[Dancer-users] Secure http (https) with Dancer

Gurunandan Bhat gbhat at pobox.com
Tue Dec 14 10:55:30 CET 2010 

On Tue, Dec 14, 2010 at 2:38 PM, sawyer x <xsawyerx at gmail.com> wrote:
> The SSL layer on top of HTTP (A.K.A. HTTPS) is handled by the web server.
>
> You'll need to understand about the differences of layers. This is a bit
> long but it will help you.
>
> A bit of theory:
> The specific server that Dancer uses depends on the environment you picked.
> Dancer is PSGI compatible which means you can pick any PSGI server (or
> server that supports PSGI interoperability). That means Twiggy, Starman (the
> common one) or Tatsumaki. There are a few servers for which there is a
> compatibility layer for PSGI, such as Apache or Perlbal (which supports a
> web server, not just a reverse proxy). Apache has support for SSL, so does
> Perlbal. I do believe the others have something along those lines but
> haven't checked.
>
> Dancer uses HTTP::Server::Simple to provide you with an in-house web server
> for development purposes. This means that HTTP::Server::Simple should be
> able to handle SSL in that case, which it does not. However, if you'll read
> the docs, it states that you can provide a connection accept hook to handle
> SSL, such as:
>
>     sub accept_hook {
>         my $self = shift;
>         my $fh   = $self->stdio_handle;
>
>         $self->SUPER::accept_hook(@_);
>
>         my $newfh =
>         IO::Socket::SSL->start_SSL( $fh,
>
>
>             SSL_server    => 1,
>             SSL_use_cert  => 1,
>             SSL_cert_file => 'myserver.crt',
>             SSL_key_file  => 'myserver.key',
>         )
>         or warn "problem setting up SSL socket: " .
> IO::Socket::SSL::errstr();
>
>
>
>         $self->stdio_handle($newfh) if $newfh;
>     }
>
> What to do:
> Either pick a web server that supports SSL (Apache, Perlbal) or put a
> reverse proxy on the front that will serve SSL to the user (Perlbal can do
> that do, Nginx is good at it, there's a few more to choose from).
>
> Don't use HTTP::Server::Simple for production (even though it might seem
> tempting). Do a bit of research and decide what you feel most comfortable
> with.
>
> I personally host a few websites on my server using Apache, so for me the
> best option is always through Apache's FastCGI layer. However, I'm
> considering changing to Nginx in the front (since it's very fast) to provide
> static content and SSL where needed.
>
> Hope this didn't tire you :)
>
> Good luck!
>
> Sawyer.
>

On the contrary Sawyer, thanks for a clear explanation of the issues
involved. Will get back with any questions after I do some research
for what can be done.  Also, the fact that you could use accept_hook
to handle ssl connections in HTTP::Server::Simple was a new learning
for me.

Thank you

More information about the Dancer-users mailing list