Linear FastCGI

Overview

This application connects to a msgpack-rpc (TCP) server and forwards messages to it from browsers such as IE that cannot use the WebSocket protocol.

Notice

Most browsers now support the WebSocket protocol by default, so in the near future there will be no need to use this application.
We therefore do not update this program unless a big problem occurs.

Build Instructions

Required tools and Dependencies

  • xNix based WebServer
    This application works only on xNix based OSes.
  • autotools and libtool
    aclocal, autoheader, automake, autoconf, libtoolize
  • lex and yacc
    flex 2.5.35 or later
    bison 2.4.1 or later
  • fastcgi C library
    libfcgi 2.4.0 or later
  • Perl Regular Expression library
    libpcre
  • lighttpd with mod_websocket (included in this repo)
    use mod_websocket_config_parser lib

HowToMake

$ ./bootstrap
$ ./configure --with-fastcgi[=/path/to/libfcgi]
$ make clean all
$ cp app/linear_fcgi /path/to/cgi-bin/linear.fcgi

Additional Information

  • Basic flow (C is linear.js and S is linear.fcgi)
    linear.fcgi uses Content-type: application/javascript for JSONP responses,
    so linear.fcgi does not work well in IE versions prior to IE8. Refer to this stackoverflow
    C                                                             S
    | --- GET                                                     |
    |     /path/to/linear.fcgi?                                   |
    |     c=connect&ch=somechannel&f=callback                 --> |
    | <-- 200 OK                                                  |
    |     body = callback({sid: session-id-created-by-S})     --- |
    | --- POST                                                    |
    |     /path/to/linear.fcgi                                    |
    |     body = {sid: sid-id-created-by-S,                       |
    |             data: base64-encoded-msgpack-rpc}           --> |
    | <-- 204 No Content                                      --- |
    | --- GET                                                     |
    |     /path/to/linear.fcgi?                                   |
    |     c=poll&sid=sid-id-created-by-S&f=callback           --> |
    | <-- 200 OK                                                  |
    |     body = callback({sid: sid-id-created-by-S,              |
    |                      data: base64-encoded-msgpack-rpc}) --- |
    | --- GET                                                     |
    |     /path/to/linear.fcgi?                                   |
    |     c=disconnect&sid=sid-id-created-by-S&f=callback     --> |
    | <-- 200 OK                                                  |
    |     body = callback({sid: session-id-created-by-S})     --- |

  • Security consideration
      • HTTP Response headers
        When using linear.fcgi, you should add some HTTP headers.
        1. X-Frame-Options
        2. X-XSS-Protection
        Refer to [List of useful HTTP headers](https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
      • CSRF
        An evil site cannot know the session id.
        The server side can also restrict origins by configuring websocket.conf for lighttpd.
      • XSS
        linear.js does not use any eval functions.
        It only passes JSON messages to applications.
      • Authentication
        Use {Basic, Digest} auth, and use SSL (https) instead of http.
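
The basic flow above, written out as an added example (not code from this repository or from linear.js): it builds the connect, POST, poll and disconnect messages and reads the JSONP replies without eval. It assumes the bodies are strict JSON; the helper names, the sample session id and the msgpack-rpc bytes are constructed for illustration.

```javascript
// Added example: message shapes from the flow diagram, built and parsed offline.
// Assumptions: bodies are strict JSON; ENDPOINT, helper names and sample values
// are constructed for illustration and are not taken from linear.js.
const ENDPOINT = '/path/to/linear.fcgi';

// Constructed msgpack-rpc request [0, 1, "echo", ["hi"]] = [type, msgid, method, params].
const SAMPLE_RPC = [0x94, 0x00, 0x01, 0xa4, 0x65, 0x63, 0x68, 0x6f, 0x91, 0xa2, 0x68, 0x69];

// GET steps (connect, poll, disconnect): c=<command>, ch or sid, f=<JSONP callback>.
function buildGet(command, params, callbackName) {
  const query = new URLSearchParams({ c: command, ...params, f: callbackName });
  return { method: 'GET', url: `${ENDPOINT}?${query}` };
}

// POST step: session id plus the base64-encoded msgpack-rpc bytes.
// Buffer is Node.js; a browser client would base64-encode with btoa().
function buildPost(sid, rpcBytes) {
  const data = Buffer.from(rpcBytes).toString('base64');
  return { method: 'POST', url: ENDPOINT, body: JSON.stringify({ sid, data }) };
}

// Read a "callback({...})" body without eval: require the expected callback
// name, then JSON.parse the argument. Returns null for anything else.
function parseJsonp(body, callbackName) {
  const prefix = `${callbackName}(`;
  const text = body.trim().replace(/;$/, '');
  if (!text.startsWith(prefix) || !text.endsWith(')')) return null;
  try {
    const value = JSON.parse(text.slice(prefix.length, -1));
    return value !== null && typeof value === 'object' ? value : null;
  } catch (err) {
    return null;
  }
}

// Walk the four steps using constructed server replies (no network involved).
function demoExchange() {
  const connect = buildGet('connect', { ch: 'somechannel' }, 'callback');
  const { sid } = parseJsonp('callback({"sid":"constructed-sid-1"})', 'callback');
  const post = buildPost(sid, SAMPLE_RPC);
  const poll = buildGet('poll', { sid }, 'callback');
  // Constructed poll reply: the server hands back the same message.
  const reply = parseJsonp(`callback(${post.body});`, 'callback');
  const bytes = [...Buffer.from(reply.data, 'base64')];
  const disconnect = buildGet('disconnect', { sid }, 'callback');
  return { connect, post, poll, reply, bytes, disconnect };
}
```

Every request after connect carries the sid, so a reply whose callback name or JSON shape does not match is dropped by `parseJsonp` rather than evaluated.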

License

The MIT License (MIT)
See LICENSE for details.

Also see the submodule LICENSEs (in the deps dir).