Mbedthis AppWeb™Overview

Mbedthis AppWeb is the industry's first embeddable HTTP web server that has been designed from the start with security in mind. It is a fast, high functionality, small-footprint, standards based embedded web server specifically designed for use by applications and embedded devices.

Why Embed a Web Server?

There are two ways to implement a HTTP web server.

• Create a web application to run with an Enterprise Web server. This presentation layer application then communicates with your "logic" application as required.

• Embed a HTTP web server directly in your application so it becomes a HTTP server itself.

Conventional wisdom has stressed the separation of presentation from logic and this is a good axiom. However, it should be a logical separation and not necessarily a physical separation. In some cases, a physical separation is ideal and it certainly can help to scale-out a large site when used with load balancing. In other cases, the simplicity and performance gains from embedding a web server directly in an application or device make direct embedding a preferred choice. Both approaches are legitimate. Mbedthis AppWeb aims to be the best embeddable HTTP server.

There are many reasons to embed a Web Server. Some examples are:

• You want to ship evaluation copies of your application with a web user interface, but you don't want users to have to modify their enterprise web server configuration just for a trial.

• You want to ship a device appliance and it must be web manageable for all functions.

• You want to web-enable an existing application as quickly as possible and you don't want the complexity of creating a separate web application.

• You want to simplify the deployment of your application so it can be secured and administered at one point. You don't want to separately manage the web presentation and the back-end application.

Who Embeds Web Servers?

There are two classes of users for AppWeb: Enterprise application developers and Device builders and they are riding two key trends:

• Enterprise customers who want applications with web based user interfaces

• Devices and appliances are expected to be web manageable

Should embedding a HTTP server be the right option for you, there are numerous benefits in doing so:

• Simpler design (one process, no IPC, single protocol)

• Easier to secure

• Less code (means less bugs)

• Much easier to create dynamic web content

A Web Server is a Web Server, Right?

An embedded web server has a different set of design goals compared with those of an enterprise web server such as Apache. While both servers receive and respond to the standard HTTP protocol, the design goals and core processing architectures choices are considerably different. Furthermore, the resource demands these web servers impose on a system may be very different. Enterprise web servers typically assume that they are the most important application on the system and often run on a dedicated system. It is acceptable for them to scale to consume available resources to serve incoming requests. In contrast, Embedded web servers assume they are secondary to the essential functions an application or device must perform. As such, embedded web servers must minimize their resource demands and must be deterministic in the load they place on a system.

The key design goals of embedded web servers and AppWeb in particular are to be:

• Easily embeddable in applications and devices

• Easy to configure and administer

• Small memory footprint

• Secure by design and by default

• Deterministic demand on system resources

• No compromise on features

• Open source with commercial license options

AppWeb Components

The AppWeb product includes the following components:

• AppWeb HTTP Server library

• AppWeb HTTP Client library

• AppWeb HTTP server main program

• AppWeb loadable modules for server-side JavaScript, Embedded Server Pages, Embedded Gateway Interface, Common Gateway Interface and Secure Socket Layer

• Documentation

• Samples

• Source code
  

AppWeb Architecture

The core AppWeb HTTP server has been carefully designed to be deterministic in its use of system resources while retaining high performance and minimal footprint. It does this leveraging the following features:

• Portable runtime layer to isolate platform dependencies

• Modular architecture with dynamic module loading

• High performance multithreaded core

• Thread pool for fast thread allocation

• Safe programming layer to prevent buffer overrun exploits and sandboxing to limit resource consumption

• Efficient output data stream buffering

• Apache compatible configuration

• Extensive logging and debug trace

And for those who wish to rebuild AppWeb from source code, AppWeb can be highly optimized by using an an extensive set of compile time options to control what features are included.

Modes of Operation

The Mbedthis AppWeb product is more than just a stand-alone HTTP server. The product includes this base functionality, but it also exposes components so that you may embed the core HTTP server and HTTP client functionality directly in your applications.

For applications, embedding the HTTP server in the application greatly simplifies deployment as there is no separate web application to deploy. For devices, either running a stand-alone server or embedding the server in the device application will work effectively.

Stand-alone HTTP Server

When using AppWeb as a stand-alone server, you can create web user interfaces using several innovative AppWeb technologies and existing standard technologies

• Server-side JavaScript

• Embedded Server Pages™

• Embedded Gateway Interface™

• Open Modular Architecture

• Common Gateway Interface

The AppWeb server runs as a stand-alone program. On Windows, it runs as a system service and on Linux/Unix it runs as a system daemon.

Server-side JavaScript

JavaScript or ECMAScript (ECMA-262) has typically been implemented in the client. However, it is ideally suited for embedded use on the server. AppWeb supports a subset of ECMAScript that is fast and compact.

Embedded Server Pages (ESP)

Embedded Server Pages are server side JavaScripted HTML pages that allow direct binding between the JavaScript procedures and logic routines in your application.

The Embedded Gateway Interface is one of a set of modern replacements for the venerable Common Gateway Interface (CGI). CGI suffers from several deficiencies that make it a poor choice for creating dynamic user interfaces in embedded applications:

• Cannot view the page layout at design time

• Very slow

• Large demand on system resources

• Additional programs and interfaces need securing

The Embedded Server Pages technology remedies these shortcomings by allowing you to use page layout programs such as Dreamweaver while still retaining the ability to generate dynamic content within the page via server-side JavaScripting.

Embedded Gateway Interface (EGI)

The Embedded Gateway Interface is a modern replacement for the Common Gateway Interface (CGI) when it is used to process form data. Using CGI for form data suffers from many of the same deficiencies it exhibits when it is used to generate page data. In addition, it provides a very low level interface that does not assist the developer when decoding query or posted data.

The Embedded Gateway Interface remedies these shortcomings by allowing an equivalent of in-process CGI. Form URLs may be bound directly to EGI code routines that will be called when the form is posted. AppWeb further assists by decoding query arguments and providing hashed lookup to all environment data variables.

Open Modular Architecture

AppWeb supports dynamically loadable modules so that new content handlers, scripting engines and page generation environments can be easily added. The existing mechanisms: ESP and EGI have been developed as loadable modules so that they are only loaded if required. Scripting engines such as PHP are also being created as loadable modules.

Common Gateway Interface (CGI)

Should you need to support existing code bases that use CGI, AppWeb provides a high performance CGI implementation.

Embedding the HTTP Server

When embedding the AppWeb HTTP server in an application, all the features of the stand alone AppWeb server are available. As required the SSL, Authentication, Embedded Server Pages, Embedded Gateway Interface, CGI and other dynamic modules will be loaded into the application.

To embed the AppWeb HTTP server or client in an application is easy and requires from 10 lines of code to integrate and activate. Because AppWeb is configured primarily by using an Apache style ASCII configuration file, initialization by code is not necessary. This also eases administration as the server configuration may be modified in the field if required.

To make AppWeb easy to embed, it supports a wide variety of Programming Paradigms. This includes support for C and C++, single and multithreaded programs and a variety of different event mechanisms.

Threading Model

The AppWeb HTTP server can run either single threaded or multithreaded and the threading mode can be selected at run-time by your application. Further, you can set the number of threads to be used by AppWeb depending on the anticipated scale of your application.

AppWeb can fully expose its event loop if needed so that it can be integrated with existing application event mechanisms. It supports the following event processing mechanisms:

• Polled

• POSIX select

• Service thread

• Windows messages
  

Debugging Support
The AppWeb HTTP server includes a powerful debug logging facility and is fully instrumented to log trace information. This can be invaluable in debugging ESP code logic or new AppWeb handlers that you may have written.

Samples

An extensive suite of samples is provided. See the Programming Samples document for details..

Security

Most HTTP servers have become more secure by a painful process of discovery. While it is no guarantee, developing a HTTP server to be secure by design is easier than trying to engineer security in after the fact. Securing embedded HTTP servers is even more difficult as it must be done without increasing memory footprint or damaging performance.

Mbedthis Portable Runtime (MPR)

AppWeb has been designed to be secure from the foundation by using the Mbedthis Portable Runtime (MPR). The MPR is a cross-platform layer that permits over 97% of the AppWeb code to be portable. It includes a safe string and buffer handling module to help the eliminate buffer overflows that have plagued so many products recently. It also warns when any unsafe (traditional) C API functions are used.

Sandboxing

The AppWeb HTTP server closely controls its use of system resources via a technique known as "sandboxing". This means running the web-server within tightly controlled limits so that script errors or web server bugs will not compromise system operation. AppWeb has also been hardened against several common denial of service attacks.

AppWeb can be configured to:

• Preallocate memory and not grow beyond predefined memory limits

• Reject requests that are too large

• Reject URLs that are too long

• Run single-threaded or use a pool of reusable threads to service requests

• Be run by a designated user account or user group

To build on this foundation, AppWeb provides Secure Sockets Layer and Digest authentication.