Root Analyzer Framework
Entry  25 Apr 2022, Marius Koeppel, Suggestion, Support for THttpServer Options 
    Reply  27 Apr 2022, Konstantin Olchanski, Suggestion, Support for THttpServer Options 
       Reply  04 Apr 2023, Marius Koeppel, Suggestion, Support for THttpServer Options 
Message ID: 47     Entry time: 04 Apr 2023     In reply to: 46
Author: Marius Koeppel 
Topic: Suggestion 
Subject: Support for THttpServer Options 
Hi Konstantin,

sorry, I did not set the mail notification on for this elog, so I never got the info that you replied to this topic.
Maybe it's also time to have an elog for manalyzer, since rootana is not really used anymore.

Following our e-mail conversation, I would start with this topic first:

Mail from me: >  Supporting more function of the root browser
Mail from you: > yes, I would like to add/have more code to interact with jsroot. basically jsroot specifies/implements a simple RPC and we should have support for it in manalyzer. (unless your "the root browser" is something else).

> I would like to know your "use case". What different options do you want to use in addition to what's already there?
So the main problem I have, in short, is that the readwrite flag is not the default in manalyzer. If it's set to rw, one can simply get histos on a custom page via:

let gH = await httpRequest(serverIP + '/PathToHisto/' + '/root.json', 'object');
redraw('NAME', gH, 'hist');

> I must ask because some options are insecure (i.e. exposing the webserver to external connections) and
> while I have no problem with others shooting themselves in the foot, I think they should be warned
> before they do it and I do not want to read it in the news that they did it using a gun I built.
I agree here one needs to at least warn the user what he is going to do now.

 
> > At the moment the manalyzer.cxx only adds the port:
> > 2840: sprintf(str, "http:127.0.0.1:%d?cors", httpPort);
> 
> this is by design. it is only safe to bind thttpserver to localhost, exposing to external connections is not safe. (until somebody
> can review the security situation with the version of civetweb, an antique clone of mongoose, inside ROOT).
I fully agree with having only localhost allowed. My comment was more about the different options like rw, ro etc.

> - threads - I am not sure what the latest thread-safe situation is on ROOT. is it useful to increase number of threads beyond 10?
We never had problems with the performance, but I cannot tell for others, so better to have an option for this so the user can choose?

> - top=name - yes, useful, but I think jsroot overrides that.
Would like to have the option, especially when you have multiple analyzers running in the network, which can get confusing.

> - auth_file, auth_domain - digest authentication .htdigest file stores passwords effectively as plain text, if you steal the .htdigest file, you 
> can login into the web server (as opposed to stealing /etc/passwd, you cannot login anywhere with it, not until you crack the hashes).
Better not.

> - loopback - this is what I want to enforce
Yes, I agree.

> - debug - could be useful, but is it?
I had it on a couple of times while writing custom pages displaying histograms.

> - websocket - does this do anything useful for us?
I don't think so, but I also never looked into it in detail.

> - cors=domain - same as in midas mhttpd, I think we respond with CORS "*", is some other response useful?
At the moment, with sprintf(str, "http:127.0.0.1:%d?cors", httpPort);, we have CORS "*". I think other responses are not super useful.

> - readonly - (is the default?)
This is the default at the moment. I would also like to have readwrite as default.

> - readwrite - I think should be *our* default
Yes.

> - global - (is the default, I agree)
Yes, should be default.

> - noglobal - any use case where we may want this?
Maybe when users run into performance issues?

That's all of my thoughts about what settings should be possible.

Best,
Marius
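
Added example, not part of the original post and not manalyzer or ROOT code: one way to let users choose the options discussed above while the bind address stays fixed to 127.0.0.1 and option values cannot inject further options. BuildHttpEngineSpec, IsSafeName, the limit of 64 threads, the "thrds" key and joining flags with '&' are assumptions to check against the ROOT version in use.

```cpp
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
// Hypothetical helper, not manalyzer code. Option names are the ones listed in
// the thread; the "thrds" key and '&' joining are assumptions about ROOT syntax.
static bool IsSafeName(const std::string& s)
{
    if (s.empty() || s.size() > 32) return false;
    for (unsigned char c : s)
        if (!std::isalnum(c) && c != '_' && c != '-') return false;
    return true;
}

std::string BuildHttpEngineSpec(int port, const std::map<std::string, std::string>& opts)
{
    if (port < 1 || port > 65535) throw std::invalid_argument("port out of range");
    bool readonly = false, noglobal = false, debug = false;
    std::string extra;
    for (const auto& kv : opts) {
        const std::string& key = kv.first;
        const std::string& val = kv.second;
        if (key == "readonly") readonly = true;          // wins over readwrite
        else if (key == "noglobal") noglobal = true;     // wins over global
        else if (key == "debug") debug = true;
        else if (key == "readwrite" || key == "global" || key == "loopback") {}  // defaults here
        else if (key == "top") {
            // reject '&', '?', ';', ':' etc. so a name cannot carry extra options
            if (!IsSafeName(val)) throw std::invalid_argument("unsafe top name");
            extra += "&top=" + val;
        } else if (key == "threads") {
            int n = 0;
            for (unsigned char c : val) {
                if (!std::isdigit(c) || n > 64) throw std::invalid_argument("bad thread count");
                n = n * 10 + (c - '0');
            }
            if (n < 1 || n > 64) throw std::invalid_argument("bad thread count"); // 64: constructed limit
            extra += "&thrds=" + std::to_string(n);
        } else {  // auth_file, auth_domain, websocket and anything unknown are refused
            throw std::invalid_argument("option not allowed: " + key);
        }
    }
    std::string spec = "http:127.0.0.1:" + std::to_string(port) + "?cors";  // address is never user input
    spec += readonly ? "&readonly" : "&readwrite";
    spec += noglobal ? "&noglobal" : "&global";
    if (debug) spec += "&debug";
    return spec + extra;
}
```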