From: Blaine
Subject: Modlisp for newbies by a newbie
Date: 
Message-ID: <1150401300.410230.238140@u72g2000cwu.googlegroups.com>
I've written a little document that lists the steps I took to get the
following working together:

* Apache 2.x
* Marc Battyani's mod_lisp
* Kevin Rossenberg's cl-modlisp
* Some examples from Peter Seibel's Practical Common Lisp (PCL) Chapter
26

I hope it's at least a little bit helpful to someone.  Apologies in
advance for oversights.  Critique is appreciated!

http://www.blaino.com/guide/modlisp-pcl-guide.html

- Blaine

From: Rob Warnock
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <yYmdna1Ut4Sw5A_ZnZ2dnUVZ_t2dnZ2d@speakeasy.net>
Blaine <·············@hotmail.com> wrote:
+---------------
| I've written a little document that lists the steps I took to get the
| following working together:
| * Apache 2.x
| * Marc Battyani's mod_lisp
| * Kevin Rossenberg's cl-modlisp
| * Some examples from Peter Seibel's Practical Common Lisp (PCL) Chapter 26
| I hope it's at least a little bit helpful to someone.
+---------------

Looks useful! Do you know how hard it is to get it to work with
local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
Many people prefer to use that when the Lisp process is on the
same server as Apache, to avoid the risks of having yet another
AF_INET socket open (the "port 3000" in your example).


-Rob

-----
Rob Warnock			<····@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
From: Blaine
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <1150458410.931550.300570@r2g2000cwb.googlegroups.com>
Rob,

Alas, I have no idea what you're talking about, but it does sound like
something I need to know.  My colleague has a big stack of Apache books
on her desk.  I'll check it out.

- Blaine

Rob Warnock wrote:
> Blaine <·············@hotmail.com> wrote:
> +---------------
> | I've written a little document that lists the steps I took to get the
> | following working together:
> | * Apache 2.x
> | * Marc Battyani's mod_lisp
> | * Kevin Rossenberg's cl-modlisp
> | * Some examples from Peter Seibel's Practical Common Lisp (PCL) Chapter 26
> | I hope it's at least a little bit helpful to someone.
> +---------------
>
> Looks useful! Do you know how hard it is to get it to work with
> local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
> Many people prefer to use that when the Lisp process is on the
> same server as Apache, to avoid the risks of having yet another
> AF_INET socket open (the "port 3000" in your example).
>
>
> -Rob
>
> -----
> Rob Warnock			<····@rpw3.org>
> 627 26th Avenue			<URL:http://rpw3.org/>
> San Mateo, CA 94403		(650)572-2607
From: Rob Warnock
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <wbWdneKccsgGQQ7ZnZ2dnUVZ_qOdnZ2d@speakeasy.net>
Blaine <·············@hotmail.com> wrote:
+---------------
| Rob Warnock wrote:
| > Looks useful! Do you know how hard it is to get it to work with
| > local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
| > Many people prefer to use that when the Lisp process is on the
| > same server as Apache, to avoid the risks of having yet another
| > AF_INET socket open (the "port 3000" in your example).
| 
| Alas, I have no idea what you're talking about, but it does sound like
| something I need to know.  My colleague has a big stack of Apache books
| on her desk.  I'll check it out.
+---------------

Local-domain sockets are an operating-system thing rather than an
Apache thing per se, though an Apache module may certainly use them.
With a local-domain socket, both ends of the connection can *only*
be on the same system, and the filesystem namespace is used for
rendezvous rather than IP addresses/ports. See the manpage "unix(4)"
[on BSD, "unix(7)" on Linux]:

    The UNIX-domain protocol family is a collection of protocols
    that provides local (on-machine) interprocess communication
    through the normal socket(2) mechanisms. The UNIX-domain family
    supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
    filesystem pathnames for addressing.
    ...
    Binding a name to a UNIX-domain socket with bind(2) causes a
    socket file to be created in the filesystem.  This file is not
    removed when the socket is closed -- unlink(2) must be used to
    remove the file.
    ...
    Normal filesystem access-control mechanisms are also applied
    when referencing pathnames; e.g., the destination of a connect(2)
    or sendto(2) must be writable.

Because of this, you can arrange that only local (same machine)
client programs with specific UIDs or GIDs (e.g., Apache, if you
so choose) can connect to your server.

The following may be helpful as well:

    http://www.gnu.org/software/libc/manual/html_node/Local-Namespace.html
    http://www.gnu.org/software/libc/manual/html_node/Local-Namespace-Concepts.html


-Rob

p.s. Hmmm... Oops! I just looked at
<http://www.fractalconcept.com:8000/public/open-source/mod_lisp/mod_lisp2.c>,
and it doesn't appear to support local-domain sockets. Oh well, never mind... (*sigh*)

-----
Rob Warnock			<····@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
From: Tim X
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <87k67fp5ck.fsf@tiger.rapttech.com.au>
····@rpw3.org (Rob Warnock) writes:

> Blaine <·············@hotmail.com> wrote:
> +---------------
> | Rob Warnock wrote:
> | > Looks useful! Do you know how hard it is to get it to work with
> | > local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
> | > Many people prefer to use that when the Lisp process is on the
> | > same server as Apache, to avoid the risks of having yet another
> | > AF_INET socket open (the "port 3000" in your example).
> | 
> | Alas, I have no idea what you're talking about, but it does sound like
> | something I need to know.  My colleague has a big stack of Apache books
> | on her desk.  I'll check it out.
> +---------------
>
> Local-domain sockets are an operating-system thing rather than an
> Apache thing per se, though an Apache module may certainly use them.
> With a local-domain socket, both ends of the connection can *only*
> be on the same system, and the filesystem namespace is used for
> rendezvous rather than IP addresses/ports. See the manpage "unix(4)"
> [on BSD, "unix(7)" on Linux]:
>
>     The UNIX-domain protocol family is a collection of protocols
>     that provides local (on-machine) interprocess communication
>     through the normal socket(2) mechanisms. The UNIX-domain family
>     supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
>     filesystem pathnames for addressing.
>     ...
>     Binding a name to a UNIX-domain socket with bind(2) causes a
>     socket file to be created in the filesystem.  This file is not
>     removed when the socket is closed -- unlink(2) must be used to
>     remove the file.
>     ...
>     Normal filesystem access-control mechanisms are also applied
>     when referencing pathnames; e.g., the destination of a connect(2)
>     or sendto(2) must be writable.
>
> Because of this, you can arrange that only local (same machine)
> client programs with specific UIDs or GIDs (e.g., Apache, if you
> so choose) can connect to your server.
>
> The following may be helpful as well:
>
>     http://www.gnu.org/software/libc/manual/html_node/Local-Namespace.html
>     http://www.gnu.org/software/libc/manual/html_node/Local-Namespace-Concepts.html
>
>
> -Rob
>
> p.s. Hmmm... Oops! I just looked at <http://www.fractalconcept.com:8000/
> public/open-source/mod_lisp/mod_lisp2.c>, and it doesn't appear to support
> local-domain sockets. Oh well, never mind... (*sigh*)
>
> -----

From memory, cl-sql has two operating modes for postgres and it's
probably similar for other databases like mysql. The first method uses
the postgres API and the second uses network ports. It's been a while,
but I think the decision as to which is used depends on the database
descriptor specification used in the connection procedure. I could
easily be wrong as it has been over 12 months since I last used
cl-sql.

Tim

-- 
tcross (at) rapttech dot com dot au
From: Rob Warnock
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <5qudnQq6_8scxgvZnZ2dneKdnZydnZ2d@speakeasy.net>
Tim X  <····@nospam.dev.null> wrote:
+---------------
| ····@rpw3.org (Rob Warnock) writes:
| > The following may be helpful as well:
| >     http://www.gnu.org/software/libc/manual/html_node/Local-Namespace.html
|
| http://www.gnu.org/software/libc/manual/html_node/Local-Namespace-Concepts.html
+---------------

Yes, well, I assumed he would visit all three links on the first page.

+---------------
| > p.s. Hmmm... Oops! I just looked at <http://www.fractalconcept.com:8000/
| > public/open-source/mod_lisp/mod_lisp2.c>, and it doesn't appear to support
| > local-domain sockets. Oh well, never mind... (*sigh*)
| 
| From memory, cl-sql has two operating modes for postgres and it's
| probably similar for other databases like mysql. The first method uses
| the postgres API and the second uses network ports.
+---------------

Eric Marsden's PG speaks the PostgreSQL socket protocol directly,
but supports both Internet domain (AF_INET a.k.a. IP/TCP) sockets
and local-domain (AF_LOCAL/AF_UNIX) sockets, depending on the 'host'
parameter you supply. Oh, and by the way, if you use some FFI to the
PostgreSQL library API, you still end up using sockets, since that's
how the C client library talks to the server.


-Rob

-----
Rob Warnock			<····@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
From: Thomas F. Burdick
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <xcv7j3h8fjr.fsf@conquest.OCF.Berkeley.EDU>
····@rpw3.org (Rob Warnock) writes:

> Blaine <·············@hotmail.com> wrote:
> +---------------
> | I've written a little document that lists the steps I took to get the
> | following working together:
> | * Apache 2.x
> | * Marc Battyani's mod_lisp
> | * Kevin Rossenberg's cl-modlisp
> | * Some examples from Peter Seibel's Practical Common Lisp (PCL) Chapter 26
> | I hope it's at least a little bit helpful to someone.
> +---------------
> 
> Looks useful! Do you know how hard it is to get it to work with
> local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
> Many people prefer to use that when the Lisp process is on the
> same server as Apache, to avoid the risks of having yet another
> AF_INET socket open (the "port 3000" in your example).

If you trust the other users on your server, and you bind the socket
to the loopback interface, you're not risking anything.  I would bet
that cl-modlisp already does this, but if not it should be pretty
simple to change.
From: Rob Warnock
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <ybqdnVmfcansQw7ZnZ2dnUVZ_rmdnZ2d@speakeasy.net>
Thomas F. Burdick <···@conquest.OCF.Berkeley.EDU> wrote:
+---------------
| ····@rpw3.org (Rob Warnock) writes:
| > Looks useful! Do you know how hard it is to get it to work with
| > local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
| > Many people prefer to use that when the Lisp process is on the
| > same server as Apache, to avoid the risks of having yet another
| > AF_INET socket open (the "port 3000" in your example).
| 
| If you trust the other users on your server, and you bind the socket
| to the loopback interface, you're not risking anything.  I would bet
| that cl-modlisp already does this, but if not it should be pretty
| simple to change.
+---------------

True, but if you *don't* trust the other users on your server,
local-domain sockets can still be used to protect against them.
As it says in "unix(4)" [FreeBSD, or "unix(7)" on Linux]:

    Normal filesystem access-control mechanisms are also applied
    when referencing pathnames; e.g., the destination of a connect(2)
    or sendto(2) must be writable.

[Note: Some operating systems ignore filesystem permissions for
local-domain sockets; in this case controlling access to the
enclosing directory can be used for protection.]


-Rob

-----
Rob Warnock			<····@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
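An added example of the protection Rob describes here and in his earlier post (this is illustrative C, not code from mod_lisp or cl-modlisp; the socket path is a placeholder under /tmp): the listener puts the socket file in a 0700 directory, so access is controlled even on systems that ignore the socket file's own mode, and a umask of 0177 makes the socket file itself 0600; a client in the same process then reaches it by pathname, exactly as connect(2) on a local-domain socket works.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

static void fill_addr(struct sockaddr_un *a, const char *path) {
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof a->sun_path - 1);  /* sun_path is ~100 bytes */
}

/* Listen on a local-domain socket that only the owning UID can reach: the
 * enclosing directory is forced to 0700 (for systems that ignore the socket
 * file's mode) and umask 0177 makes the socket file 0600. Returns fd or -1. */
int bind_private_socket(const char *dir, const char *path) {
    struct sockaddr_un addr;
    fill_addr(&addr, path);
    mkdir(dir, 0700);                        /* may already exist */
    if (chmod(dir, 0700) == -1) return -1;   /* tighten a pre-existing dir */
    unlink(path);  /* the socket file survives close(2); clear a stale one */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    mode_t old = umask(0177);                /* 0777 & ~0177 == 0600 */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc == -1 || listen(fd, 8) == -1) { close(fd); return -1; }
    return fd;
}

/* Permission bits of a filesystem entry (e.g. 0600), or -1 if absent. */
int path_mode(const char *path) {
    struct stat st;
    return stat(path, &st) == -1 ? -1 : (int)(st.st_mode & 0777);
}

/* Client connect(2) by pathname; one byte is sent and read back by the server.
 * Returns 1 on success; closes the listener and unlinks the socket file. */
int local_roundtrip(int srv, const char *path) {
    struct sockaddr_un addr;
    char c = 0;
    int ok = 0, conn = -1, cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli != -1 && (fill_addr(&addr, path), 1) &&
        connect(cli, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        (conn = accept(srv, NULL, NULL)) != -1 &&
        write(cli, "L", 1) == 1 && read(conn, &c, 1) == 1)
        ok = (c == 'L');
    if (conn != -1) close(conn); if (cli != -1) close(cli);
    close(srv); unlink(path);
    return ok;
}
```

A process running under a different UID (for example Apache's worker user, if it is not the Lisp user) gets EACCES from connect(2) on this path, which is the point of the filesystem-based rendezvous.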
From: Thomas F. Burdick
Subject: Re: Modlisp for newbies by a newbie
Date: 
Message-ID: <xcv3be18s8j.fsf@conquest.OCF.Berkeley.EDU>
····@rpw3.org (Rob Warnock) writes:

> Thomas F. Burdick <···@conquest.OCF.Berkeley.EDU> wrote:
> +---------------
> | ····@rpw3.org (Rob Warnock) writes:
> | > Looks useful! Do you know how hard it is to get it to work with
> | > local-domain (a.k.a. Unix-domain) sockets (AF_LOCAL or AF_UNIX)?
> | > Many people prefer to use that when the Lisp process is on the
> | > same server as Apache, to avoid the risks of having yet another
> | > AF_INET socket open (the "port 3000" in your example).
> | 
> | If you trust the other users on your server, and you bind the socket
> | to the loopback interface, you're not risking anything.  I would bet
> | that cl-modlisp already does this, but if not it should be pretty
> | simple to change.
> +---------------
> 
> True, but if you *don't* trust the other users on your server,

Then you have a very unusual web hosting setup.  Userspace Linux,
FreeBSD jails, and co-lo boxes are so inexpensive nowadays, it's hard
to imagine why you'd have the space and resources to run Apache, and
to develop a Lisp web-app, *and* be sharing your machine with others.
I don't think it's a big problem if a web framework leaves it up to
you to solve that -- they should concentrate on the normal case, and
making the framework easy to hack for weirdos with crazy setups.

(I actually did have to develop a web application for deployment on a
shared-user system a few years ago, and even then it was getting absurd.)

> local-domain sockets can still be used to protect against them.
> As it says in "unix(4)" [FreeBSD, or "unix(7)" on Linux]:
> 
>     Normal filesystem access-control mechanisms are also applied
>     when referencing pathnames; e.g., the destination of a connect(2)
>     or sendto(2) must be writable.
> 
> [Note: Some operating systems ignore filesystem permissions for
> local-domain sockets; in this case controlling access to the
> enclosing directory can be used for protection.]

Yes, they work quite nicely in a Unix-friendly manner, quite unlike
inet sockets.  And not just the semantics for read/write/connect, but
it's nice having non-crazy rules about who can bind what.