[web-devel] [Yesod] Initial SSL support for Warp

Michael Snoyman michael at snoyman.com
Sun Oct 23 07:18:17 CEST 2011


On Sun, Oct 23, 2011 at 6:50 AM, Greg Weber <greg at gregweber.info> wrote:
> On Sat, Oct 22, 2011 at 9:07 PM, Michael Snoyman <michael at snoyman.com>
> wrote:
>>
>> I think you went to "http://localhost:3000/" instead of
>> "https://localhost:3000/".
>
> heh, yep.
>  curl -k (don't check certificate) works. Without the -k the server quits
> with this message:
>  pong.hs: <socket: 9>: hPutBuf: resource vanished (Broken pipe)

I just added exception handling, should work now. Just to be clear:
the fact that curl refuses to download the page is expected, since I'm
using a self-signed certificate. The only issue was that warp-tls
wasn't checking for any exceptions thrown from the tls code.

>> I'm not sure why Nginx would feel overkill while Pound wouldn't. I
>> would think the opposite: Nginx is a fairly well-understood piece of
>> technology already, with packages in most distributions, and well
>> known performance characteristics. I'd use it long before something
>> I've never heard of before.
>
> Nginx provides redundant capabilities with respect to Warp (in addition
> to unneeded features), whereas a load balancer provides capabilities not
> present in Warp, which is why Nginx could be considered overkill. The other
> aspect is that Nginx was not designed as a load balancer, whereas a real
> load balancer is actually adding the capability of load balancing in
> addition to SSL.
> Perhaps you haven't heard of Pound because you haven't had the need to load
> balance. HAProxy is certainly more popular, but doesn't provide SSL. Is
> there a Linux distro that doesn't have a pound package?

Sorry, that might be the case: I haven't needed a load balancer yet.
So let me rephrase: I personally feel more comfortable setting up
nginx than pound, so if I'm the one writing the documentation, that
would be my recommendation. If others say pound will have a smaller
footprint than nginx for this case, and are interested in writing up
how to use it, that's a good idea.

>>
>> Anyway, I think a better bet would be to provide another package like
>> warp-openssl, which should be a very simple venture. But considering
>> the fact that http-enumerator is already built on tls, it seems like
>> tls is doing pretty well already.
>
> Using tls server side exposes different security concerns than client side.
> We wouldn't normally worry about the client side being vulnerable to timing
> attacks for example.

That's a good point.

> I still think this warp-tls is great and I will probably use it myself. I am
> just trying to think through all the options for different use cases.

Let's get the kinks worked out of warp-tls. I think adding
warp-openssl or warp-gnutls will be a matter of 30 minutes of coding
or so once we have a template from warp-tls.

Michael
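The failure described above (a client aborting the TLS handshake killed the whole server with "hPutBuf: resource vanished (Broken pipe)") comes down to per-connection exception isolation. The following is an added illustration, not warp-tls or Yesod code: a minimal accept loop where each connection thread catches its own exceptions, so a peer that disconnects early only ends that connection. The `echo` handler is an assumed stand-in for the real TLS handshake plus HTTP handler, so the example runs with only the `network` package.

```haskell
{-# LANGUAGE ScopedTypeVariables #-}
module Main (main) where

import Control.Concurrent (forkIO)
import Control.Exception (SomeException, bracket, finally, handle)
import Control.Monad (forever, unless, void)
import qualified Data.ByteString as B
import Network.Socket
import Network.Socket.ByteString (recv, sendAll)
import System.IO (hPutStrLn, stderr)

-- Accept loop: every connection runs in its own thread, and that thread is
-- wrapped in a handler for all synchronous exceptions. A peer that drops the
-- connection mid-handshake ("resource vanished (Broken pipe)") is logged and
-- its socket closed; the listening loop itself keeps running.
serveForever :: PortNumber -> (Socket -> IO ()) -> IO ()
serveForever port perConn =
  bracket open close $ \lsock -> forever $ do
    (conn, peer) <- accept lsock
    void . forkIO $
      handle (\(e :: SomeException) ->
                hPutStrLn stderr ("connection from " ++ show peer
                                  ++ " failed: " ++ show e))
             (perConn conn)
        `finally` close conn
  where
    open = do
      s <- socket AF_INET Stream defaultProtocol
      setSocketOption s ReuseAddr 1
      bind s (SockAddrInet port (tupleToHostAddress (127, 0, 0, 1)))
      listen s 16
      return s

-- Assumed stand-in for the real per-connection handler (TLS handshake and
-- HTTP loop). It is a plain echo so the example needs no TLS library; a
-- client that disconnects mid-request makes recv/sendAll throw, and the
-- handler in serveForever catches that instead of letting it escape.
echo :: Socket -> IO ()
echo conn = do
  bs <- recv conn 4096
  unless (B.null bs) $ sendAll conn bs >> echo conn

main :: IO ()
main = serveForever 3000 echo
```

Without the `handle` wrapper the exception would only terminate the forked thread, but the same omission inside a handler that runs on the accepting thread, or a missing `finally`, leaks the socket or takes the listener down with it.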
