Ada/GNAT/AWS-friendly web hosting
Jeffrey R.Carter
2024-09-12 16:22:28 UTC
> Researching how to build an HTTP server (serving a website) on a local machine
> (MacOS) using AWS (Ada Web Server) and deploy it on a web hosting provider (e.g.
> 1dollar-webhosting.com).
In my experience, this would be easier done with Gnoga
(https://sourceforge.net/projects/gnoga/) than AWS. On a web-based system using
AWS quite a while ago, we had to have a number of JS files. Although we had a
lot more Ada than JS, we spent a lot more effort correcting JS errors than Ada
errors.

Gautier de Montmollin has made Gnoga programs publicly available, such as his
Pasta! game (http://pasta.phyrama.com/), so might be able to help with your
hosting questions.
--
Jeff Carter
"[O]ne can look forward to a rapid and widespread
improvement in programming practice, both from
those who use the language [Ada] and from those
who study its concepts and structures."
C. A. R. Hoare
181
J-P. Rosen
2024-09-12 17:06:08 UTC
> The usual way is to use Apache (or nginx or another one) as a front end.
> Your application uses port 1080 (or something else) and the front end
> relays this port to the external 80 port.
> This way, the security stuff is managed by the front end, not your
> application. You can also run multiple applications, each being
> redirected to its domain name/path.
But security breaches mainly use known bugs in Apache... If you write
your own server with AWS, the attacker knows nothing about the software
that answers! And as for buffer overflow attacks... well, it's Ada.
You'll see some handled Constraint_Error in the log file, end of story!
--
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
https://www.adalog.fr https://www.adacontrol.fr
Kevin Chadwick
2024-09-12 17:16:29 UTC
Post by J-P. Rosen
> This way, the security stuff is managed by the front end, not your
> application. You can also run multiple applications, each being
> redirected to its domain name/path.
> But security breaches mainly use known bugs in Apache... If you write
> your own server with AWS, the attacker knows nothing about the software
> that answers! And as for buffer overflow attacks... well, it's Ada.
> You'll see some handled Constraint_Error in the log file, end of story!
AWS uses OpenSSL or a fair bit better LibreSSL for TLS, written in C and
quite often found vulnerable. You could isolate the nginx proxy to another
machine though.
--
Regards, Kc
Lawrence D'Oliveiro
2024-09-12 22:35:20 UTC
Post by J-P. Rosen
> But security breaches mainly use known bugs in Apache... If you write
> your own server with AWS, the attacker knows nothing about the software
> that answers!
That’s called “security through obscurity”. Not recommended.
J-P. Rosen
2024-09-13 06:46:33 UTC
Post by Lawrence D'Oliveiro
Post by J-P. Rosen
> But security breaches mainly use known bugs in Apache... If you write
> your own server with AWS, the attacker knows nothing about the software
> that answers!
> That’s called “security through obscurity”. Not recommended.
No, AWS is public and there is nothing hidden. Just that, since there
are wayyyyy more users of Apache than of AWS, attackers will not bother
to try to break in.
--
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
https://www.adalog.fr https://www.adacontrol.fr
Randy Brukardt
2024-09-14 06:38:16 UTC
Post by J-P. Rosen
> But security breaches mainly use known bugs in Apache... If you write
> your own server with AWS, the attacker knows nothing about the software
> that answers!
> That's called "security through obscurity". Not recommended.
That's the wrong way to look at it. An Ada program is better thought of as
"security by simplicity and correctness", because you are running an Ada
that only does a few things (and which can be thoroughly tested, checked with
static analysis, and so on) rather than a general program that does a
zillion things (with many combinations that can't be tested).

The only place "obscurity" comes into it is that no one else is running the
exact same program as you. So attacks that depend on any sort of knowledge
of the program cannot succeed.

In any case, there is no such thing as "secure", there are only levels, and
for the sorts of non-critical stuff that we're doing, an Ada program is
certainly secure enough. I wouldn't try to run a storefront on it (although
that would be more because you'd have a hard time convincing your bank that
it is OK than any real problems), or anything that needs high-level
security.

Randy.
Dmitry A. Kazakov
2024-09-12 18:48:29 UTC
> Researching how to build an HTTP server (serving a website) on a local
> machine (MacOS) using AWS (Ada Web Server) and deploy it on a web
> hosting provider (e.g. 1dollar-webhosting.com).
That depends on what the provider would allow you to upload to the host.
Likely nothing executable... (:-))
> If the host runs on Linux then cross-building (from MacOS to Linux)
> required, right? GNAT does that, right?
It is possible, but far simpler would be a virtual machine running
Linux. E.g. I compile for Linux targets on virtual machines. Only for
ARM I am using physical machines. You must know what kind of Linux your
provider has in order to choose the right version of the libc etc.
> The host is already running an HTTP server program (probably Apache).
> Must it be turned off? How?
Ask the provider. You would need the ports free.
> In general, can the executable be launched on a VPS (Virtual Private
> Server)? Which port?
No idea.
> Will dynamic linking work? I'm guessing not, so, static; but then, will
> GNAT integrate the right libraries for Linux in the executable?
If you ship the libraries together with the server. Then if the host
runs Apache it must have some TLS library installed. You must learn the
version and link against it.
In any case you need either OpenSSL or else GNUTLS. The HTTP server from
Simple Components can use both. I believe that either can be built as a
static library. I see no reason why AWS could not be linked statically.
BTW you must maintain certificates on the server.
> Will "Community GNAT" do? (Instead of GNAT Pro.)
I am not sure if all-static build were possible, e.g. libc, libgnat.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
Lawrence D'Oliveiro
2024-09-12 22:29:36 UTC
> Although we had a lot more Ada than JS, we spent a lot more effort
> correcting JS errors than Ada errors.
Did you “use strict”?
Jeffrey R.Carter
2024-09-13 09:03:03 UTC
Post by Lawrence D'Oliveiro
> Although we had a lot more Ada than JS, we spent a lot more effort
> correcting JS errors than Ada errors.
> Did you “use strict”?
I don't know. It was quite a while ago and I didn't work on the JS. But the
point is that when you use Gnoga, you don't need to create any JS.
--
Jeff Carter
"He had no conception of the instrument. He
was blowing into it."
Take the Money and Run
135
Lawrence D'Oliveiro
2024-09-12 22:40:35 UTC
> The host is already running an HTTP server program (probably Apache).
> Must it be turned off? How?
> The usual way is to use Apache (or nginx or another one) as a front end.
> Your application uses port 1080 (or something else) and the front end
> relays this port to the external 80 port.
Yup, I do things this way for my Python+ASGI code, too. This is called a
“reverse proxy”, though I don’t know why -- I think “server-side proxy”
would be more accurate.

Make sure your back-end server is listening only on a loopback address:
127.0.0.0/8 (IPv4) or ::1 (IPv6). That way the only access to it from
outside the machine is through the public web-server front end.

(Question to ponder: why does IPv4 offer over 16 million different
loopback addresses, while IPv6, with its much larger address space, has
to make do with only one?)
> This way, the security stuff is managed by the front end, not your
> application. You can also run multiple applications, each being
> redirected to its domain name/path.
Yup.
Stéphane Rivière
2024-09-13 13:15:03 UTC
Marius,

As a professional web hoster, I strongly advise you to forget Apache and
use only Nginx, both as a proxy (in your case) and as a web server
(generic case). Not only does Apache have security problems, but its
performance is pitiful compared to Nginx.

If you have several sites, the ideal solution is to enter everything in
https/port 443 on the nginx proxy (which will be able to manage X509/TLS
https certificates) and exit on as many ports 8080, 8081, 8082, etc. as
you have websites.

All the best from here.
--
Stéphane Rivière
Ile d'Oléron - France
Björn Persson
2024-09-13 14:33:15 UTC
> Researching how to build an HTTP server (serving a website) on a local
> machine (MacOS) using AWS (Ada Web Server) and deploy it on a web
> hosting provider (e.g. 1dollar-webhosting.com).
I don't know about 1dollar, but a typical web hosting provider will
only let you upload static files (HTML, pictures et cetera), limited
snippets of web server configuration, and certain kinds of programs
that run under their web server's control. PHP is common. Some might
run Perl programs with mod_perl, or Python programs using WSGI.

Maybe some web hosts support CGI or FastCGI. Those interfaces can be
implemented in Ada. I think you'll have limited use for AWS in that
case, as the HTTP parsing is handled by the web server.

I think it would be hard to find a web host that lets you run arbitrary
network-facing daemons. To run your own web server you want a VPS (or a
physical server in a collocation facility, but if your security needs
don't rule out a web host, then a VPS is also fine).
> The host is already running an HTTP server program (probably Apache).
> Must it be turned off? How?
A typical web host won't let you turn off their web server. They serve
many customers' content from the same Apache instance, so turning that
off would break all those websites.
> In general, can the executable be launched on a VPS (Virtual Private
> Server)?
Sure. In a VPS you have the whole operating system to yourself (maybe
except for the kernel if the VPS provider uses OpenVZ). You install and
run whatever programs you want, just like on your own physical computer.
Maybe you'll be able to get a VPS with MacOS, if that's your preference.

In a VPS it's also your responsibility to install updates regularly,
and upgrade to a new major OS version from time to time. If you fail to
keep up, then criminals will take over your VPS and use it as a relay
when attacking others. Make sure that you'll be notified automatically
when there are updates to install.
> If the host runs on Linux then cross-building (from MacOS to Linux)
> required, right? GNAT does that, right?
GCC – and thus GNAT – can be built as a cross-compiler. Perhaps you
can find one that someone has built and packaged for MacOS. Otherwise
you'll need to build your own from the GCC source code, configuring it
to be a cross-compiler. (That's theoretical knowledge. I have no
practical experience with cross-compilation).
> Or, must the program be built in the host? (Thus requiring GNAT be there.)
No, but in my opinion it's much easier that way. Either build on the
computer you'll run on, or on another computer of the same processor
architecture, running the same version of the same operating system.
That way you don't need to worry about getting the wrong version of
some library or build tool.
> Will dynamic linking work? I'm guessing not, so, static; but then, will
> GNAT integrate the right libraries for Linux in the executable?
Cross-compilation should be able to work with shared libraries.
Regardless of whether the libraries are shared or static, libraries for
the target machine must be available on the build host. I guess you
would either install packaged libraries on the target machine, and copy
those to the build host, or else cross-compile the libraries too. You
need to configure search paths carefully so that both the compiler and
the linker find the cross-libraries instead of the native ones. This is
one of the complications you avoid by building natively.
> Which port?
Normally port 443, because of course you'll use HTTPS, won't you?
Optionally you can also have an HTTP server on port 80 that responds to
every request with a redirection to HTTPS.

If you choose to put AWS behind a reverse proxy like DrPi suggested,
then the reverse proxy listens on port 443 on your public IP address,
and you tell AWS to listen on some other port and only on the localhost
address, ::1 or 127.0.0.1.

Björn Persson
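Added example, not part of the thread: a check for the advice in the two posts above (Lawrence D'Oliveiro's and Björn Persson's) that the back end behind the reverse proxy listens only on a loopback address. It reads listener lines in the format of `ss -H -ltn`; the sample lines, the back-end port set 8080-8083 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the format printed by `ss -H -ltn` (not real output).
SAMPLE_SS = """\
LISTEN 0 511        0.0.0.0:443       0.0.0.0:*
LISTEN 0 511        0.0.0.0:80        0.0.0.0:*
LISTEN 0 128      127.0.0.1:8080      0.0.0.0:*
LISTEN 0 128        0.0.0.0:8081      0.0.0.0:*
LISTEN 0 128          [::1]:8082         [::]:*
LISTEN 0 128              *:8083            *:*
LISTEN 0 4096 127.0.0.53%lo:53        0.0.0.0:*
"""

# Assumed back-end ports; the front end on 80/443 is expected to be public.
BACKEND_PORTS = {8080, 8081, 8082, 8083}


def parse_local(field):
    """Split a 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_loopback(host):
    """True only if the bind address is inside 127.0.0.0/8 or is ::1."""
    if host == "*":  # wildcard: every address, IPv4 and IPv6
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:  # bind written as ::ffff:127.0.0.1
        addr = mapped
    return addr.is_loopback


def exposed_backends(ss_output, backend_ports=BACKEND_PORTS):
    """Return sorted (port, host) pairs for back ends bound off-loopback."""
    findings = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port in backend_ports and not is_loopback(host):
            findings.add((port, host))
    return sorted(findings)


if __name__ == "__main__":
    for port, host in exposed_backends(SAMPLE_SS):
        print(f"back end on port {port} is bound to {host}, not loopback")
```

On a real host, pass the output of `ss -H -ltn` in place of the sample and set the port list to the ports the proxy forwards to.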
Lawrence D'Oliveiro
2024-09-13 22:09:11 UTC
Post by Björn Persson
> Maybe some web hosts support CGI or FastCGI.
Don’t do that.
Stéphane Rivière
2024-09-14 07:01:32 UTC
Post by Lawrence D'Oliveiro
Post by Björn Persson
> Maybe some web hosts support CGI or FastCGI.
> Don’t do that.
Could you elaborate why you recommend to not use FastCGI?

Thanks in advance.


PS

We use FastCGI with Nginx to host tons of Wordpress web sites via
PHP_FPM. FastCGI allows us to implement an extremely high-performance
FastCGI cache. Caching is essential for slow and interpreted PHP
applications and/or high-traffic applications, whatever the language used.
--
Stéphane Rivière
Ile d'Oléron - France
Lawrence D'Oliveiro
2024-09-14 07:26:04 UTC
Post by Stéphane Rivière
> We use FastCGI with Nginx to host tons of Wordpress web sites via
> PHP_FPM. FastCGI allows us to implement an extremely high-performance
> FastCGI cache. Caching is essential for slow and interpreted PHP
> applications and/or high-traffic applications, whatever the language used.
I would use the server-side proxy approach.

I see that FastCGI is basically an alternative to this, using a special
protocol to communicate with the proxy, instead of just regular HTTP. But
when I discovered that the “official website” (fastcgi.com) disappeared
off the Web some years ago, I decided that the whole concept was becoming
obsolescent and so best avoided.

Also, it appears FastCGI doesn’t support WebSockets. Whereas server-side
proxying does. Another point in favour of the latter.
Stéphane Rivière
2024-09-14 08:51:50 UTC
OK. Got it.

Actually, it depends on the problem to be solved. In the case I
mentioned (PHP websites), FastCGI is a must and the FastCGI cache a
performance grail.

FastCGI can be useful, even in Ada, if the site has to serve large
quantities of static text and static images, that will make good use of
a FastCGI cache.

But for dynamic sites (without static data) written without PHP, I
agree that the WebSockets protocol is indeed ideal.

WebSockets is a http1 only protocol. Which doesn't matter. In most
dynamic sites, such as business software, http2 or http3 are useless.
--
Stéphane Rivière
Ile d'Oléron - France
Lawrence D'Oliveiro
2024-09-14 09:41:03 UTC
> In the case I mentioned (PHP websites), FastCGI is a must and the
> FastCGI cache a performance grail.
OK, PHP doesn’t do WebSockets anyway, so that’s probably OK.
> But for dynamic sites (without static data) written without PHP, I
> agree that the WebSockets protocol is indeed ideal.
WebSockets is essential for certain kinds of interactivity.
> WebSockets is a http1 only protocol.
Apparently not
<https://www.ietf.org/archive/id/draft-ietf-httpbis-h3-websockets-02.html>.
Stéphane Rivière
2024-09-14 10:29:07 UTC
Post by Lawrence D'Oliveiro
> OK, PHP doesn’t do WebSockets anyway, so that’s probably OK.
It's just mandatory if you need maximum performance with PHP.

I deeply dislike PHP but it's a huge part of our business. Yes, it's a
bit schizophrenic.
Post by Lawrence D'Oliveiro
Post by Stéphane Rivière
> But for dynamic sites (without static data) written without PHP, I
> agree that the WebSockets protocol is indeed ideal.
> WebSockets is essential for certain kinds of interactivity.
for sure!
Post by Lawrence D'Oliveiro
> Apparently not
> <https://www.ietf.org/archive/id/draft-ietf-httpbis-h3-websockets-02.html>.
You're teaching me something! Thank you. So WebSockets /was/, until
recently, a http1 only protocol. I'm probably influenced by our recent
work with Gnoga (https://v22.soweb.io).
--
Stéphane Rivière
Ile d'Oléron - France
Kevin Chadwick
2024-09-14 12:02:05 UTC
Post by Stéphane Rivière
> work with Gnoga (https://v22.soweb.io).
Runs on Android/IOS. Does that require an internet web server?
--
Regards, Kc
Stéphane Rivière
2024-09-14 13:00:00 UTC
Post by Kevin Chadwick
> Runs on Android/IOS.
Yes v22.Gui/Gnoga is responsive. Tested with 5" smartphones as old as
Nexus 5 (with a browser more recent than the stock one to handle
websockets). Also tested on 43” 4K ;)

On some iOS devices, the menu bar is slightly offset. I didn't look too
hard. It's a Safari problem. It works fine with Firefox and Chrome.
Post by Kevin Chadwick
> Does that require an internet web server?
Not necessarily. v22.Gui/Gnoga supports itself X509 TLS https
certificates (tested). However, for various reasons (such as the
possibility of having several web applications on the same instance and
on the same 80/443 input port), in production, I've always chosen to
have a Nginx proxy on the front end, which is also more flexible and
handles automatic switching from http/80 to https/443.
--
Stéphane Rivière
Ile d'Oléron - France
Jeffrey R.Carter
2024-09-14 14:34:09 UTC
Post by Kevin Chadwick
> Runs on Android/IOS.
> Yes v22.Gui/Gnoga is responsive. Tested with 5" smartphones as old as Nexus 5
> (with a browser more recent than the stock one to handle websockets). Also
> tested on 43” 4K ;)
Interesting. How do you compile for Android/IOS?

Incidentally, the screenshot you have for the Tic-Tac-Toe demo seems to be Othello.
--
Jeff Carter
"Damn it, Jim, I'm an actor, not a doctor."
124
Stéphane Rivière
2024-09-14 16:11:42 UTC
Hi Jeffrey,
Post by Jeffrey R.Carter
> Interesting. How do you compile for Android/IOS?
There's some confusion, I'm having trouble expressing myself. v22.Gui is
a framework on top of Gnoga, with specific CSS, making it possible to
obtain a responsive and therefore Android/IOS compatible application,
through the smartphone's web browser.

The Ada application with the v22 framework/library is of course
installed on any server/pc.
Post by Jeffrey R.Carter
> Incidentally, the screenshot you have for the Tic-Tac-Toe demo seems to be Othello.
Thanks for reporting this error. I'll correct ASAP.
--
Stéphane Rivière
Ile d'Oléron - France
Jeffrey R.Carter
2024-09-14 18:04:02 UTC
> There's some confusion, I'm having trouble expressing myself. v22.Gui is a
> framework on top of Gnoga, with specific CSS, making it possible to obtain a
> responsive and therefore Android/IOS compatible application, through the
> smartphone's web browser.
I misunderstood. Of course a Gnoga web application can be connected to from any
platform with a browser.
--
Jeff Carter
"Damn it, Jim, I'm an actor, not a doctor."
124
J-P. Rosen
2024-09-12 14:48:40 UTC
> Researching how to build an HTTP server (serving a website) on a local
> machine (MacOS) using AWS (Ada Web Server) and deploy it on a web
> hosting provider (e.g. 1dollar-webhosting.com).
> Anyone done that? I've searched but could not find.
Adalog's site (https://www.adalog.fr/) is a standalone program written
in Ada with AWS.

So are the sites for the various Ada-Europe conferences (see
https://www.ada-europe.org/conference2024/ for example).

And many others...
> Thanks.
> _____
> Some specific questions on my mind follow.
> Is a MacOS host required (e.g. Ultahost 15 euros/month; I'd rather stay
> with 1dollar)?
No
> If the host runs on Linux then cross-building (from MacOS to Linux)
> required, right? GNAT does that, right?
Never tried, but no reason it shouldn't be possible
> Or, must the program be built in the host? (Thus requiring GNAT be there.)
That's what I do
> The host is already running an HTTP server program (probably Apache).
> Must it be turned off? How?
Of course, you cannot have two programs listening on the same port, so
if you want to listen to 80 or 8080, you'd better stop Apache (or any
other program) to do that. As for me, I don't run Apache at all.
> In general, can the executable be launched on a VPS (Virtual Private
> Server)? Which port?
The port is given by the initial data of AWS
> Will dynamic linking work? I'm guessing not, so, static; but then, will
> GNAT integrate the right libraries for Linux in the executable?
You just compile your program like any other Ada program
> Will "Community GNAT" do? (Instead of GNAT Pro.)
Yes, that's what I do
> Are those the right questions?
All questions are right....
> Thanks, thanks, thanks, thanks, thanks, thanks and thanks.
You're welcome
--
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
https://www.adalog.fr https://www.adacontrol.fr
DrPi
2024-09-12 14:54:45 UTC
> Researching how to build an HTTP server (serving a website) on a local
> machine (MacOS) using AWS (Ada Web Server) and deploy it on a web
> hosting provider (e.g. 1dollar-webhosting.com).
> The host is already running an HTTP server program (probably Apache).
> Must it be turned off? How?
The usual way is to use Apache (or nginx or another one) as a front end.
Your application uses port 1080 (or something else) and the front end
relays this port to the external 80 port.
This way, the security stuff is managed by the front end, not your
application. You can also run multiple applications, each being
redirected to its domain name/path.
Nioclás Pól Caileán de Ghloucester
2024-09-13 17:36:41 UTC
Aonix used Apache. WWW.PTC.com is not saying that it uses AWS. IBM is
using AkamaiGHost. OC Systems Inc (nice company) is using Apache. DDC-I,
Inc. is using nginx. Ada Core is using nginx-rc. WWW.BKsv.com uses
cloudflare. Green Hills Software and Irvine Compiler Corporation are using
Apache. Not good advertisements.

(RR Software, Inc. and Ada-Auth.org use RRS Ada HTTP Server.)

"Marius Alves" wrote yesterday:
"Anyone done that? [. . .]

Thanks.
_____

Some specific questions on my mind follow.

[. . .]

Are those the right questions?

Thanks, thanks, thanks, thanks, thanks, thanks and thanks."

I emailed in July 2010:
"Dear Marius Amado-Alves,

This is serious. I do not ever remember receiving a reply from you to the
email which I had sent for you in March 2008. Perhaps you had replied and
I somehow do not notice. [. . .] So, if you had replied, please advise me
of this. If you had not replied, then please answer: Do you object to
being identified in a paper documenting much of the supposed research
unsuitable for space and SystemC® fraud which I discovered in Pisa, on
account of how unhelpful you were? Do you wish to propose how to phrase a
mention of how you behaved in the paper?"

I ask "Will answers be given?" more than fourteen years afterwards.