This application connects and forwards messages to a msgpack-rpc (TCP) server from browsers such as IE that are unable to use the WebSocket protocol.
Most browsers now support the WebSocket protocol by default, so in the near future there will be no need to use this application.
We therefore do not update this program unless a big problem occurs.
- xNix based WebServer
  - this application works only on xNix based OSes.
- autotools and libtool
  - aclocal, autoheader, automake, autoconf, libtoolize
- lex and yacc
  - flex 2.5.35 or later
  - bison 2.4.1 or later
- fastcgi C library
  - libfcgi 2.4.0 or later
- Perl Regular Expression library
  - libpcre
- lighttpd with mod_websocket (included in this repo)
  - use mod_websocket_config_parser lib

```
$ ./bootstrap
$ ./configure --with-fastcgi[=/path/to/libfcgi]
$ make clean all
$ cp app/linear_fcgi /path/to/cgi-bin/linear.fcgi
```

- Basic flow ( C is linear.js and S is linear.fcgi )

  linear.fcgi uses Content-type: application/javascript for the JSONP response,
  so linear.fcgi does not work well in IE versions prior to IE8. Refer to this stackoverflow

  ```
  C                                                              S
  | --- GET                                                      |
  |     /path/to/linear.fcgi?                                    |
  |     c=connect&ch=somechannel&f=callback -->                  |
  | <-- 200 OK                                                   |
  |     body = callback({sid: session-id-created-by-S}) ---      |
  | --- POST                                                     |
  |     /path/to/linear.fcgi                                     |
  |     body = {sid: sid-id-created-by-S,                        |
  |             data: base64-encoded-msgpack-rpc} -->            |
  | <-- 204 No Content ---                                       |
  | --- GET                                                      |
  |     /path/to/linear.fcgi?                                    |
  |     c=poll&sid=sid-id-created-by-S&f=callback -->            |
  | <-- 200 OK                                                   |
  |     body = callback({sid: sid-id-created-by-S,               |
  |                      data: base64-encoded-msgpack-rpc}) ---  |
  | --- GET                                                      |
  |     /path/to/linear.fcgi?                                    |
  |     c=disconnect&sid=sid-id-created-by-S&f=callback -->      |
  | <-- 200 OK                                                   |
  |     body = callback({sid: session-id-created-by-S}) ---      |
  ```

- Security consideration
  - HTTP Response headers
    - When using linear.fcgi, you should add some HTTP headers.
      1. X-Frame-Options
      2. X-XSS-Protection

      Refer to [List of useful HTTP headers](https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
  - CSRF
    - An evil site can't know the session id.
      The server side can also restrict origins by configuring websocket.conf for lighttpd.
  - XSS
    - linear.js does not use any eval functions.
      linear.js only passes JSON messages to applications.
  - Authentication
    - Use {Basic, Digest} auth and use SSL (https) instead of http.
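
The basic flow and the session-id and response-header points above, modelled in memory as an added example (not code from linear.fcgi or linear.js). The 128-bit random sid, the 403 for an unknown sid, the header values and the echo that stands in for the msgpack-rpc server are assumptions.

```javascript
// Added illustration, not linear.fcgi source: an in-memory model of the flow.
const crypto = require('crypto');

const sessions = new Map(); // sid -> queue of base64 msgpack-rpc frames
// Headers named under "Security consideration"; the values are assumptions.
const HEADERS = {
  'Content-Type': 'application/javascript',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
};

function reply(status, f, obj) {
  const body = obj ? `${f}(${JSON.stringify(obj)})` : '';
  return { status, headers: HEADERS, body };
}

// method: 'GET' | 'POST'; params: parsed query string (GET) or JSON body (POST).
function handle(method, params) {
  const { c, f, sid, data } = params;
  if (method === 'GET' && c === 'connect') {
    // Assumption: 128 random bits, so a third-party page cannot guess the sid.
    const newSid = crypto.randomBytes(16).toString('hex');
    sessions.set(newSid, []);
    return reply(200, f, { sid: newSid });
  }
  const queue = sessions.get(sid);
  // Assumption: a missing or unknown sid is refused with 403.
  if (!queue) return reply(403);
  if (method === 'POST') {
    queue.push(data); // stand-in for the msgpack-rpc server: echo the frame back
    return reply(204);
  }
  if (c === 'poll') return reply(200, f, { sid, data: queue.shift() || '' });
  if (c === 'disconnect') {
    sessions.delete(sid);
    return reply(200, f, { sid });
  }
  return reply(400);
}

// Walks the diagram's four steps, then reuses the sid after disconnect.
function runFlow() {
  const parse = (r) => JSON.parse(r.body.slice('callback('.length, -1));
  const sid = parse(handle('GET', { c: 'connect', ch: 'somechannel', f: 'callback' })).sid;
  // Constructed sample frame: msgpack-rpc request [0, 1, "f", []]
  const frame = Buffer.from([0x94, 0x00, 0x01, 0xa1, 0x66, 0x90]).toString('base64');
  const post = handle('POST', { sid, data: frame }).status;
  const echoed = parse(handle('GET', { c: 'poll', sid, f: 'callback' })).data === frame;
  handle('GET', { c: 'disconnect', sid, f: 'callback' });
  const stale = handle('POST', { sid, data: frame }).status;
  const unknown = handle('GET', { c: 'poll', sid: 'guessed', f: 'callback' }).status;
  return { sid, post, echoed, stale, unknown };
}
```
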
The MIT License (MIT)
See LICENSE for details.
Also see the LICENSE files of the submodules (located in the deps dir).