
Thoughts on httpd

Discussion in 'Tomato Firmware' started by rhester72, Mar 23, 2010.

  1. rhester72

    rhester72 Network Guru Member

    Today, httpd binds to 0.0.0.0 on whatever port is defined for HTTP(S) in Tomato, and makes remote access available (and restricts wireless access if desired) through iptables rules.

    Given the availability of things like pixelserv (and others that listen on HTTP ports), wouldn't it make more sense to change httpd to bind only to br0, using an iptables forward rule to allow remote access if desired (instead of defaulting to a DENY that is removed when remote access is enabled) and leave the iptables wl0 block in place as-is?

    I'm basically trying to avoid a hard bind to 0.0.0.0, because it would make binding pixelserv to an alternate IP (on br0) a lot easier if we didn't have a global listener like that.

    Thoughts?

    Rodney
     
  2. mstombs

    mstombs Network Guru Member

    My latest posted version of a C version of pixelserv accepts an IP address to bind to, and I also have an unpublished test version which has a configurable port name/number or interface (defaulting to br0). I could tidy up and post if any use?
     
  3. rhester72

    rhester72 Network Guru Member

    The biggest issue is the fact that httpd force-binds to 0.0.0.0 which means all addresses and interfaces - Tomato uses iptables rules to control access but internally binds globally. That global binding disallows pixelserv from binding to _any_ interface, even a dummy interface bridged to br0. That's why httpd itself needs to be changed to allow peaceful coexistence without having to change Tomato's internal httpd port number (i.e. it should be able to be left at 80).

    Rodney
     
  4. rhester72

    rhester72 Network Guru Member

    What a difference one line makes.

    tomato/release/src/router/httpd/httpd.c:

    Code:
    791c791
    <       sai.sin_addr.s_addr = INADDR_ANY;
    ---
    >       sai.sin_addr.s_addr = inet_addr(nvram_get("lan_ipaddr"));
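    Review bot: the replacement line at 791 has no error handling around nvram_get()/inet_addr(): if lan_ipaddr is unset, nvram_get() can return NULL and inet_addr(NULL) will crash httpd at startup; if the value is malformed, inet_addr() returns INADDR_NONE, which then silently becomes the bind address and the bind fails. Suggest reading the variable into a local first, falling back to the previous INADDR_ANY behaviour when it is NULL or parses to INADDR_NONE, and logging the address actually bound, e.g. `const char *ip = nvram_get("lan_ipaddr");` / `in_addr_t a = ip ? inet_addr(ip) : INADDR_NONE;` / `sai.sin_addr.s_addr = (a == INADDR_NONE) ? INADDR_ANY : a;`. Since the address is now fixed at startup, the commit message should also state that httpd must be restarted whenever lan_ipaddr changes.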
    Why bother?

    It allows for some mstombs magic:

    The important thing here is that now httpd and pixelserv can be running on the same port simultaneously because they are bound to two different interfaces (httpd on 192.168.0.1:80 interface br0, pixelserv on 192.168.0.2:80 interface br0:0). No need to mess with the Tomato web server config/port any longer - it all Just Works(TM)!

    I've tested this quite thoroughly with relevant options (Remote Access enabled/disabled via iptables, Allow Wireless Access enabled/disabled via httpd code) and can't find any breakage at all - in fact, it's not at all clear to me why httpd was *ever* binding to INADDR_ANY/0.0.0.0, except that it was "borrowed" from another project for Tomato.

    All the same, I have not committed this to git because a) I'd like more developer input, just in case there's some edge condition I'm not considering, since this one-liner is a pretty big change! and b) because I don't speak git (I barely manage checkouts). Woe is me - my kingdom for subversion! ;)

    Feedback most welcomed and encouraged.

    Rodney
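    The following is an added example and not Tomato's httpd.c (helper names are hypothetical): it derives the bind address from an NVRAM-style "lan_ipaddr" string with a fallback for a missing or malformed value, and shows in miniature why a specific bind leaves the port free for pixelserv. The coexistence check assumes a Linux-style loopback where 127.0.0.2 is bindable.

```c
/* Added example, not Tomato's httpd.c (helper names hypothetical): choose the
 * httpd bind address from an NVRAM-style "lan_ipaddr" string with a safe
 * fallback, and show why a specific bind lets pixelserv share the port. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* inet_addr() crashes on NULL and returns INADDR_NONE for junk, which would
 * silently become the bind address; both cases fall back to INADDR_ANY here. */
in_addr_t bind_addr_from_nvram(const char *lan_ipaddr)
{
    struct in_addr a;
    if (lan_ipaddr == NULL || inet_pton(AF_INET, lan_ipaddr, &a) != 1)
        return htonl(INADDR_ANY);
    return a.s_addr;                       /* already in network byte order */
}

/* TCP listener on addr:port (port in host order, 0 = kernel picks). Returns
 * the fd, or -1 with errno set (EADDRINUSE when the port is already taken). */
int open_listener(in_addr_t addr, uint16_t port)
{
    struct sockaddr_in sai = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = addr };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sai, sizeof sai) < 0 || listen(fd, 8) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* The thread's claim in miniature, on loopback so no br0 is needed: an "httpd"
 * bound to 127.0.0.1 leaves the same port free for a "pixelserv" on 127.0.0.2,
 * while a 0.0.0.0 bind on that port is refused. Returns 1 when it behaves so. */
int specific_bind_coexists(void)
{
    struct sockaddr_in sai; socklen_t len = sizeof sai;
    int a = open_listener(inet_addr("127.0.0.1"), 0);
    if (a < 0) return 0;
    if (getsockname(a, (struct sockaddr *)&sai, &len) < 0) { close(a); return 0; }
    uint16_t port = ntohs(sai.sin_port);
    int b = open_listener(inet_addr("127.0.0.2"), port);
    int any = open_listener(htonl(INADDR_ANY), port);
    int ok = b >= 0 && any < 0 && errno == EADDRINUSE;
    close(a); if (b >= 0) close(b); if (any >= 0) close(any);
    return ok;
}
```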
     
  5. teddy_bear

    teddy_bear Network Guru Member

    Rodney,

    Sounds like a very reasonable and useful modification. And it looks like all iptables rules needed to redirect WAN requests appropriately are already in place. So this one line change should really be enough and safe to make...

    If you don't want to deal with git just yet - I'll add this change to my local branch, and it will get to the central repo with the next push. Just need to know how you would like the "Author" line to look on your commits ;).
     
  6. rhester72

    rhester72 Network Guru Member

    I require no credit, honestly - I'm just thrilled that Tomato is finally picking up some steam again and moving forward.

    And I promise not to make the TCP Vegas mistake again. *LOL* That one will haunt me for the rest of my life...

    Rodney
     
  7. mstombs

    mstombs Network Guru Member

    Easy to guess why httpd defaults to 0.0.0.0, that's exactly what pixelserv.c does by default - we are all lazy! Guess I only ever tested different IP addresses after moving the normal httpd off port 80. I originally switched to using just https, but have since moved on to using https on non-standard port as some ads get requested on secure connections.

    Have you looked at dd-wrt Frater's use of optware/xinetd?

    It seems that it should be more efficient to have one inetd program listening for incoming connections, rather than telnetd, dropbear, pixelserv etc all occupying memory and looking for their own connections?
     
  8. rhester72

    rhester72 Network Guru Member

    This may not, in fact, be OK after all.

    What happens if the user changes the lan_ipaddr NVRAM variable via the GUI?

    Normally, Tomato would reload the GUI by pushing the updated IP to the browser so it appears to be seamless. In this case, httpd is bound to the "old" IP, and will not automatically rebind unless httpd is bounced (service is restarted).

    I haven't actually tested this, but it makes sense - there's no reason to ever restart httpd the "old" way because it binds to 0.0.0.0. The only time this would be an issue is the scenario I described above.

    I'm not so familiar with the GUI end of things in Tomato - how difficult would it be to force a httpd service restart if the LAN IP is changed via GUI (the same way many other services are restarted after save on other pages)?

    Rodney
     
  9. teddy_bear

    teddy_bear Network Guru Member

    That should not be a problem. When you save any changes made on Basic->Network page, Tomato already stops and restarts most services including httpd.
     
  10. mstombs

    mstombs Network Guru Member

    What!

    I just did - It works fine!

    Code:
    Linux WRT54G-TM 2.6.22.19 #6 Thu Mar 25 20:38:19 GMT 2010 mips GNU/Linux
    / # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 192.168.10.1:80         0.0.0.0:*               LISTEN
    / # ifconfig br0:0 192.168.10.2
    / # pixelserv 192.168.10.2
    pixerlserv[1172]: pixelserv V15 compiled: Mar 24 2010 23:24:31 from pixelserv15.c
    
    ...
    Mar 25 13:52:08 WRT54G-TM daemon.info pixerlserv[1172]: pixelserv V15 compiled: Mar 24 2010 23:24:31 from pixelserv15.c
    Mar 25 13:52:08 WRT54G-TM daemon.notice pixerlserv[1174]: Listening on 192.168.10.2:80
    ...
    / # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 192.168.10.2:80         0.0.0.0:*               LISTEN
    tcp        0      0 192.168.10.1:80         0.0.0.0:*               LISTEN
    Changing LAN IP addresses does something close to a soft reboot.
     
  11. rhester72

    rhester72 Network Guru Member

    OK, OK, I'll relax. =)

    Rodney
     
