upvote

points

by ptx18 hours ago |
comments
upvoteby nobody4214 hours ago|
next
[-]
Memory safety is good, but does not protect from every threat. In this day and age infrastructure operators should familiarize themselves with proactive defenses, MAC: SElinux and AppArmor. It required much friction earlier, but there are more tools to ease the usage today.

https://presentations.nordisch.org/apparmor/

https://github.com/nobody43/apparmor-profiles/blob/master/ng...

https://github.com/nobody43/apparmor-suggest

Disclaimer: I'm the author of both repos.

reply
upvoteby dgellow17 hours ago|
prev|
next
[-]
Any software used at the scale of Apache and nginx will have a history of vulnerabilities. The fact they both survived with their market share for so long is a good sign
reply
upvoteby ptx16 hours ago|
parent|
[-]
Right, that's essentially what I'm thinking.

On the one hand Apache and Nginx are mature and proven but, being written in C, they will always suffer from memory-safety issues like this one and the recent Apache vulnerabilities.

On the other hand, the alternatives are perhaps not as mature and perhaps not implemented as securely as they could be, given that e.g. Caddy had multiple vulnerabilities in its request parsing this year and Jetty's shell injection vulnerability seems easily foreseeable and avoidable. Using a memory-safe language doesn't help much if you then (to take an unrelated but well-known example) implement arbitrary code execution as a feature in the logging library.

reply
upvoteby GoblinSlayer3 hours ago|
parent|
[-]
LDAP feature can be removed from log4j, but buffers can't be removed from nginx. Technically, bounds checking can be implemented, but presumably nginx has no plans for it, because it's anathema.
reply
upvoteby embedding-shape18 hours ago|
prev|
next
[-]
Caddy been a breeze to use, bit sucky model with "we have thousands of binaries depending on what combination of plugins you want" instead of a proper plugin system, but if you're building it from source, it's pretty nifty and simple anyways.
reply
upvoteby eikenberry17 hours ago|
parent|
next
[-]
Recompiling with the features you want is a great model for a free software project. So much simpler to write and maintain compared to a plugin system that it really makes more sense in a lot of cases.
reply
upvoteby seanw44414 hours ago|
parent|
[-]
Can often also be noticeably more performant.
reply
upvoteby pjmlp6 hours ago|
parent|
prev|
next
[-]
That is a consequence of static linking, and an abandoned plugin package that hasn't yet been removed due to backwards compatibility.

People keep forgetting that with static linking they are back to 1980's IPC for application extensions, or building from scratch every time they need to reconfigure the application.

reply
upvoteby sharperguy14 hours ago|
parent|
prev|
next
[-]
I've switched to using traefik from caddy. For simple use cases it's a little more verbose in the configuration, but for more involved things like multiple load balancing backends, rewriting paths and headers and so on I've found it really good.
reply
upvoteby vbernat16 hours ago|
parent|
prev|
next
[-]
nginx had this defect for a long time too!
reply
upvoteby dboreham15 hours ago|
parent|
prev|
[-]
Go doesn't support runtime linking, which is why "no plugins" (even though Go docs claim it does, no it doesn't).
reply
upvoteby toast016 hours ago|
prev|
next
[-]
Apache and I think Nginx have a huge list of features and stuff. Most alternate http servers limit the scope a lot, so you'd need to specify what features you're interested in.

But I haven't seen a whole lot of discussion of http servers in memory safe languages. The big three C-based servers: Apache, Nginx, and lighttpd are all pretty solid... I don't think there's a lot of people interested in giving that up for a new project just because of the language.

I'll also add that when you pick up most memory safe languages, you're also picking up their sometimes extensive runtime / virtual machine and all the accoutrements. A Java webserver probably uses log4j because any random Java project probably does, etc.

reply
upvoteby GoblinSlayer3 hours ago|
prev|
next
[-]
nginx just has logical errors in addition to buffer overflows, e.g. CVE-2026-42946.
reply
upvoteby owenthejumper10 hours ago|
prev|
next
[-]
for LB use cases, HAProxy is doing really well
reply
upvoteby 16 hours ago|
prev|
[-]
deleted
reply