FastCGI with SSL

Peter
26 February 2010, 12:05
Hi Hugo et al.,

Just wanted to check if the Hiawatha FastCGI implementation supports SSL sockets, i.e. connection to a remote FastCGI server through SSL? I could surely build a test app, but just thought to save the trouble and ask before coding anything.

Thanks for the 7.0, works real well.

Cheers,

Peter


Hiawatha version: Latest
Operating System:
Peter
26 February 2010, 18:11
Hi Hugo,

I think this should be moved to feature requests.
I believe it is important to have a possibility to set the Hiawatha FastCGI to connect to a remote TCP/IP socket over SSL as well. Now the browser connection to the Hiawatha server can be protected, but the requests from the Hiawatha webserver to FastCGI servers move over TCP/IP unencrypted.

This would make developing FastCGI applications with Hiawatha an excellent choice.

Regards,
Peter
Hugo Leisink
26 February 2010, 21:23
Hiawatha does not support SSL connections to FastCGI applications. For performance reasons, it is wise to keep the FastCGI application servers close to your webserver, in the same server rack that is. Because of that, SSL encryption of those connections doesn't make it more secure.
Peter
27 February 2010, 10:13
Hi Hugo,

I have a bit of a different opinion. If you have your FastCGI servers connected to the public internet and you are running a Hiawatha webserver load-balancing the FastCGI connections to those servers, there is always a risk that unencrypted FastCGI records can be captured and clearly seen between Hiawatha and the FastCGI servers.

There are surely other solutions like tunneling, VLAN etc. that could be used to protect the connections between Hiawatha and FastCGI servers. Unless the Hiawatha server and FastCGI socket are running in the same physical server (connecting using localhost or IPC), one should not rely on Hiawatha protection only; there needs to be extra care taken when using FastCGI between different servers.

Should Hiawatha support secure FastCGI connections, it would be a great webserver for FastCGI developers.

Regards,

Peter
Hugo Leisink
27 February 2010, 11:06
A FastCGI application should never be publicly connected to the internet, because FastCGI has no support for authorization and authentication. If you do, hackers can bypass the security offered by the webserver by directly connecting to the FastCGI application. If you place the FastCGI application on a different machine than the webserver machine itself, place those FastCGI machines close to your webserver (inside the same DMZ for example). Connect those via a LAN connection or cross-link cables for optimal performance. If you do so, those FastCGI packets cannot be captured by hackers and therefore SSL does not improve security. It will only give unnecessary overhead.
This topic has been closed.
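
Added example, not part of the original thread and not Hiawatha code: a minimal decoder for the FastCGI record format, showing that request parameters and the request body cross the web-server-to-application link as plain bytes and that no record field carries credentials, which is the exposure both posters are weighing. The sample stream, script path, cookie and form values are constructed.

```python
import struct

FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
HEADER = struct.Struct("!BBHHBx")  # version, type, requestId, contentLength, paddingLength, reserved

def record(rtype, req_id, content=b""):
    """Encode one FastCGI record, padded to a multiple of 8 bytes."""
    pad = -len(content) % 8
    return HEADER.pack(1, rtype, req_id, len(content), pad) + content + b"\0" * pad

def _len(n):
    # Lengths < 128 take one byte; longer ones take four with the high bit set.
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)
def pairs(params):
    return b"".join(_len(len(k)) + _len(len(v)) + k + v for k, v in params.items())

def read_len(buf, pos):
    if buf[pos] < 128:
        return buf[pos], pos + 1
    return struct.unpack_from("!I", buf, pos)[0] & 0x7FFFFFFF, pos + 4

def decode_stream(data):
    """Return (params, stdin) recovered from a byte stream of FastCGI records."""
    params_raw, stdin, pos = b"", b"", 0
    while pos + HEADER.size <= len(data):
        _ver, rtype, _req, clen, plen = HEADER.unpack_from(data, pos)
        body = data[pos + HEADER.size : pos + HEADER.size + clen]
        pos += HEADER.size + clen + plen
        if rtype == FCGI_PARAMS:
            params_raw += body
        elif rtype == FCGI_STDIN:
            stdin += body
    params, i = {}, 0
    while i < len(params_raw):
        nlen, i = read_len(params_raw, i)
        vlen, i = read_len(params_raw, i)
        params[params_raw[i:i + nlen]] = params_raw[i + nlen:i + nlen + vlen]
        i += nlen + vlen
    return params, stdin

# Constructed sample: the records a web server would send for one POST request.
SAMPLE_PARAMS = {b"REQUEST_METHOD": b"POST", b"SCRIPT_FILENAME": b"/srv/app/login.fcgi",
                 b"HTTP_COOKIE": b"session=" + b"A" * 150}
SAMPLE_STREAM = (record(FCGI_BEGIN_REQUEST, 1, struct.pack("!HB5x", 1, 0))
                 + record(FCGI_PARAMS, 1, pairs(SAMPLE_PARAMS)) + record(FCGI_PARAMS, 1)
                 + record(FCGI_STDIN, 1, b"user=alice&password=example") + record(FCGI_STDIN, 1))

if __name__ == "__main__":
    print(decode_stream(SAMPLE_STREAM))
```

Everything the decoder recovers (cookie, script path, form body) is what a tunnel, VLAN or same-host socket between the web server and the FastCGI application has to protect, since the protocol itself provides neither confidentiality nor peer authentication.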