When Not to Embed a Web Server in a Device

Embedding a web server in a product is a remarkably powerful mechanism for easily implementing a variety of key features and functions in your device. One of the greatest benefits of an embedded web server is that it resides in the equipment itself and not as a separate software that needs to be installed on a computer. A user can simply use a browser and navigate to the IP address or domain name given to access key features in the product.

In this article, we look into a few use cases where embedding a web server in a product is not the optimal solution, but where a hybrid IoT/cloud solution creates a much better user experience.

In general, an embedded web server is not the optimal solution if:

  1. the product is powered by a small microcontroller such as a Cortex M4 and a secure HTTPS server is needed
  2. the product is deployed within a private network (Intranet) but needs to be accessible from the Internet

1: Embedding Web Servers in Microcontrollers

Products powered by small microcontrollers, such as ARM Cortex M4, that mandate the use of secure HTTPS web servers are problematic since modern web browsers may attempt to pre-allocate as many as 12 connections before sending the first GET request. Each connection requires its own time consuming TLS handshake.

Too many connections from browser

Figure 1: Modern browsers may request more resources than the device can handle.

HTTPS connections are problematic for small devices. Modern browsers may pre-allocate many TLS connections before sending the first GET request. A small WebServer may be designed to handle one connection at a time and this works with non secure HTTP connections, but not with HTTPS connections. The reason it does not work with secure connections is that each SSL connection requires its own time consuming TLS handshake (asymmetric encryption) before it moves up to the HTTP layer. This means that the connections opened by the browser must complete a full TLS handshake, even if they are not used. In particular, some browsers make the handshake very time consuming since they open many connections (pre-allocate TLS connections) without waiting for at least one to complete the handshake so subsequent connections can use TLS session resumption.

The asymmetric encryption used by the TLS handshake is very CPU intensive. A small device can manage one TLS handshake in a reasonable amount of time, but not 12. A device is at the mercy of the browser and has no way of telling the browser that it cannot cope with that many connections. A solution would be to move to HTTP/2, but the HTTP/2 protocol has its own issues and complexities making it unsuitable for small devices.

To remedy this problem, use a WebSocket Server and not a web server.


2: The product is deployed within an Intranet but needs to be accessible from the Internet

Devices and other products with an embedded web server normally operate on private networks such as Intranets. Private networks are not directly accessible via the Internet and are shielded from external Internet access by a firewall/router. For example, even the most basic home router shields any type of server solution from external Internet access.

Firewall blocks external access

Figure 2: External attacker is unable to access embedded web server on private network

In many cases, preventing external access is beneficial since the embedded web server is protected from potentially malicious external users. However, it creates a major problem if the product with the embedded web server needs to be operated from another network via the Internet. This type of remote access could be anything from remote management and supervision to updating the device firmware.

HTTP Behind Firewall the Hard Way:

External access to one web server on a private network is technically possible by opening a pinhole in the firewall. In computer networking, a firewall pinhole is a port that is not protected by a firewall to allow a particular application to gain access to a service on a host in the network protected by the firewall.

Firewall pinhole

Figure 3: External user accessing private web server via firewall pinhole

How to set up a firewall pinhole depends on the firewall product being used. However, regardless of firewall type, setting up a pinhole such as port forwarding is generally complicated and requires extensive network experience. Unless your customers are very tech savvy, setting up port forwarding will be near to impossible for them to configure. Customers deploying your products in corporate environments may have IT personnel with the required expertise, but corporate environments typically ban the use of pinholes.

HTTP Behind Firewall the Easy Way:

SharkTrustX is a free product that automates accessing any number of HTTP servers behind firewalls.

IoT & HTTPS Behind Firewall

Figure 4: Accessing an HTTP server behind a firewall using SharkTrustX.

Additional Embedded Web Server Tutorials

Discover More:

Whether you are a maker, a startup, or a large business, we've got you covered. Please send us an email if you have any questions or if you are unsure on what product to select. We are here to help you find the best solution, and we'd really like to help you with your hardware/software project challenges.


OPC-UA

OPC-UA Client & Server

An easy to use OPC UA stack that enables bridging of OPC-UA enabled industrial products with cloud services, IT, and HTML5 user interfaces.

Edge Controller

Edge Controller

Use our user programmable Edge-Controller as a tool to accelerate development of the next generation industrial edge products and to facilitate rapid IoT and IIoT development.

On-Premises IoT

On-Premises IoT Platform

Learn how to use the Barracuda App Server as your On-Premises IoT Foundation.

Embedded Web Server

Barracuda Embedded Web Server

The compact Web Server C library is included in the Barracuda App Server protocol suite but can also be used standalone.

WebSocket Server

Microcontroller Friendly

The tiny Minnow Server enables modern web server user interfaces to be used as the graphical front end for tiny microcontrollers. Make sure to check out the reference design and the Minnow Server design guide.

WebDAV Server

Network File System

Why use FTP when you can use your device as a secure network drive.

HTTP Client

Secure HTTP Client Library

PikeHTTP is a compact and secure HTTP client C library that greatly simplifies the design of HTTP/REST style apps in C or C++.

WebSocket Client

Microcontroller Friendly

The embedded WebSocket C library lets developers design tiny and secure IoT applications based on the WebSocket protocol.

SMTP Client

Secure Embedded SMTP Library

Send alarms and other notifications from any microcontroller powered product.

Crypto Library

RayCrypto C Library

The RayCrypto engine is an extremely small and fast embedded crypto library designed specifically for embedded resource-constrained devices.

Embedded PKI Service

Automatic SSL Certificate Management for Devices

Real Time Logic's SharkTrust™ service is an automatic Public Key Infrastructure (PKI) solution for products containing an Embedded Web Server.

Modbus

Modbus TCP client

The Modbus client enables bridging of Modbus enabled industrial products with modern IoT devices and HTML5 powered HMIs.

Posted in Whitepapers