On Thu, 25 May 2017 21:08:26 +0200, Jacob Carlborg wrote:

On 2017-05-25 12:50, Evgeniy wrote:

Hello. I'm somewhat newbie to the web development and gather information about how things are done.

Imagine the web project where the web server dynamically generates the majority of content and delivers it to the users by means of Ajax requests (or websockets). I.e. static content is a minority.

In such conditions would it be ok to avoid running nginx in front of vibe.d and instead directly expose vibe.d to the world?
What problems can it result in?
Is it secure enough?
Does vibe.d tolerate the slow connection attack?
Where are vibe.d vulnerabilities tracked and reported?

I would not recommend doing that. nginx is a more mature and battle
tested web server.

/Jacob Carlborg

Seconded. vibe.d has some basic countermeasures, such as request time and size limits, but there are definitely still scenarios in which it is vulnerable.

Besides DoS attacks, the code should be pretty solid w.r.t. buffer overflow and remote code execution attacks. Certain types of other attacks require some work in the application itself (e.g. CSRF attacks), regardless of the public HTTP server.

Having said that, Nginx is of course also no guarantee against (D)DoS attacks, so if that is a realistic scenario, other measures may be in order anyway.

Finally, it should be mentioned that there is one nasty issue in Linux, where sometimes an exception would either cause the process to hang at 100% CPU or bail out with an error message. I'm hitting this issue on a vibe.d based reverse proxy that serves HTTPS. This is likely happening there because there are relatively many exceptions caused by clients failing the TLS handshake.

Security issues are handled through the regular GitHub issue tracker.
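As an added illustration of the "request time and size limits" mentioned in the reply above (this is example code written for this thread, not code from the vibe.d project or any of the posters), the following vibe.d server sets those limits explicitly and binds to loopback only, so that a reverse proxy such as nginx on the same host is the only listener reachable from the Internet. The field names are those of vibe.d's `HTTPServerSettings`; the concrete limit values, the port and the JSON handler are assumptions chosen for the example, not project defaults.

```d
// Added example (not from the thread): a vibe.d HTTP server that applies the
// request time and size limits discussed above and listens only on loopback,
// so that a reverse proxy such as nginx is what faces the network.
// Field names are those of vibe.d's HTTPServerSettings; the limit values,
// port and handler below are assumptions for illustration.
import core.time : seconds;
import vibe.core.core : runEventLoop;
import vibe.http.server;

// A dynamic endpoint of the kind the question describes (Ajax/JSON response).
void handleRequest(HTTPServerRequest req, HTTPServerResponse res)
{
    res.writeBody(`{"status":"ok"}`, "application/json");
}

// Builds settings that bound what a single client can cost the process.
HTTPServerSettings hardenedSettings()
{
    auto settings = new HTTPServerSettings;

    // Listen on loopback only; the reverse proxy on the same host forwards
    // to this port, so vibe.d itself is never exposed directly.
    settings.bindAddresses = ["127.0.0.1"];
    settings.port = 8080;   // assumed port, matched by the proxy's upstream

    // Per-request caps; a request exceeding them is rejected by vibe.d.
    settings.maxRequestHeaderSize = 8 * 1024;   // headers larger than 8 KiB are refused
    settings.maxRequestSize = 1024 * 1024;      // bodies larger than 1 MiB are refused
    settings.maxRequestTime = 30.seconds;       // a request must complete within 30 s,
                                                // which bounds a slowly-trickled request
    settings.keepAliveTimeout = 10.seconds;     // idle keep-alive connections are closed

    return settings;
}

void main()
{
    auto listener = listenHTTP(hardenedSettings(), &handleRequest);
    scope (exit) listener.stopListening();
    runEventLoop();
}
```

`maxRequestTime` is the knob that relates to the slow-connection question: it caps how long one request may take end to end, so a client that trickles bytes cannot hold a handler indefinitely. As the reply notes, these are only basic measures; the connection-level limits, rate limiting and buffering that a dedicated front server like nginx provides still apply in front of this process, and binding to loopback is what keeps that arrangement from being bypassed.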