[Dancer-users] Secure http (https) with Dancer

sawyer x xsawyerx at gmail.com
Tue Dec 14 10:08:04 CET 2010


The SSL layer on top of HTTP (A.K.A. HTTPS) is handled by the web server.

You'll need to understand the differences between the layers. This is a bit
long but it will help you.

*A bit of theory:*
The specific server that Dancer uses depends on the environment you picked.
Dancer is PSGI compatible which means you can pick any PSGI server (or
server that supports PSGI interoperability). That means Twiggy, Starman (the
common one) or Tatsumaki. There are a few servers for which there is a
compatibility layer for PSGI, such as Apache or Perlbal (which supports a
web server, not just a reverse proxy). Apache has support for SSL, so does
Perlbal. I do believe the others have something along those lines but
haven't checked.

Dancer uses HTTP::Server::Simple to provide you with an in-house web server
for development purposes. This means that HTTP::Server::Simple should be
able to handle SSL in that case, which it does not. However, if you read
the docs, they state that you can provide a connection accept hook to handle
SSL, such as:

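    use IO::Socket::SSL;

    # Override in your HTTP::Server::Simple subclass: upgrade each accepted
    # connection to SSL before the request is read.
    sub accept_hook {
        my $self = shift;
        my $fh   = $self->stdio_handle;

        $self->SUPER::accept_hook(@_);

        # Wrap the accepted socket in a server-side SSL session.
        my $newfh = IO::Socket::SSL->start_SSL(
            $fh,
            SSL_server    => 1,
            SSL_use_cert  => 1,
            SSL_cert_file => 'myserver.crt',
            SSL_key_file  => 'myserver.key',
        ) or warn "problem setting up SSL socket: " . IO::Socket::SSL::errstr();

        # Only swap in the SSL handle if the handshake succeeded.
        $self->stdio_handle($newfh) if $newfh;
    }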


*What to do:*
Either pick a web server that supports SSL (Apache, Perlbal) or put a
reverse proxy on the front that will serve SSL to the user (Perlbal can do
that too, Nginx is good at it, there are a few more to choose from).

Don't use HTTP::Server::Simple for production (even though it might seem
tempting). Do a bit of research and decide what you feel most comfortable
with.

I personally host a few websites on my server using Apache, so for me the
best option is always through Apache's FastCGI layer. However, I'm
considering changing to Nginx in the front (since it's very fast) to provide
static content and SSL where needed.

Hope this didn't tire you :)

Good luck!

Sawyer.
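
The reverse-proxy option described in the message above, as an added example that is not part of the original post: Nginx terminates SSL/TLS and forwards plain HTTP to a PSGI server running the Dancer app. The host name, file paths, backend port and the plackup command line are assumptions; the certificate and key file names reuse the ones from the accept hook snippet.

```nginx
# Constructed example: server_name, paths and the backend port are assumptions.
# The Dancer app is assumed to run under a PSGI server bound to loopback only,
# for instance:
#   plackup -s Starman --host 127.0.0.1 --port 5000 bin/app.pl

# Plain HTTP: do not serve content, only redirect to HTTPS.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: the SSL/TLS layer ends here, in the web server, not in Dancer.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/myserver.crt;
    ssl_certificate_key /etc/nginx/ssl/myserver.key;   # readable by nginx only
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Unencrypted hop to the application; it never leaves the machine.
        proxy_pass http://127.0.0.1:5000;

        # Overwrite (never append to) client-supplied values so the app
        # only sees what the proxy observed.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the hop from Nginx to the PSGI server is unencrypted, keep the backend bound to loopback (or a trusted network segment) and block its port from outside, so clients cannot bypass the proxy or forge the forwarded headers.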