >> Another change that likely makes sense is to improve the TLSSettings
> >> setup so it doesn't need to read the key and certificate from a file.
> >> I'm definitely open to other suggestions. Also, I don't have a
> >> particular use case for this right now, it was just something sitting
> >> on my TODO list and was relatively easy to implement, so I decided to
> >> take a crack at it.
> >>
> >> Michael
> >>
> >> [1] https://github.com/yesodweb/wai/tree/warp-tls
> >
> >
>
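An added illustration of the Connection abstraction Michael describes (one record of I/O operations, filled in once by a raw-socket backend and once by a tls-package backend). This is not code from Warp or warp-tls; the record, its field names and the backend functions are my own assumptions, and it also shows a close that tolerates a client which has already gone away, the situation behind the "resource vanished" message above.

```haskell
-- Hypothetical sketch of a Connection abstraction, not Warp's real API.
import Control.Exception (SomeException, catch)
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy as BL
import Network.Socket (Socket, close)
import qualified Network.Socket.ByteString as NSB
import qualified Network.TLS as TLS

-- | Everything the HTTP layer needs from a transport: plain and vectored
-- sends, a receive and a close. The HTTP code never touches a Socket or a
-- TLS Context directly, so the same request handling runs over either.
data Connection = Connection
  { connSend     :: B.ByteString -> IO ()    -- non-vectored send
  , connSendMany :: [B.ByteString] -> IO ()  -- vectored send (writev-style)
  , connRecv     :: IO B.ByteString          -- empty result means EOF
  , connClose    :: IO ()
  }

-- | Raw-socket backend: each operation maps directly onto a socket call.
socketConnection :: Socket -> Connection
socketConnection sock = Connection
  { connSend     = NSB.sendAll sock
  , connSendMany = NSB.sendMany sock
  , connRecv     = NSB.recv sock 4096
  , connClose    = close sock
  }

-- | TLS backend: the same record, but every byte passes through a tls
-- Context, so application data is encrypted on the wire. There is no
-- scatter-gather at the TLS layer; the chunks are joined into one lazy
-- ByteString and the tls package splits them into records itself.
tlsConnection :: TLS.Context -> Connection
tlsConnection ctx = Connection
  { connSend     = TLS.sendData ctx . BL.fromStrict
  , connSendMany = TLS.sendData ctx . BL.fromChunks
  , connRecv     = TLS.recvData ctx
  , connClose    = closeTls ctx
  }

-- | A client that rejects the certificate (curl without -k) drops the
-- connection mid-handshake, so writing close_notify can fail with a broken
-- pipe. Swallow that so one bad client cannot take the whole server down,
-- then release the underlying socket either way.
closeTls :: TLS.Context -> IO ()
closeTls ctx = (TLS.bye ctx `catch` swallow) >> TLS.contextClose ctx
  where
    swallow :: SomeException -> IO ()
    swallow _ = return ()
```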