thttpd - tiny/turbo/throttling HTTP server was #7 thttpd is a simple, small, portable, fast, and secure HTTP server available from Acme.com, The ACME Labs freeware library, think of Wile E. Coyote and the Road Runner. Web Server Comparisons from: http://acme.com/software/thttpd/benchmarks.html last updated 12jul98. software name: thttpd Apache version: 2.03 1.3.0 released: 11jul98 05jun98 active devel: yes yes features model: select pre-fork auto conf: yes yes basic auth: yes yes chroot: yes no throttling: yes no size tar bytes: 406,016 4,925,440 source files: 20 149 source lines: 7,229 73,381 exe: 49,584 397,152 RPS - maximum requests per second. This is determined by running the test load at various parallel-request rates and finding the maximum response rate. Small files - the small-file test load consists of 1000 files, each 1KB long, requested randomly. 720 250 CGI - the CGI test load consists of a trivial "hello world" C program. 100 90 Max users - maximum number of simultaneous users that can be handled. This is determined by running the test load at various parallel-request rates and seeing when it starts screwing up. Typical screw ups are running out of memory or processes, so that requests start timing out or getting refused. Large files - the large-file test load consists of 100 files, each 1MB long, requested randomly. Also, each connection is throttled to simulate a 33.6Kbps modem. Note that 1000 33.6Kbps connections is 3/4 of a T3. 1000+ 150 Notes: Software - which web server. Name - the name of the server. Version - the version tested here. Released - when it was released. Active devel - whether it is currently under development. Features - some key server features. Model - what kind of server it is. The models are: fork - start a new process for each request. pre-fork - pre-start a pool of processes which each handle multiple requests. threads - use threads instead of processes. Java threads - this version of the Java runtime uses "Green threads" instead of native threads, so it acts more like the select-based servers. select - use non-blocking I/O and the select() system call to handle multiple requests in a single process, single thread. Auto-conf - whether there's a script to automatically configure the build process for your OS. Basic auth - whether the server supports Basic Authentication, for password-protected web pages. Chroot - whether the server lets you use the chroot() system call to enhance security. Throttling - the ability to set bandwidth limits on certain pages, so they don't use more than their fair share of the server's resources. Size - various sizes of parts of the server Tar bytes - the uncompressed source tarchive size. Source files - how many source and header files. Source lines - how many lines in the source and header files. Exe - the executable size. For the compiled program this is size of the main executable file, stripped. The benchmark test system is a 297MHz Ultra Sparc with 256MB RAM / 512MB swap running Solaris 2.6, otherwise totally quiescent. RLIMIT_NOFILE is 256 soft / 1024 hard, and v.v_maxup is 3941. The test loads were generated on a separate machine connected via 100 Megabit ethernet (12jul98). The test client is http_load, doing multiple requests in parallel, with check summing enabled. All the test runs were done at least twice on different days, and all the shapes and inflection points etc. proved to be completely repeatable. All programs are in their out-of-box configuration, except as needed for the tests (e.g. enabling CGI). * With the Raspberry Pi 3s and 4s being much faster than the computers from 1998 and having the capability to run either 32 or 64 bit OSs and a 1 gigabit ethernet connection, even though the 3s are limited to less, it will be interesting to see how much better the benchmarks are for these computers when running thttpd and Apache. Back in 2004, when I was trying to set up a World Wide Web site, I tried Apache and didn't make it through the config file. Some how I ran across "thttpd" from Acme.com and in no time I had a secure World Wide Web site up and running. My config file for thttpd is: 1 # /usr/local/www/thttpd_config 2 dir=/usr/local/www 3 chroot #chroot jail 4 data_dir=users 5 #vhost # if you use a domain name you will have to uncomment (remove the # at the beginning) and then make a "user" directory using your external IPv4 address (xxx.xxx.xxx.xxx) and inside this directory make symbolic links back up to your other files in "users" (../"user-name"). 6 cgipat=**.cgi 7 logfile=/usr/local/www/logs/thttpd_log 8 pidfile=/var/run/thttpd.pid 9 # The vhost line is there because using vhost will add an extra field to the address which shows up in the log file. thttpd is safe enough that even a 3rd or 4th grader should be able to set up a World Wide Web server that is bullet proof! since the files are read only out of the box. thttpd is also able to run CGI programs which could open up the site to being compromised. I have manually loaded my log files for my web site, http://162.250.19.7/ac0xl/logs/, which is running on a Raspberry Pi 3B and using a 1TB 3.0 USB hard drive, so one can see what type of pounding a web site connected to the internet is likely to receive! My internet connection is throttled to 2 megabits/sec download and 1 megabits/sec upload since it is the entry level package. thttpd will restart in 10 seconds when the process is ended, and that is how the log rotate program starts the next log file: date >> thttpd_log w >> thttpd_log mv thttpd_log thttpd_log.01 date > thttpd_log w >> thttpd_log kill -usr1 `cat /var/run/thttpd.pid` # I have set up thttpd to automatically start when the computer comes on and just turn off the TV monitor so the computer can run 24/7. When I want to see if the computer is still running or to move the log files and see what has happened, I turn on the TV and then hit the shift key, space bar, or move the mouse to get the display to come back on the TV. I tried to make the install easy enough a 3rd or 4th grader should be able to install thttpd and have it running right by using "copy and paste" instructions. All of the directions are included in "freedom.zip" http://162.250.19.7/freedom/freedom.zip which will unzip into the "freedom" directory. I feel thttpd is a fantastic HTTP WWW server which the beginner can start with and copy the files they want onto the web, and then learn how to make html web pages as they learn. With thttpd running on a Raspberry Pi one can have the ethernet port set up as a static IP address and the Wi-Fi address dynamically loaded by the DHCP Server. This would let a class "C" IP address be able to handle a classroom of 250 people to be connected to each other! In this way the students can compare their different sites and get ideas of how to make their site better. The files in "freedom": 2010Website.pdf - Can you light up dark fiber? 2019-09-05-Project.txt - Bible passages, King Na'vukhadnetzar's dream of the "One World Governments," the last of "seven communities" in "Revelation" - moving from the "world" to the "local community," then to the "individual" in "John," and finally "the battle is yours." You can have your own "World Wide Web Server"! You don't have to worry about being "BANNED!" from someone else’s web site! 2019-10-01-website.txt - A little bit about my websites starting with the one in 2005, information on setting the router, and what one would need for a web site. 2019-11-26-web-server.txt - "thttpd" from Acme.com, is a simple bullet proof, from both internal and external attacks, HTTP web server that will work on a Raspberry Pi or almost any other linux based computer that even a third or fourth grader should be able to install. There are those that would like everyone to think that a web server is expensive and takes a lot of knowledge to run, so "buy your web hosting from our service," when in reality, it probably will not cost very much more than one is now spending on their internet connection, and one will be in control of everything that is on their website. 2019-12-06-Google-Search-Is-Broken.txt - The U.S. Government along with Google, and most of the world have abandoned HTTP for HTTPS. I believe most, if not all of the security problems with HTTP do not come from HTTP but from the Domain Name Service (DNS) which looks up the domain name and returns the IP address so the connection can be made. The DNS can be considered to be a phone book for the internet. With phones being landlines, Plain Old Telephone Service (POTS), the phone companies made phone books so their service could be used. With cell phones, there are no phone books. One has to gather the numbers they need and put them into their own phone book. The new thing is DoH (DNS over HTTPS) which is supposed to secure DNS. When Google, or some other entity decides to shut down the internet, all they have to do is turn off DNS and all of the domain names will go nowhere! Using HTTP with an IP address (http://xxx.xxx.xxx.xxx/ where xxx is a number between 0 - 255) will still work because IP addresses are basically hard wired! I have never used a domain name on any of my websites. 2019-12-26-Installing-thttpd.txt - When I printed this file it was 26 pages long, with 1478 lines, some of which wrap several times. The lines are numbered so one can see where they are. For the beginner one might want to print the file and check off the lines as they proceed. (320) My system for the install is an Intel Atom N270, 1 GB Memory, 250 GB HDD Dual booting with Windows 7. The Raspberry Pi will show as an ARM processor. So you have an idea of what to expect, I am including all of the printout that happens in each step. 358-360 checking ... system type will show "ARM something" for a Raspberry Pi and everything should complete OK. The steps are: (355) 1. ./configure (421) 2. make (496) 3. sudo make install So you can see the computer will generate several pages by itself as it builds the program for your processor. Look at my website http://162.250.19.7/ to get an idea of how thttpd works and how fast it runs, basically limited to 1 megabits/sec, since that is my upload speed. The old web pages are under "ac0xl/www/" which are not the greatest but some of my early pages. Since SD cards have only a limited amount of writes, it is best to move the OS from the SD card onto a hard drive when your web site goes live. Clicking the two dots ".." will take one up one level. Sample log entries: 35.224.226.217 - - [09/Jun/2020:19:38:12 +0000] "GET / HTTP/1.0" 200 25000 "" "mas scan/1.0 (https://GitHub.com/robertdavidgraham/masscan)" 167.99.40.21 - - [10/Jun/2020:05:12:24 +0000] "GET / HTTP/1.0" 200 25000 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" 204.48.16.150 - - [10/Jun/2020:21:05:48 +0000] "GET / HTTP/1.0" 200 25000 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" 191.252.193.79 - - [11/Jun/2020:06:43:28 +0000] "GET / HTTP/1.0" 200 25000 "" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" MASSCAN: Mass IP port scanner masscan(8) -- Fast scan of the Internet DESCRIPTION masscan is an Internet-scale port scanner, useful for large scale surveys of the Internet, or of internal networks. While the default transmit rate is only 100 packets/second, it can optional go as fast as 25 million packets/second, a rate sufficient to scan the Internet in 3 minutes for one port. Older write ups of this site showed that a 1 gigabit Internet connection could scan the Internet in 45 minutes for one port! Can you imagine a Raspberry Pi 4B doing that feat? http://162.250.19.7/freedom/freedom.zip Power to the People of the World! Build your own Bullet Proof World Wide Web Server!, and don’t be BANNED! Frank Anderson, ac0xl *