Solved

ISAPI, CGI, DSO --- Linux?

Posted on 2004-08-19
Last Modified: 2011-09-20
Good day!

Under Windows I can use Delphi to create an ISAPI dll to run on IIS for the purpose of encrypting and saving data to a MySQL database. This is perfect for my purposes, because the actual ISAPI is compiled and the Encryption Algorithm is hidden.

I would like to do the same on Linux with an Apache server and MySQL database.

I have read up a lot on the Internet and stumbled onto something called Dynamic Server Objects (DSO).

Is DSO the Linux equivalent of the Windows ISAPI?

I read that you can create these DSO's with Kylix. Following the true Spirit of Linux, I would need a free tool that can create these objects, but alas! Kylix is not free! Unless you use the LIMITED FUNCTIONALITY "Open" edition.

My questions are as follows:
- Is DSO the Linux equivalent of the Windows ISAPI?
- If Linux supports CGI, can a CGI developed under Delphi (Windows) be used on Linux ?
- Any links to free plugins for Kylix Open to be able to create DSO ?
- Any Links to Step-by-Step tutorials on developing DSO / CGI for Linux and how to implement them under Apache 2.0

Thanks in advance!

-RR-
Question by:rogueripper
 
LVL 40

Expert Comment

by:jlevie
ID: 11846724
> Is DSO the Linux equivalent of the Windows ISAPI?

From the way that I've seen ISAPI dlls used I'd say yes. Both are a way to extend the functionality of a web server. Since they are simply a shared library object, loaded on demand by Apache, you don't have to use Kylix to create one. They can be written in C/C++ fairly easily (see any of the mod_* modules for Apache for examples).

> can a CGI developed under Delphi (Windows) be used on Linux

I'd say no. But one can write a CGI for an Apache server in any language that Linux supports (Bourne shell, Perl, Python, C/C++, etc.).

0
 

Author Comment

by:rogueripper
ID: 11850575
Hi jlevie

Thanx for the HELP!

I discovered the following on http://www.jmaguire.com/

===========================================

HOWTO: Write an Apache2 (DSO) Module in C

It turns out to be extremely easy to write an Apache 2.x.x module in C. Start by creating a simple template for your module on your file system:

# /usr/local/apache2/bin/apxs -n name -g

The above command should output something like the following:

Creating [DIR]  name
Creating [FILE] name/Makefile
Creating [FILE] name/modules.mk
Creating [FILE] name/mod_name.c
Creating [FILE] name/.deps

Next compile the sample module:

# apxs -c -i mod_name.c

After the module has compiled, activate the module in your httpd.conf file by adding the following lines:

LoadModule name_module modules/mod_name.so
<Location /nametest>
     SetHandler name
</Location>

Next restart your webserver:

# /usr/local/apache2/bin/apachectl restart

Finally test your new module:

# lynx -mime_header http://localhost/nametest/

The output should be similar to the following one:

HTTP/1.1 200 OK
Date: Tue, 31 Mar 1998 14:42:22 GMT
Server: Apache/2.0.48 (Unix)
Connection: close
Content-Type: text/html

The sample page from mod_name.c

===========================================

This works!

A few problems though................

How do I receive values from the "POST" or "GET"?
How do I output the HTML to a user?
How do I make a connection to save the data to a MySQL database?
In which file(s) does all my code go into?

I just can't find any tutorials on the web for what I am trying to achieve.

Regards,
-RR-
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11852181
From what I see in the question it sounds like you want to have a web application that gathers some data from a user & encrypts it (how much data?) and stuffs the result into a MySQL database. It also sounds like you want to "protect" the encryption method for data security.

Doing this with a DSO would be the hard way. Personally I'd use PHP and either one of PHP's encryption functions or call an external compiled program, depending on whether the passphrase for the encryption is fixed or part of the user data. I'd need to know more about the data and how it is used to be able to suggest an encryption method.
0
 

Author Comment

by:rogueripper
ID: 11867776
Hi jlevie

Yes, you are quite right- I would like to gather user information, encrypt it and store it inside a MySQL database.

The web app. gathers roughly 20 text fields of [1 char min] and [100 chars max].

I wanted to use php to do the encryption, but (as you noticed) the php script would not be compiled and therefore the encryption method would not be secure. (even though the web app. is hosted on a secure server at a webhost- you never know who has access to where!?). For that reason I would have made my own encryption method.

If there is any way to compile a php script-> that would be super! - but Zend compiler costs a bundle :o(

Thanx jlevie!
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11873654
The security of the data will be determined in part by the encryption method used and in part by where the passphrase comes from. If you use something like 3DES as a method (see PHP's mcrypt docs) it doesn't matter that someone figures out what encryption method is being used. Without the passphrase it would take thousands of years of compute time to break the encryption.

The problem then becomes a matter of securing the passphrase. I'm guessing that you'll be using the same passphrase for all of the data. Ideally that means that the passphrase would not be stored in a file on the server at all, but would be entered when the web server starts and held in memory. While that is practical for a local server it may not be useful on a server at a web hosting authority.  That means that the passphrase will have to reside in a file on the server.

The security of the server is what's of interest in this case. It really doesn't matter if the passphrase is held within compiled code or in plain text. If that file can be accessed by unauthorized users the passphrase can be recovered. Obviously one wants to use a dedicated server in this case because access to the server can be limited. Since a dedicated server only has accounts associated with the web site it can be far more secure than a shared server. The normal security rules apply; all unnecessary services disabled, only ssh/scp access, all security updates in place, and only accounts for the site admins.
0
 

Author Comment

by:rogueripper
ID: 11878595
Hi jlevie!

Thank you so much for all your help through this.

So my conclusions are the following:

I am able to compile a file to encrypt data and connect to a MySQL database, but the work involved would need to be developed in C. ---- ouch!

My website will be hosted on secure servers- I just wanted to take extra precautions to ensure security by compiling the source code somehow. I decided to develop the website using the php encryption functions via mcrypt.

I found these functions straight off the php website (it was written by Mike Zaccari). Are they any good for what I need to do?

////////////////////////////////////////////////////////////////////////////////////////
// Placeholder key. PHP 5.6 and later reject keys that are not 16, 24 or 32 bytes
// long; earlier versions pad a short key with NUL bytes.
$key = "Secret Key";

//Encrypt Function
function encrypt($encrypt)
{
   global $key;
   // MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block. ECB mode ignores the IV.
   $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
   $passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $encrypt, MCRYPT_MODE_ECB, $iv);
   $encode = base64_encode($passcrypt);
   return $encode;
}

//Decrypt Function
function decrypt($decrypt)
{
   global $key;
   $decoded = base64_decode($decrypt);
   $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
   $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_ECB, $iv);
   // mcrypt pads the last block with NUL bytes; strip them so the original text comes back.
   return rtrim($decrypted, "\0");
}

////////////////////////////////////////////////////////////////////////////////////////


Thanx again jlevie for all your help!

-rr-
0
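Key storage as discussed earlier in the thread, and the ECB mode used by the functions above (where equal plaintext always gives equal ciphertext), shown next to a hardened form. This is an added example, not part of the thread or of the quoted php.net code; it uses the openssl extension because mcrypt was removed from PHP in 7.2, and `load_key`, `encrypt_field`, `decrypt_field` and the temporary key file are assumptions for illustration.

```php
<?php
// Added example, not from the thread; hypothetical names; needs PHP 7.1+ with openssl.

// Read a 32-byte key from a file outside the web root, refusing lax permissions.
function load_key(string $path): string
{
    $perms = fileperms($path);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('key file must be accessible by its owner only');
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('key file must hold exactly 32 bytes');
    }
    return $key;
}

// AES-256-GCM, fresh 12-byte nonce per value. Stored layout: nonce | tag | ciphertext.
function encrypt_field(string $plain, string $key): string
{
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Returns the plaintext; throws if the key is wrong or the stored value was altered.
function decrypt_field(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $plain = ($raw === false || strlen($raw) < 28) ? false : openssl_decrypt(
        substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('malformed or modified value, or wrong key');
    }
    return $plain;
}

// Constructed demo: temp key file (tempnam() creates it mode 0600), made-up 16-digit value.
$path = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($path, random_bytes(32));
$key = load_key($path);
$pan = '4111111111111111';
var_dump(openssl_encrypt($pan, 'aes-256-ecb', $key) === openssl_encrypt($pan, 'aes-256-ecb', $key));
var_dump(encrypt_field($pan, $key) === encrypt_field($pan, $key));
var_dump(decrypt_field(encrypt_field($pan, $key), $key) === $pan);
unlink($path);
```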
 
LVL 40

Expert Comment

by:jlevie
ID: 11880252
They should work, although that isn't the strongest encryption that mcrypt() can do. But then you may not need anything more than that.
0
 

Author Comment

by:rogueripper
ID: 11880332
Hi jlevie

The obvious question:

So what is the strongest encryption that mcrypt can do?

I need this for encrypting sensitive financial information ---- i.e. credit card details etc...

Thanx jlevie
0
 
LVL 40

Accepted Solution

by:
jlevie earned 500 total points
ID: 11880530
Triple DES would be the strongest.

> My website will be hosted on secure servers

Is the server dedicated to your site or is it shared with other sites? Personally, there's no way that I'd store sensitive financials on a shared server. There's just too many ways that the data could be compromised. And, I never store that sort of info on a publicly accessible server. I use a separate server to store the information that has no direct access to the Internet. And only a limited view of the stored data is visible to the web server (only partial credit card info).
0
 

Author Comment

by:rogueripper
ID: 11892330
Thank you jlevie for all your help!

500 points goes to you for excellent advice!

Maybe some day I could help you with a few answers!

-RR-
0
