Lighttpd Modules I'd Like to See

I fully admit it:  I really hate deploying the Apache Webserver.  It's a convoluted mish-mash of modules and versions that miraculously get bundled up into a source-code tarball for developers to work with.  Seriously, who's got the time to deal with lengthy manuals and fine-tuning all the gory details?  While the Apache Webserver is considered the big 800-Pound Gorilla in this industry, a developer needs to ask:  how many websites and software projects really need all that powerful configurability?

Thankfully, there are a lot of slimmer, light-weight alternatives that simply do the job of serving static webpages, and are still capable of proxying dynamic content requests to Web Applications.  Lighttpd is one such alternative, and is the favorite of many active Ruby on Rails developers in the Rails Community.

There's still a lot that could be added to Lighttpd in order to make it a REALLY appealing lightweight replacement for the Apache Webserver, and these are some of the modules I'd like to see built in order to make that a reality some day.  If I have the time and resources, I'd like to personally explore options and build some of these modules:

NTLM Authentication (aka "Integrated Windows Authentication") 

Lighttpd needs to behave well in a Microsoft environment, and silently accept the User's Credentials.  This is particularly important for web applications that have some sort of Access Control or Audit Trail.

Subversion-compatible WebDAV Operations

There is partial WebDAV support in Lighttpd that (I believe) is just enough to support tools like Microsoft FrontPage.  (Good grief, is anyone still using that atrocity in this day and age?  Yikes!!)  Subversion is a fantastic revision-control suite, in which the repositories can be served via Apache Webserver and the Subversion-specific extensions to their WebDAV module.  For me, Lighttpd's inability to natively host a Subversion Repository is the only reason why I continue to keep Apache Webserver around on some of my Internet Servers.

 

NTLM Authentication for Lighttpd

I took a stab at this, but my last few weekends were tied up. There are two versions that I'll be working on, if nobody else finishes them before I do. :o) The first version is VERY TRIVIAL and just gets the user-id credentials from the Browser. (Ignoring the Triple-DES encrypted password). It's intended to scratch the NTLM-Authentication itch and allow Lighttpd to do an NTLM-ish authentication. You'd still need to use the Lighttpd-supported backends like htpasswd.

The next version is more ambitious and "functionally correct". It'll talk to a Domain Controller (or at least a Windows machine) and proxy the credentials between the user's web browser and itself. The nonce used for the Triple-DES encryption is generated by the Domain Controller, so there's no risk of a "man in the middle" attack. We'll still inspect the user's credentials, but we'll only trust them if the Domain Controller tells us that the user is authenticated.
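What the "trivial" first version amounts to, as an added example (not the author's module or Lighttpd code): pulling the UserName field out of a base64-decoded NTLM type 3 message with every offset bounds-checked. The function names are hypothetical, the sample message is constructed, and a 64-byte header with ASCII-only names is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t le(const uint8_t *p, int n) {   /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Copy UserName from a decoded NTLM AUTHENTICATE (type 3) message into out.
 * Returns its length, or -1 if malformed. Nothing here checks the response. */
int ntlm_type3_user(const uint8_t *m, size_t len, char *out, size_t outsz) {
    if (len < 64 || memcmp(m, "NTLMSSP", 8) != 0 || le(m + 8, 4) != 3) return -1;
    size_t flen = le(m + 36, 2), off = le(m + 40, 4);  /* UserNameFields */
    size_t step = (le(m + 60, 4) & 1) ? 2 : 1;         /* NEGOTIATE_UNICODE: UTF-16LE */
    if (off < 64 || off > len || flen > len - off || flen % step)
        return -1;                                     /* field must sit inside the message */
    size_t n = flen / step;
    if (n == 0 || n >= outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *c = m + off + i * step;
        if (c[0] < 0x20 || c[0] > 0x7e || (step == 2 && c[1] != 0))
            return -1;                                 /* ASCII only in this sketch */
        out[i] = (char)c[0];
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: header plus a UTF-16LE UserName; claimed = Len field. */
size_t sample_type3(uint8_t *b, const char *user, unsigned claimed) {
    size_t n = strlen(user);
    memset(b, 0, 64 + 2 * n);
    memcpy(b, "NTLMSSP", 8);
    b[8] = 3;  b[40] = 64;  b[60] = 1;   /* type, UserName offset, UNICODE flag */
    b[36] = (uint8_t)claimed;  b[37] = (uint8_t)(claimed >> 8);
    for (size_t i = 0; i < n; i++) b[64 + 2 * i] = (uint8_t)user[i];
    return 64 + 2 * n;
}

int main(void) {
    uint8_t msg[128]; char user[32];
    size_t len = sample_type3(msg, "alice", 10);
    printf("%d\n", ntlm_type3_user(msg, len, user, sizeof user));  /* honest length */
    len = sample_type3(msg, "alice", 4000);
    printf("%d\n", ntlm_type3_user(msg, len, user, sizeof user));  /* lying length */
    return 0;
}
```

A name returned here is only the client's claim; it becomes an identity only once the challenge response has been validated, which is the step the second version leaves to the Domain Controller.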

Beyond that, maybe a future version will query the Domain Controller for the NT Groups that the user belongs to. Lighttpd itself doesn't yet implement Groups, though, so I'm going to hold off on that. I figure Lightty's LDAP implementation is slated for Group support. With that in mind, I'll wait to see how that looks and then add my NTLM enhancements to that.

There are no definite timelines on this yet, as I'm totally swamped between work and these personal projects. (Lots of stuff to get out of the way for Xbox Fedora, for starters.. *sigh*) The first phase is really *REALLY* trivial to build, though.. shouldn't take more than 3 days of dedicated effort to develop - with most of the effort in TESTING the darn thing..

About the best estimate I can give for this module would be in mid March for the Trivial version; then mid April for the "Correct" version. (Assuming all goes smoothly with XFedora5..)

Subversion WebDAV Module for Lighttpd

I'd *LOVE* to be able to ditch the bloat of Apache2 in favor of running Subversion under Lighttpd. This way, I'd have all the benefits of Subversion, all while having all the gory Authentication handled by the Web Server implementation. It is one of the two barriers that prevent me from achieving my ideal environment.

Surely, I'm not the only one thinking this, so I'm hoping that someone else is working on this. The only reason I'm working out the NTLM authentication stuff now is because I had worked on similar NTLM authentication stuff for my SSH Tunnel to go through a Microsoft Proxy Server.

User Comments and Feedback

Comment by mike503@gmail.com on Wed Nov 7 15:02:22 2007

I would really really like the NTLM module that talks to a domain controller to be completed. What can we do to rally support/get you motivated? Want cash? :P

Did you ever get anywhere

Did you ever get anywhere with this? I'd like to have the basic "get credentials" version for something I'm working on. Thanks.