SUMMARY: Web Serving thru the Firewall

From: Dan Penrod (penrod@wcnewmedia.com)
Date: Mon Jan 13 1997 - 13:05:53 CST


Hey Managers:

Thanks very much. I got about 16 replies... several of
which were very interesting!

In brief, the problem was... (Original query, with diagram, below)
  I have my webserver outside the firewall and my database
  server inside the firewall; which is where all the HTML,
  product data, and CGI procedures come from. All data,
  with the exception of images come from the database server.
  Due to limitations of HTML's image tag syntax
        <img src="images/myimage.gif">
  how can I keep my images on the database server
  (with the rest of the data) and get the webserver to be
  able to find it?

--

A number of people wrote to tell me that I'm a bit obsessive with neatness. Apparently a lot of people implement their web sites exactly like this, with most of the data inside the firewall on the database server and their images outside the firewall on the webserver.

To me this model seems very messy and MOST OF ALL is very DIFFICULT to MANAGE. As we get more contracts for more web sites and those web sites get more complex (our web sites are quite complex already) and we start adding redundant web servers (for scalable load demand)... keeping track of where everything is and where it needs to be gets very VERY difficult. For the very same reason we implement a master NIS server (vs duplicate host files and password files on every machine) it seems to me to be far more elegant and easy to manage all of the websites from a single database server. Since we're already storing all of our HTML, CGI procedures, as well as customer pricing and info... all in the database... why not the associated images as well?!?!

This seems like a no-brainer to me... still others disagree... so be it.

*One comment I received repeatedly is that the image tag syntax doesn't have to reference a local file... it can reference any URL... example:

        <img src="http://database.server.com/images/myimage.gif">

The one complication with this is that I now have advertised to the world a URL thru my firewall to the database server, which I was trying to isolate via the firewall in the first place. We can argue for hours how secure this is...

*Another very common suggestion was to move the webserver behind the firewall, create a hole in the firewall so webviewers can only access port 80:tcp of that webserver, then let the webserver access the images off the database server via NFS remote mounts using the local file image tag syntax. Originally, our firewall vendor suggested it was safer not to let webusers through the firewall which is why we configured our site like we did.

             ~~~~~~~~
            ( T1 to  )
           ( Internet )
             ~  ^   ~
                |
           +--------+
           |firewall|
           +--------+
        Port 80 |
            +------+     +------+
            | WWW  |     |  DB  |
            |      |-----|Server|-------------------- LAN Network
            +------+     +------+

*One person pointed out that since we're using Oracle for our database, webserver, CGI procedures, etc... there is info on exactly how to stream images from an Oracle database out to the Oracle Webserver which you can find here... http://www.onwe.co.za/frank/faqweb.htm#OWA2

*Another similar but more generic example, using a simple Perl CGI script, shows how to essentially imbed the image stream in the HTML. The image source tag references a CGI like this...

        <img src="/cgi-bin/imagetest.pl">

..and the Perl CGI script might look something like this...

        #!/usr/local/bin/perl
        # Stream one GIF back to the browser as the CGI response body.
        $img = '/tmp/myimage.gif';
        open(IMG, $img) or die "Cannot open $img: $!";
        binmode(IMG);              # image data is binary
        binmode(STDOUT);
        select (STDOUT); $| = 1;   # unbuffered output
        print "Content-Type: image/gif\n\n";
        print <IMG>;
        close (IMG);
        exit(0);

The thing to pay attention to here is that the CGI first prints the html type...

        Content-Type: image/gif\n\n

Then it writes the raw contents of the image...

        GIF89aFd\167\177\177\177\177\177\013\...

So the image is effectively imbedded directly into the HTML! This is what I was really looking for and I have to admit I think it's very clever! I was told that this is exactly how server-push is implemented.

There are concerns about performance issues. If we implement one of these last two techniques (either storing it generically on the database server's filesystem or in the database) a web page that displays (for example) 15 images needs to spawn 15 CGI scripts. How slow will that be? What if I now have 15 people hitting that same page at the same time? Am I going to be severely punished for this? I don't know. How would this compare to referencing the images using the local file image tag syntax through NFS? I'm guessing the NFS solution might be faster, but again, I don't know. I wonder which is faster, pulling the images from an NFS filesystem or out of the Oracle database? For that matter, I suppose it would be fastest if I ran the database and the webserver on the same host. I want speed, I want structure, elegance and ease of maintenance, and I want security.

If anyone has further comments, feedback or input I would be very interested.

Meanwhile, I hope others will find this SUMMARY as interesting as I did.

Thanks to the following...

fpardo@tisny.com (Frank Pardo)
Stephen Harris <sweh@mpn.com>
"Mark P. Beckman" <beckman@bofh.fleet.capital.ge.com>
Ryan Clutter <Ryan.J.Clutter@nmb.norwest.com>
Alex Finkel <afinkel@pfn.com>
"Alfredo Sola" <asola@intelideas.com>
Rich Kulawiec <rsk@itw.com>
Martin Espinoza <drink@sei.com>
Michel Pilon <pilonm@CCG.RNCan.gc.ca>
"Cooper,Chris" <CCooper@ingenius.com>
Stephen Harris <sweh@mpn.com>
raju@ecologic.net
"Alexander O. Yuriev" <alex@bach.cis.temple.edu>
Jeff Duncan <duncan@ao.net>
PK Shiu <pk@imperial-consulting.com>
Rich Casto <rich@loopexpert.com>

--- Original Query...

Hey Managers:

I need some advice on serving web pages thru the firewall. Here's what we're doing now...

             ~~~~~~~~
            ( T1 to  )
           ( Internet )
             ~  ^   ~
                |
            +------+
            | WWW  |       We're using Oracle Webserver out here.
            |      |
            +------+
                |
           +--------+  ^
           |firewall|  |   SQL*NET passes CGI requests and replies
           +--------+  v   through the firewall.
                |
            +------+       We're using Oracle Database in here.
            |  DB  |
            |Server|------------------------- LAN Network
            +------+

All of our HTML is generated on the fly (dynamically) from the database using Oracle's Procedure Builder for the CGI. All of the data (products, prices, etc...) comes out of the data base. This is all passed through the firewall, from DB to WWW, with Oracle SQL*NET.

Where do you think we keep the .GIF and .JPG images????

We keep them out on the exposed WWW instead of behind the firewall in the database with the rest of the data!!!

As a system admin, this drives me nuts! It really seems to me that we would want to keep all the images in the database, or at least on the file system of DB. I would like to see no data out on WWW, just the Webserver software.

The Web programmers insist there's no way around this. They say that due to restrictions of HTML syntax...

ie: <img src="images/myimage.gif">

..the images HAVE to appear on the local filesystem of the Webserver... even if you're pushing dynamically written HTML source (via CGI) from a remote server... the images must already be out on the Webserver.

Seems like I'm looking for a way to stream out the images along with dynamic HTML and data... and maybe embed the image in the HTML somehow... I don't know... see what I'm fishing for here?

For obvious reasons... we don't want to export an NFS filesystem from DB to WWW through the firewall, which might be one possible solution... I suppose we could copy the images out to the WWW filesystem on-demand, and delete them later (maybe with an hourly cronjob or something)... but that seems like a real kludge and would slow down performance.

Has anyone else had to deal with this conundrum? Any elegant solutions?

Thanks,
--
Dan Penrod - Unix Network Administrator
Image Technologies - World Color New Media
2502 Rocky Point Dr. Suite 200, Tampa, FL 33716
vox:813/636-9266 fax:636-0431 penrod@wcnewmedia.com
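The Perl CGI in the summary streams one hard-coded file; a page with many images needs the image chosen per request, and then the requested name has to be validated before it reaches the filesystem. The following is an added example, not code from the original post or its respondents, and it generalizes that script: the script name in `<img src="/cgi-bin/image.pl?name=myimage.gif">`, the `name` parameter and the `/data/images` directory are all assumptions.

```perl
#!/usr/local/bin/perl
# Added example: serve one image per request, chosen by ?name=..., from a
# single directory. $IMAGE_DIR and the "name" parameter are assumptions.
use strict;
use warnings;

my $IMAGE_DIR = '/data/images';    # hypothetical image directory
my %TYPE = (gif => 'image/gif', jpg => 'image/jpeg', jpeg => 'image/jpeg');

# Return (path, MIME type) for an acceptable name, or an empty list.
sub resolve_image {
    my ($name) = @_;
    return unless defined $name;
    # Accept only "basename.ext": no slashes, no "..", no leading dot.
    return unless $name =~ /\A([A-Za-z0-9_-]{1,64})\.(gif|jpe?g)\z/i;
    my ($base, $ext) = ($1, $2);
    return ("$IMAGE_DIR/$base.$ext", $TYPE{lc $ext});
}

# Send an error response and stop; nothing about the path is echoed back.
sub fail {
    my ($status) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$status\n";
    exit 0;
}

# Parse the query string (name=value pairs separated by & or ;).
my %param;
for my $pair (split /[&;]/, $ENV{QUERY_STRING} // '') {
    my ($k, $v) = split /=/, $pair, 2;
    next unless defined $v;
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;    # decode before validating
    $param{$k} = $v;
}

my ($path, $type) = resolve_image($param{name});
fail('400 Bad Request') unless defined $path;

# Three-argument open: the name is only ever treated as a file to read.
open(my $fh, '<', $path) or fail('404 Not Found');
binmode $fh;
binmode STDOUT;
$| = 1;
my $size = -s $fh;
print "Content-Type: $type\r\nContent-Length: $size\r\n\r\n";
local $/ = \8192;                  # copy in 8 KB chunks, not one big slurp
print while <$fh>;
close $fh;
```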


