Forum

Will Hiwatha ever support configuring a reverse proxy on a unix domain socket instead of only on TCP sockets?

Wondering,
-Aaron Gifford

I think not. What application uses a unix socket for incoming HTTP requests??

Lots of web apps can listen on a loopback IP (127.x.x.x/8) and port OR a unix domains socket. When a FreeBSD server may host different sites on different IPs, it is more secure and easier to configure things securely when the front-end web server communicates with the back-end application server over a unix domain socket than over an IP address, even the loopback IP. Directory permissions can limit access to the socket to just the web server and the application server, whereas it's more difficult to get fine grained permission per-process TCP firewalling of a loopback IP to prevent other processes from getting access to the application server listening on the loopback IP.

-Aaron Gifford

I installed Hiawatha in high hopes I could use it instead of Nginx--but sadly discovered that it currently doesn't support talking to a web server on a Unix domain socket with the reverse proxy feature. I'd love to move from Nginx to Hiawatha as Hiawatha matches my own personal security preference of do-the-minimum-required-securely-and-well without additional unneeded features that only expand the security surface I have to worry about.

-Aaron Gifford

So, Hiawatha should be able to connect to a backend webserver via Unix socket. Correct? So, the ReverseProxy configuration option should be able to accept the path to a file (the Unix socket). Correct?

I have a version ready that supports Unix sockets via the reverse proxy. If you send me an e-mail, I'll reply with a version you can test.

Thank you!

Aaron Gifford
astounding@gmail.com