
Introducing OpenBSD's httpd [pdf] - tosh
http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf
======
mapgrep
Color me old and skeptical about "simple," "lightweight" web servers. Does
anyone else remember when nginx was touted as the "lightweight" replacement
for Apache because Apache was often "overkill"? (e.g.
[http://arstechnica.com/business/2011/11/a-faster-web-server-...](http://arstechnica.com/business/2011/11/a-faster-web-server-ripping-out-apache-for-nginx/) )

Now it's this new httpd that is lighter than bloated nginx.

So, maybe nginx and apache and all the other webservers out there are too big
and bloated and sloppy, despite being written by smart people and used to
deliver many many performant websites. That's possible.

But it is also possible that, because programmers love to start from scratch
and reinvent the wheel rather than reading and understanding other people's
code and rather than researching other domains, they tend to create weak web
servers and tout them as "lightweight" until eventually they either die or
evolve to be useful to people who actually understand the nuances of serving
resources over the web, at which point they get accused of "featuritis" and
the cycle repeats.

(See also
[http://www.joelonsoftware.com/articles/fog0000000020.html](http://www.joelonsoftware.com/articles/fog0000000020.html))

~~~
detaro
At least for now they seem to be very fixed on just providing a very basic
server and not trying to cover as many use cases. (see their bugtracker for
what counts as "featuritis":
[https://github.com/reyk/httpd/issues?q=label%3Afeaturitis](https://github.com/reyk/httpd/issues?q=label%3Afeaturitis)
)

~~~
ah-
> I add the label "featuritis" to remind us of extra features (eg. ldap) that
> we reject now but might want to reinspect later.

That sounds absolutely reasonable and like a good policy.

------
nickysielicki
I'm excited. This is perfect for 98% of people. And apache and nginx are
always available for the 2% of people that need to do something more
complicated.

Confs look familiar, and it's lightweight and will be secure. Perfect.

~~~
jedisct1
But no HTTP2.

~~~
nickysielicki
I sincerely doubt HTTP2 qualifies as featuritis.

It's young; not expected to be base until this fall. Give it a few months and
you'll see it in there.

------
imurray
The corresponding paper was posted recently, and there were a lot of comments:
[https://news.ycombinator.com/item?id=9202039](https://news.ycombinator.com/item?id=9202039)

------
riledhel
If you're never going to use this, it's a nice reading anyway. Goes over their
major concerns, their problems with other companies/OSS groups and the design
of their solution.

------
hsivonen
I had hoped that an effort to replace nginx would use Rust and support HTTP/2.

~~~
Sanddancer
Rust doesn't support anywhere near the number of platforms OpenBSD does, and
has portions written under the Apache 2 license, which has terms that the
OpenBSD team disagree with. So the chances of any Rust code ending up in
OpenBSD anytime soon are slim to none.

~~~
kibwen
Correction: all of the Rust compiler is dual-licensed under _both_ MIT and
Apache 2. If you distribute the Rust compiler yourself, this means that you
can pick one license or the other or both. You can also retroactively defer
the choice of license until a legal challenge appears, at which point you can
collapse the license superposition to your liking. This is the whole point of
dual-licensing!

------
tosh
Design and implementation starts at page 9.

------
AceJohnny2
I don't know OpenBSD's history vis-a-vis webservers, and these slides aren't
clear about why they needed to build their own.

As a random guess, is it because Apache focuses on features, nginx on speed,
and OpenBSD wanted a focus on security?

~~~
feld
Apache:

OpenBSD was stuck on Apache 1.3 for ages because the license changes for
Apache 2.0+ were incompatible. They also ended up maintaining their own fork
for quite a while because patches to improve security were not being accepted
upstream (I think)

Nginx:

License is fine, but it's getting feature bloat and the local patchset was
getting unwieldy.

Conclusion: roll your own httpd that way you don't have to deal with this
anymore.

~~~
mlinksva
Not really following OpenBSD, I didn't realize they considered Apache 2
license unacceptable til reading the above. For anyone else curious about the
initial discussion of this, it took me some browsing to find
[http://marc.info/?l=openbsd-misc&m=107714762916291&w=2](http://marc.info/?l=openbsd-misc&m=107714762916291&w=2) (2004)

------
talles
> The situation of nginx in OpenBSD frustrated me

What situation?

~~~
notacoward
"It wasn't invented here."

~~~
easytiger
Don't know why you are being downvoted, that is a huge amount of the
motivation behind OpenBSD's innovations.

~~~
nickysielicki
Did you even RTFA? They wanted to continue using nginx.

~~~
easytiger
Exactly, they want to appropriate it and improve it in line with their
philosophy. That isn't incompatible with my comment.

~~~
nickysielicki
That would be forking, no?

They're not appropriating it. They're just creating another reverse proxy.

