Planning an Internet-facing https webserver using uhttpd - comments?
-
Hi all,
After a long break I've ordered an Omega 2Pro for my next project. I want to set up an Internet-facing low-traffic web server using the onboard uhttpd and add a LetsEncrypt cert to it to provide https. This has been inspired by an earlier project based on Piratebox - I ran a DLNA server on a 2+ and it worked really well. Eventually the device may be solar-powered. From what I've read, I'll probably have to create certs manually on a different machine and copy the certs over.
So, based on your knowledge of these things, should I be using uhttpd in this way? I have extensive experience of lighttpd and nginx, but these would probably be overkill, and I don't need PHP.
Any comments/questions welcome!
-
@peter-garner-0 I have a large number of IoT devices running on Omega2+ and 2S+, so I have agonised over this same question myself. Initially I used uhttpd for both the LAN and WAN, until my first DDoS attack. uhttpd fell over in seconds, I brought it back up and it fell over immediately, I brought it back up and it fell over in a few seconds, I brought it back up and it fell over in a few seconds ... repeat, repeat, repeat....
I quickly configured nginx to face the WAN and reconfigured uhttpd to face the LAN. It took about 15 minutes for the DDoS to bring down nginx, I restarted it several times and each time the DDoS took between 10 and 15 minutes to kill nginx. nginx is architecturally superior IMHO but maybe overkill for many IoT solutions. If you run nginx on Omega you can kill the worker process but you'll notice it has a supervisor thread that will kick off a new worker. If you kill uhttpd, it's dead and buried.
Like any network solution it is "horses for courses", I prefer to protect the web server from a DoS/DDoS using the firewall, so the web server can live in nirvana. If this is not an option for you I would recommend nginx if you feel that your device will be exposed to the ugly world of the internet.
The price for this additional "security" of service is a little less RAM and a little less CPU, but IMHO a non-functional device with 100% available RAM and 100% CPU but your app is not functional is about as useful as tits on a bull.
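One way to do what the post above describes (protect the web server with the firewall rather than leaving it to uhttpd or nginx) on the Omega2's OpenWrt-based firmware, as an added example that is not from either poster: a rule in /etc/config/firewall that only accepts WAN traffic to port 443 up to a limited rate, so a flood of new connections falls through to the WAN zone's default reject before it ever reaches the web server. The zone name `wan`, its REJECT input policy and the rate values are assumptions to adjust for your setup.

```text
# /etc/config/firewall (added fragment, not the stock file)
# Assumes the default 'wan' zone whose input policy is REJECT, so any
# packet this rule does not accept is answered by the firewall, not uhttpd/nginx.
config rule
        option name 'Allow-HTTPS-ratelimited'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'
        # Established/related connections are accepted earlier in the zone chain,
        # so the limit effectively applies to new connection attempts (SYNs).
        # 20 new connections per second with a burst of 50 is an assumed value;
        # size it to the traffic you actually expect on a low-traffic server.
        option limit '20/sec'
        option limit_burst '50'
```

Apply with `/etc/init.d/firewall restart`, then check `iptables -L -v` (or `nft list ruleset` on fw4-based builds) to confirm the limit match is present and watch its counters while the server is under load.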
-
@crispyoz Man thanks for this! I get regular DDoS attacks on my other home-hosted servers, so there's no reason to expect my little Onion device to escape, unfortunately.
I'll check out Nginx when I get the 2Pro and I'll also try lighttpd as well as that seems to have a low resource requirement. The device will only be running the web server and SSH so I don't anticipate too many resource issues, but we'll see!
I'll post something here when it's up and running!