Mongoose Embedded Web Server On FreeBSD


Install mongoose from the ports mechanism:

# cd /usr/ports/www/mongoose
# make install clean

Install mongoose with the package manager:

# pkg install mongoose

You can start mongoose at boot time by:

# sysrc mongoose_enable="YES"

If you restart your machine, the mongoose web server will serve “/var” as an HTTP file share on port 8080. You can see the contents of /var by browsing 127.0.0.1:8080:

# curl 127.0.0.1:8080

To make sure that mongoose is up and running, issue this command:

# /usr/local/etc/rc.d/mongoose status

Output is:

mongoose is running as pid 4218.  

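Or you can find it by its listening port:

# sockstat -4l

Output is:

USER COMMAND  PID  FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root mongoose 4218 5  tcp4  *:8080        *:*

The local address *:8080 means mongoose is listening on every IPv4 interface, so the /var listing is reachable from the network and not only from 127.0.0.1.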

mongoose does not detach from the terminal and uses the current working directory as the web root, unless the -r option is specified. It is possible to specify multiple ports to listen on. For example, to make mongoose listen on HTTP port 80 and HTTPS port 443, start it as:

# mongoose -s cert.pem -p 80,443s

Unlike other web servers, mongoose does not require CGI scripts to be put in a special directory. CGI scripts can be placed anywhere.

Disable Directory Listing

You can disable directory listing by typing the following:
# mongoose -listening_port 127.0.0.1:80 -enable_directory_listing no

Log Access To Website

This command will log all access to log.txt at the same path as index.html:
# mongoose -listening_port 127.0.0.1:80 -access_log_file log.txt
Log entries look like this:

127.0.0.1 - - [19/Nov/2017:20:37:49 +0330] "GET / HTTP/1.1" 304 0 - "Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0) Gecko/20100101 Firefox/56.0"

How To Secure Mongoose Web Server?

There are many tuning options we can apply to mongoose, but four of them are necessary:

  1. Change the running user to www
    # mongoose -listening_port 127.0.0.1:80 -access_log_file log.txt -run_as_user www
    If mongoose crashes, only mongoose will go down, not the whole server.
  2. Change the www permissions to a proper value
    # chmod -R -w /usr/local/www
    This command removes write permission, so a hacker can’t run a shell on your server.
  3. Change the www folder owner
    # chown -R www:www /usr/local/www
    Only www can add or remove content in this folder.
  4. Access Control List
    # mongoose -listening_port 192.168.1.1:80 -run_as_user www -access_control_list -0.0.0.0/0,+192.168.3.0/24
    This command runs mongoose on 192.168.1.1 port 80 and denies connections from everywhere, except for 192.168.3.0/24.
    Tip: we can’t call this a firewall, but you can do some tricks with it.
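
The ACL in step 4 only works because of rule order. The following added example (not from the original article or the Mongoose project) models the evaluation in Python, assuming the semantics described in Mongoose's option documentation: the whole list is traversed, the last matching rule wins, and the default is allow. It then replays access-log lines in the format shown earlier against the ACL; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

def parse_acl(acl):
    """Parse '-0.0.0.0/0,+192.168.3.0/24' into [(allow, network), ...]."""
    rules = []
    for item in acl.split(","):
        item = item.strip()
        if not item or item[0] not in "+-":
            raise ValueError(f"rule must start with + or -: {item!r}")
        # A bare address (no mask) means that single host, i.e. /32.
        rules.append((item[0] == "+", ipaddress.ip_network(item[1:], strict=False)))
    return rules

def allowed(rules, client):
    """Walk the whole list; the last matching rule wins, default is allow."""
    addr = ipaddress.ip_address(client)
    verdict = True
    for allow, net in rules:
        if addr in net:
            verdict = allow
    return verdict

# Access-log line as shown on this page: the client IP is the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def outside_acl(rules, log_lines):
    """Return (ip, request, status) for logged requests the ACL would reject."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not allowed(rules, m.group(1)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample log lines (not real traffic), same format as log.txt.
SAMPLE_LOG = [
    '192.168.3.17 - - [19/Nov/2017:20:37:49 +0330] "GET / HTTP/1.1" 200 512 - "curl/7.56.0"',
    '203.0.113.9 - - [19/Nov/2017:20:38:02 +0330] "GET / HTTP/1.1" 200 512 - "curl/7.56.0"',
]

if __name__ == "__main__":
    page_acl = parse_acl("-0.0.0.0/0,+192.168.3.0/24")
    swapped = parse_acl("+192.168.3.0/24,-0.0.0.0/0")  # same rules, wrong order
    print(allowed(page_acl, "192.168.3.17"), allowed(swapped, "192.168.3.17"))
    print(outside_acl(page_acl, SAMPLE_LOG))
```

Running an existing log.txt through outside_acl before enabling the ACL shows which current clients would lose access, and the swapped rule order shows how the same two rules deny everyone when the catch-all deny comes last.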

You can get the full edition at:
https://contents.meetbsd.ir/ebook/mongoose_bsdmag.pdf
Or:
https://bsdmag.org/download/openldap-directory-services-freebsd/

