TinyWeb is intended to be a simple Win32 daemon for regular (TCP/http) and secure (SSL/TLS/https) web servers. TinyWeb is written by Max Masyutin (max@ritlabs.com) using Delphi. Source code is also provided.
This program is FREE for commercial and non-commercial use. The only restriction is that copyright holder must be attributed with the development of this code. See the LICENCE file for more details. Well, as this has been in essence an unpaid effort there is no guarantee of support (you get what you pay for :-), however I do undertake a limited amount of consulting.
This program may be freely distributed, provided the distribution package is not modified. No person or company may charge a fee for the distribution of this program without written permission of the copyright holder.
TinyWeb is extremely small (executable file size is 53K), simple (no any configuration except command line) and fast (consumes as little system memory and CPU resources as possible). TinyWeb installs in minutes and maintains a low-memory profile.
TinyWeb has got five-star rating at ZDNet HotFiles
| Target | c:\www\bin\tiny.exe c:\www\root |
| Start In | c:\www\log |
c:\www\bin\tiny.exe is the path to TinyWeb executable, c:\www\root is the path to www home (root) directory, and c:\www\log is the directory for log files TinyWeb keeps.
TinyWeb is neither windowed nor console application, moreover, it is not a Windows Service. Once started, tiny.exe will appear in Task List. There is no way to stop Tiny Web except End Task operation.
Run TinyWeb on port 8000 and address 212.56.194.250:
c:\www\bin\tiny.exe c:\www\root 8000 212.56.194.250
Path to home directory is taken from command line as a first parameter. The second parameter is bind-port and the third is bind-address, both are optional, don't use them if unsure.
The default directory root file name is index.html. If index.html file is not found in a directory, TinyWEB then looks for index.htm. If none of these two files are found, a file with name index and extension from PATHEXT environment variable is executed as a CGI from cgi-bin directory. If you have no such files in cgi-bin, make sure that index.html or index.htm exist in the directory first command line paramenter points to. Please refer to error_log in case of any troubles. The only GET, HEAD and POST commands are handled.
The following environment variables are passed to application:
To learn more about CGI, please visit http://hoohoo.ncsa.uiuc.edu/cgi/.
CGI interface was tested with ActivePerl for NT, which is available at http://www.activestate.com/
CGI application are being executed from /cgi-bin/ directory only.
The samples to test CGI are provided in cgitest.zip package within TinyWeb archive.
Note that TinyWeb extracts content-types, associated to file extensions, and script interpreters (e.g. Perl) form Windows Registry, so make sure that .html, .htm, .pl are registered file types. It means that I recommend to use .pl as an extension for CGI-scripts written in Perl.
The information is being taken from registry (to TinyWeb's cache) on TinyWeb's startup, so if you made some content-type or file-assotiation-related changes of registry, you must reload TinyWeb in order to take effect.
TinyWeb keeps Apache-compatible The Common Logfile Format log files: access_log, agent_log, referer_log and error_log, which can be analyzed by any compatible log analyzer, eg:
If some of them do not do what you want, let me know! You can also try some of the other log analysis tools. Consult the Yahoo guide for a list.
Logs are kept in a derectory from that TinyWeb was started. Make sure that "Start In" directory of TinyWeb properties is set properly.
Please note that TinyWeb doesn't support W3C's Extended Log File Format.
http://www.ritlabs.com/ or http://www.ritlabs.com/tinyweb/.
In that case TinyWEB first looks for index.html or index.html and then runs a file with name index and extension from PATHEXT environment variable. For example, if PATHEXT is set to .pl and /tinyweb/ is requested, /cgi-bin/tinyweb/index.pl will be run.
TinySSL is a Secure Sockets Layer (SSL v2/v3) and Transport Layer Security Web Server Daemon based on TinyWeb. TinySSL comes under the same licence as for TinyWEB and is FREE for commercial and non-commercial use. Source code is not provided but you can obtain it for a small fee of $49, thus you will not only be donating to the author but will also support further TinyWEB/TinySSL development. You will also be able to compile TinyWEB with Basic Access Authentication (rfc-2068). Just include your check or money order made payable to CIFNet, Inc. and mail it to: 2545 W. Peterson Ave. Suite 209, Chicago, IL 60659.
TinySSL versions up to 1.7 were using SSLeay library which is a free implementation of Netscape's Secure Socket Layer written by Eric Young (eay@cryptsoft.com), please visit SSLeay FAQ at http://www.psy.uq.edu.au/~ftp/Crypto/ for a lot of useful information about SSLeay.
TinySSL versions 1.8 and later are using OpenSSL which is a successor of SSLeay.
We do run TinySSL on a secure server certified by Thawte at https://support.ritlabs.com/
In order to initiatine a SSL-connection, the secure server must have a certificate or, in other words, Digital ID (there is a good Information Desk on that at Verisign and FAQ on Cryptography at RSA). The client can (and probably should) have a certificate. TinySSL does not currently provide client-certificate verifications.
First of all, you must generate your secure server's RSA private key. For that, feed .rnd file with lots of interesting and varied data, that would be used for key generation. .rnd is unformatted file, size don't care. You can copy a wav-file with digitized noize to it, or just a text-file with randomly-typed words and phrases.
To generate a key, type:
openssl genrsa -rand .rnd -out key.pem 1024
This command sequence will generate a 1024-bit RSA private key and store it in the file key.pem. The key should look like:
-----BEGIN RSA PRIVATE KEY----- MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg== -----END RSA PRIVATE KEY-----
Remember, that your secure server certificate (Digital ID) will be useless without the key.
Then you should generate your Certificate Signing Request (CSR). The CSR is what contains the name information for the certificate (Country, State/Province, City, Organization, Division, Web Server Domain Name, etc). It also contains your public key. The formats of certificate and CSR used by TinySSL are the same as for Apache-SSL. CSR should be sent for verification to Certificate Authority (CA) e.g. to Verisign (www.verisign.com) or Thawte (www.thawte.com). Thawte has issued a certificate for TinySSL without any problem, we use it at https://support.ritlabs.com/. Verisign are now signing certificate requests for Apache-SSL, more details are online. After verification you will probably receive the certificate.
To generate your CSR, run:
openssl req -new -key key.pem -out req.pem -config openssl.cnf
This command sequence will prompt you for the attributes of your certificate. Remember to give the secure server domain name when you would be prompted for "Common Name".
The request (saved to req.pem file) should look like:
-----BEGIN CERTIFICATE REQUEST----- MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0 2NNtXrT8odkCAwEAATANBgkqhkiG9w0BAQQFAANBAC5JBTeji7RosqMaUIDzIW13 oO6+kPhx9fXSpMFHIsY3aH92Milkov/2A4SuZTcnv/P6+8klmS0EaiUKcRzak4E= -----END CERTIFICATE REQUEST-----
You will now have a private key in key.pem and a CSR in req.pem
Make sure to store key.pem in a safe place. You will need the key to operate your secure server when CA issue your certificate. Note, that it is very important to backup the private key that corresponds to the certificate you purchased. Without the private key the certificate is quite useless. For good security reasons the most of CA's are unable to reissue certificates arbitrarily if you cannot access your private key!
Then send req.pem to CA.
Upon reception of a signed certificate from CA, put it to cert.pem.
The certificate should look like:
-----BEGIN CERTIFICATE----- MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh 8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA== -----END CERTIFICATE-----
You can also generate a temporary but ready to use untrusted test certificate by running:
openssl req -new -key key.pem -out cert.pem -x509 -config openssl.cnf
There is also a good temporary untrusted test certificate generator at http://www.cryptsoft.com/~tjh/usercert.cgi. Also, you can get a free trial secure server certificate from Verisign at http://digitalid.verisign.com/test_server_ids.html (choose Apache-SSL or any compatible server) or from Thawte at https://www.thawte.com/cgi/server/test.exe (chose Generate an X.509v3 certificate & Use the most basic format).
We do run TinySSL on a secure server certified by Thawte. If you enter https://support.ritlabs.com/, you would be able to see the following:
|
This Certificate belongs to:
support.ritlabs.com support@ritlabs.com RIT Research Labs RITLABS S.R.L. Chisinau, MD |
This Certificate was issued by:
Thawte Server CA server-certs@thawte.com Certification Services Division Thawte Consulting cc Cape Town, Western Cape, ZA |
realms.cfg file. There are MD5/DES-hybrid hashes (also may be called digests) that allow avoiding cleartext reusable passwords to be stored in realms.cfg file.
Each line of the file describes a single realm and has the following format:
ListOfURLs RealmName User1 User2 User3 User4 ....
ListOfURLs is a list of URLs (pipe-seperated) belonging to specified realm, RealmName is name of the realm as per rfc-2068 and UserN is user name and hash of a password. To produce a hash, run str2key.exe utility, passing password as a command line parameter (no space characters are allowed). As you see, you may assign several users and URLs to an realm.
If you do not need access authentication, simply leave realms.cfg empty (but do not even think to delete it). The sample file with two realms looks like this:
/cgi-bin/*|/view.html|/edit.html Operations mickey|7a4064683b98bf5e donald|f8ea4654643e75f8 /photos.html Photos ronnie|4f1fab620816ea8a coolman|f1578aa107bc4aefHere
mickey and donald users will have access to Operations realm and will be able to retrieve /cgi-bin/*, /view.html and /edit.html; ronnie and coolman users will have access to Photos realm with /photos.html.
str2key.exe utility produces a hash in the following steps: applies MD5 algorinthm to a password string; resulting 128 bits are split on two 64-bit blocks, 56 bits from one block is used as a DES key to ECB-encrypt 64 bits of another block; 64 bits produced by DES ecnryption are taken as hash.
Changing of realms.cfg without restarting server is allowed. TinySSL will reload the file if it was modified since last load.
Before starting TinySSL, make shure key.pem, cert.pem, .rnd and realms.cfg files are in the same directory with TinySSL.exe.
Run TinySSL.exe with the same parameters as needed for tiny.exe.
| Q? | When I use my browser to show me my home page it displays its source, i.e. with HTML tags. My browser also reports that the Content-Type of the document is "text/plain", whereas on other home pages I noticed that it is "text/html". Have you any ideas why this is, and what I can do to put it right? |
| A: | As stated above, TinyWeb uses Window Registry to obtain the information about content-types, file extensions, and script interpreters. If your registry does not contain the information about content-types, try to fill the basic minimum of HKEY_CLASSES_ROOT values by installing web.reg. To install the file, download it into a temporary directory and open the file by double-clicking on its icon. If you want to check the contents of the file, to ensure that they are safe, right-click the file and select "Edit" from the context-menu.
|
| Q? | I compiled a CGI script written in C as a DOS-application. Why does TinyWeb not execute it? |
| A: | DOS-based CGI scripts are not supported. Try to compile the script for Win32. |
| Q? | Does TinyWEB support SSI (Server-Side Includes)? |
| A: | No. There are good docs on NCSA SSI and Apache SSI, explaining SSI concepts, though. |
| Q? | I just made my homepage and launched TinyWeb. What should I enter in my browser's location field to access my site locally? |
| A: | http://localhost/ |
| Q? | I was able to view it as "http://localhost/", but I couldn't figure out how to make an internet host address (ex: http://www.ritlabs.com). Can you help? |
| A: | Please contact your Internet Service Provider or Network Administrator. |
| Q? | What is the difference between TinyWeb and TinySSL? |
| A: | There is no difference except TinyWeb uses generic TCP connection while TinySSL adds a Secure Socket Layer to a TCP connection. Thus TinyWeb is an http daemon while TinySSL is an https daemon. |
| Q? | What editor did you use to create this HTML page? |
| A: | I've used FAR © 1996-99 Eugene Roshal. |
| Q? | Is it possible to run both HTTP and HTTPS servers on the same machine (or several concurrently running servers for diffferent addresses/ports on the same machine)? |
| A: | Yes, but if you start them in a same directory they will have the same set of log files and will cease to work. Run them from different directories, i.e. each server from it's own directory. |
| Q? | I believe what I am missing is in the area of PATHEXT variable which is mentioned in your help area. Any assistance in getting this working would be appreciated. Can you help?
|
| A: | The NT command-line shell uses the PATHEXT environment variable to determine which files it treats as commands. This variable holds a semicolon-separated list of file extensions for command files. By default it has the value ".com;.exe;.bat;.cmd", meaning that, as one would expect, executable programs and batch files are treated as commands. By adding .pl extension to this list you can treat Perl scripts as commands, allowing to run Perl scripts using CGI instead of index.html.
|
gethostbyname().PATH_INFO & PATH_TRANSLATED CGI variables.
WaitForInputIdle() call to prevent from running GUI applications as CGI.
TCollector.Collect routine, it's now 100 times (or even more) faster.
TinyWeb ver 1.8 (71K)
TinySSL ver 1.8 (449K)
 HomepageDos Navigator |
ArgusThe Bat! |
Copyright © 1997-2000 RITLABS S.R.L. All rights reserved.