muhttpd

muhttpd

Robbert Haarman

2010-12-11


Introduction

muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It supports static pages, CGI scripts, MIME type based handlers, and HTTPS. It drops privileges before accepting any connections, and it can log received requests. It has been tested on GNU/Linux, NetBSD, FreeBSD, Mac OS X, and Cygwin. It runs successfully on 32 bits and 64 bits, little endian and big endian systems.


Goals

Apart from being a useful web server, muhttpd has three major goals: it is to be

  1. simple,
  2. portable, and
  3. secure.

Simplicity is the main goal. Hopefully, it will be so simple that problems do not come up, but at least it should be simple enough that problems that do occur are easily diagnosed and remedied. Its simple code also makes muhttpd useful as an example of how one can write a simple webserver (although that is probably more true of version 1.0 and earlier than of the current incarnation), as a platform for experimentation with new features, and as a starting point for more complex software.

Another goal of muhttpd is portability. It is intended to be a simple, but basically feature-complete webserver that one can quickly deploy on any given more-or-less POSIX compliant system, be it a simple device running a custom Linux distribution or a big-iron system providing POSIX compliance as just another of its bells and whishles.

Although I am very hesitant to call any program written in C secure, security is always high on my list of priorities. So it is for muhttpd. I pay attention to security issues during development, and I regularly run Splint against the code to find and remove possible weaknesses. The .splintrc file I use specifies weak checking, plus a number of extra checks; the goal is to check everything that splint can check without having to litter the code with splint annotations. A number of possible bugs have been found and fixed already.


Download

Latest Release

The latest release of muhttpd is version 1.1.5, available here: muhttpd-1.1.5.tar.bz2 (17 KB).

Version 1.1.5 is a bugfix release that addresses the following issues:

  • The interaction between the webroot and webdir directives was not described in the manpage
  • The webroot directive didn't actually work
  • Eric Sesterhenn found three resource leaks and contributed a fix (thanks, Eric!)
  • The configuration file parser now supports escape sequences so that, for example, filenames with spaces are now supported

If you are still running a version of muhttpd earlier than 1.1.4, you are strongly recommended to upgrade, because such versions contain multiple directory traversal vulnerabilities.

Subversion

You can get the current development version of muhttpd using Subversion. It is located at http://muhttpd.svn.sourceforge.net/svnroot/muhttpd/current. You can use the following command to check out the source code of the current version:

svn checkout http://muhttpd.svn.sourceforge.net/svnroot/muhttpd/current muhttpd

Installation

muhttpd can be installed using the standard


./configure
make
make install

mantra. Various things can be set by passing arguments to configure, such as the features to compile into muhttpd, which compatibility functions (functions that muhttpd uses, but that are not provided on all systems muhttpd targets) should be compiled in, and installation directories. Please refer to the file INSTALL (included in the distribution) for details.

Once muhttpd is installed, you will want to edit the configuration file (/etc/muhttpd/muhttpd.conf by default). The various directives and their meanings are explained in the manpage, muhttpd.conf(5).