Nginx is 11 years old and faced similar skepticism from many people in 2002 who made statements about how feature-packed, stable and popular Apache was.
I've been using Harp for about 3 months and really like the sweet spot they have found between a bucket of static files and a full-blown web app stack. It's a very new paradigm and you probably need to try it to fully appreciate it.
So far we don't deal with the authoring abstraction layer. Our focus is on solving deployment by automating performance optimization like asset bundling, caching & CDN integration.
The big vision is to provide static hosting for the programmable web. We make HTML forms work and provide an API for sending the input wherever you want. This OAuth2 based API also handles deploying sites, injecting code snippets, and updating individual files.
The real moonshot here is developing a standard similar to JSON Patch for updating HTML via PATCH requests. If Harp, or anyone reading this is interested in this idea, we'd love to collaborate on developing a spec.
One interesting LESS feature I found when we were evaluating it for letting some users use it for customization: it can evaluate arbitrary Javascript and open and embed files. Just in case you thought it was some pure transformative shorthand CSS syntax.
Of course, letting users upload arbitrary CSS served from your domain is an XSS-level risk, but let's say you let each user have his own domain and let them upload .less files.
Or you have a say, node.js APP that lets a user enter LESS and spit out the -- escaped -- CSS.
When compiled with lessc 1.4.2, this embeds the contents of that file as base64.
Also, with 1.3.x."@import" lets you open any filename and insert it, but it's required to be valid .less. I suppose you could try to @import /dev/random or urandom although I don't know if there's any practical attack surface for decreasing entropy. I don't think I could offhand find a valid file.
However in the theorethical web page evaluating .less, the error output will contain the contents of the file @imported.
Oh, and the evaluation of Javascript... I couldn't make it do much useful, as it seems there's some kind of limited JS environment that code executes in. The worst I could do was:
div {
background: `process.kill(-1, "SIGKIL")`;
}
The "fs" object does not seem to exist there, but I don't know enough about node.js/V8 environment to see whether there's equivalent of jailbreaks.
So, uh, don't compile arbitrary LESS files and send users their output, and LESS files someone sends you or checks into a project can kill your processes (at least).
In 2013, does it make sense to put each user in a docker/lxc container? I don't know the resource overhead, but I'd hope/expect that it would be within tolerances.
Then you can have rich features like includes without worrying about file-based info leak. (cpu-timing attacks are perhaps another kettle of fish).
"Build on request" is a good idea. We do something similar in our stack: tup[0] as the (insanely fast) build system, and developer VMs run mitmproxy[1] on port 8080 which runs tup before every request.
I prefer this style of a setup to coupling them together a-la Harp. If the webserver doesn't work out, I can swap it out. Same with the build system. Tying them together makes me antsy. And for good reason I think: since 2004, we have switched from Apache -> Lighttpd -> Nginx, and have switched from custom shell scripts -> Make -> Tup (with some fabricate.py, and with calls out to other build systems like Leiningen)
As a sidenote, I appreciate the sense of humor that the tup author has:
"In a typical build system, the dependency arrows go down. Although this is the way they would naturally go due to gravity, it is unfortunately also where the enemy's gate is. ... In tup, the arrows go up. This is obviously true because it rhymes."
"<diagram of tup vs make> See the difference? The arrows go up."
I don't see this as tying it to the web server. You're not using some custom language that only Harp supports. If you need to switch to a completely static site, you can still use Harp to generate the static site. If you can't use Harp at all, there are several other static generators out there that support those formats.
Yes, the lazy compile (JIT) or "build on request" as you put it plays a huge factor when it comes to performance. Because it doesn't rebuild the world each time there is a change it is able to expend the cpu cycles when it matters most.
Under the hood we have the HTTP and the precompiling system decoupled. The precompiling is done with a library called Terraform which acts as a uniform source agnostic compiler. Harp wraps this with a HTTP layer and and SSG layer. See https://github.com/sintaxi/terraform
Reminds me of Middleman (http://middlemanapp.com/) and of my own https://github.com/stdbrouw/draughtsman, which has sadly languished. I've found it indispensable for prototyping, not just because of the precompilation but also because it'll search for metadata on the filesystem that you can use to flesh out those prototypes with real data.
middleman is fantastic. It does all this from what I can tell, and has an amazing plugin system, with plugins written for things like livereload so when I save a file, it re-pregenerates it and reloads my browser. It's SUCH a nice workflow especially for smaller sites.
That Rails vs. Angular graph would sure be useful in arguing for a move away from Rails, except that it's unsourced and unitless on the Y axis. I'd love to know how it was generated and from what data, so I can make one that represents the same information in a way that's suitable for my purposes.
Not really. Those data points are independent. A lot of people use Angular and Rails together. Rails still provides a nice controller and model layer for an API.
This doesn't seem to be on the right level of abstraction - why replacing the entire web server, adding dynamic translating (compilation) as a main feature?
I look at it this way, we basically have two types of web servers, static and full-stack web frameworks. What if all you want is a static web server but you need a way for your files to share a common layout? If you don't have any server side compilation a full-stack framework is overkill. We could use a static site generator such as Jekyll and then put behind a static web server but now we have ugly urls, no 404 pages, and way more dependencies than needed.
The simple fact is a static web site on its own is not good enough but its 95% there. Using a full-stack framework is overkill, and needing an Static Site Generator just seems counter productive when considering simplicity is one of the biggest upsides to shipping static assets.
There is no good reason for static web servers to do a little extra for you like smarter redirects, clean urls, layouts/partials. This makes sense to me considering the direction we are headed.
"The obvous question with building front-end applications is where does the state live? Fortunately there are many services ..." Does any body know what is a great solution for simple Contact Forms?
I like the idea, but I don't understand the problem they're trying to solve. For example I have an app using node as the backend behind nginx and ember as the front end.
Right now I'm using grunt to precompile my app to plan old HTML / JS /CSS but there are modules for node that can also compile and cache for me, Either way, I don't have to mess with something that works (NGINX)
Configuring Grunt to do this every time you want to ship a web app seems like a path to insanity to me. Also, NGINX doesn't by default give you clean urls and 404 fallbacks. Web frameworks do this for you and IMHO It's time static servers do as well.
Regenerating all the assets every time there is a change just feels sloppy to me. Also, I think it is asking a lot from novice developers to setup these configuration files and the knowledge one needs to have to do it effectively is a needless burden on someone who specializes on front-end development.
No disrespect to NGINX. Its too busy powering the internet to be concerned with these problems :)
I currently have Grunt + the RequireJS Optimizer building ~5 js files from 20+ AMD modules. So, with harp I would move that build script away from my app and into Harp? Sounds very interesting, but does this separate the application from the build script?
Less/Sass seems easy, but I'd like to see more regarding JS build/min/concatenation scripts in Harp. Or is this not its goal?
We use Harp to power our development platform that has Dropbox integration. It is currently in public Beta and I'll definitely be talking about it in the future.
There is no mention of it in my article because we didn't want our business to get in the way of the open source initiative. We believe in Tim O'Reilly's guidance "Create More Value Than You Capture".
So this is like Apache's mod_* but for modern things. Sounds neat. One of the things I like most about the Play Framework is that it autocompiles LESS, CoffeeScript and Scala on refresh. Extending that concept to more languages is a good thing.
I think the big challenge will be with the languages themselves. LESS, Stylus, CoffeeScript, and Jade are all implemented in JavaScript. Finding C implementations would be tough. Though SASS has a C implementation.
Does Harp have livereload support? Kill all the refresh buttons (for dev)! That would be my only must have for using a different dev server than grunt based for JS app dev
For all skeptics, this can actually make lot sense with the current service-oriented web.
Actually, this is where I tried to go with Punch(http://laktek.github.com/punch) too. Vast majority of the content in web can essentially be static, it's just the minor inconveniences of plugging data sources, updating and managing them is what should be addressed.
I have been using simple Node HTTP server to fulfill my small need[http://stackoverflow.com/a/13635318]. And of course, Node's event-driven architecture will help Harp. But, I think Nginx or Apache is quite featured web server you are trying to replace.
I am using docpad (http://docpad.org/) and I want to try mimosa (http://mimosa.io/). Does Harp compete with this frameworks? I would appreciate any comments on this because I might consider Harp as another option.
This seems like a less mature and more opinionated edition of DocPad? - http://docpad.org
I find it hard to understand why one would use this over DocPad... Can someone fill me in, I'm curious to know what the interest is about in case I'm missing something!
[+] [-] crabasa|12 years ago|reply
I've been using Harp for about 3 months and really like the sweet spot they have found between a bucket of static files and a full-blown web app stack. It's a very new paradigm and you probably need to try it to fully appreciate it.
[+] [-] ruemic|12 years ago|reply
https://www.bitballoon.com
So far we don't deal with the authoring abstraction layer. Our focus is on solving deployment by automating performance optimization like asset bundling, caching & CDN integration.
The big vision is to provide static hosting for the programmable web. We make HTML forms work and provide an API for sending the input wherever you want. This OAuth2 based API also handles deploying sites, injecting code snippets, and updating individual files.
The real moonshot here is developing a standard similar to JSON Patch for updating HTML via PATCH requests. If Harp, or anyone reading this is interested in this idea, we'd love to collaborate on developing a spec.
[+] [-] Erwin|12 years ago|reply
Of course, letting users upload arbitrary CSS served from your domain is an XSS-level risk, but let's say you let each user have his own domain and let them upload .less files.
Or you have a say, node.js APP that lets a user enter LESS and spit out the -- escaped -- CSS.
Now they can do:
When compiled with lessc 1.4.2, this embeds the contents of that file as base64.Also, with 1.3.x."@import" lets you open any filename and insert it, but it's required to be valid .less. I suppose you could try to @import /dev/random or urandom although I don't know if there's any practical attack surface for decreasing entropy. I don't think I could offhand find a valid file.
However in the theorethical web page evaluating .less, the error output will contain the contents of the file @imported.
Oh, and the evaluation of Javascript... I couldn't make it do much useful, as it seems there's some kind of limited JS environment that code executes in. The worst I could do was:
The "fs" object does not seem to exist there, but I don't know enough about node.js/V8 environment to see whether there's equivalent of jailbreaks.So, uh, don't compile arbitrary LESS files and send users their output, and LESS files someone sends you or checks into a project can kill your processes (at least).
[+] [-] jbert|12 years ago|reply
Then you can have rich features like includes without worrying about file-based info leak. (cpu-timing attacks are perhaps another kettle of fish).
[+] [-] chrismonsanto|12 years ago|reply
I prefer this style of a setup to coupling them together a-la Harp. If the webserver doesn't work out, I can swap it out. Same with the build system. Tying them together makes me antsy. And for good reason I think: since 2004, we have switched from Apache -> Lighttpd -> Nginx, and have switched from custom shell scripts -> Make -> Tup (with some fabricate.py, and with calls out to other build systems like Leiningen)
[0] http://gittup.org/tup/
[1] http://mitmproxy.org/
[+] [-] makmanalp|12 years ago|reply
"In a typical build system, the dependency arrows go down. Although this is the way they would naturally go due to gravity, it is unfortunately also where the enemy's gate is. ... In tup, the arrows go up. This is obviously true because it rhymes."
"<diagram of tup vs make> See the difference? The arrows go up."
http://gittup.org/tup/tup_vs_mordor.html
[+] [-] mratzloff|12 years ago|reply
[+] [-] sintaxi|12 years ago|reply
Yes, the lazy compile (JIT) or "build on request" as you put it plays a huge factor when it comes to performance. Because it doesn't rebuild the world each time there is a change it is able to expend the cpu cycles when it matters most.
Under the hood we have the HTTP and the precompiling system decoupled. The precompiling is done with a library called Terraform which acts as a uniform source agnostic compiler. Harp wraps this with a HTTP layer and and SSG layer. See https://github.com/sintaxi/terraform
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] dkoch|12 years ago|reply
Let the code breath a little -- no whitespace around control structures is a bit jarring:
Instead: Maybe adopt this Node style guide: http://nodeguide.com/style.html[+] [-] sintaxi|12 years ago|reply
[+] [-] aaronem|12 years ago|reply
A strong statement whose motivation escapes me; it's not as though you can't trivially get the source of the extension in your REPL of choice.
[+] [-] stdbrouw|12 years ago|reply
[+] [-] subpixel|12 years ago|reply
[+] [-] anko|12 years ago|reply
[+] [-] aaronem|12 years ago|reply
[+] [-] phamilton|12 years ago|reply
[+] [-] sintaxi|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] tsenkov|12 years ago|reply
[+] [-] sintaxi|12 years ago|reply
The simple fact is a static web site on its own is not good enough but its 95% there. Using a full-stack framework is overkill, and needing an Static Site Generator just seems counter productive when considering simplicity is one of the biggest upsides to shipping static assets.
There is no good reason for static web servers to do a little extra for you like smarter redirects, clean urls, layouts/partials. This makes sense to me considering the direction we are headed.
[+] [-] lobster_johnson|12 years ago|reply
[+] [-] elyase|12 years ago|reply
[+] [-] nikolaplejic|12 years ago|reply
[+] [-] bobfunk|12 years ago|reply
[+] [-] edude03|12 years ago|reply
Right now I'm using grunt to precompile my app to plan old HTML / JS /CSS but there are modules for node that can also compile and cache for me, Either way, I don't have to mess with something that works (NGINX)
[+] [-] sintaxi|12 years ago|reply
Regenerating all the assets every time there is a change just feels sloppy to me. Also, I think it is asking a lot from novice developers to setup these configuration files and the knowledge one needs to have to do it effectively is a needless burden on someone who specializes on front-end development.
No disrespect to NGINX. Its too busy powering the internet to be concerned with these problems :)
[+] [-] heme|12 years ago|reply
Less/Sass seems easy, but I'd like to see more regarding JS build/min/concatenation scripts in Harp. Or is this not its goal?
[+] [-] salehenrahman|12 years ago|reply
For now, I use Wintersmith. It supports Jade and Markdown out of the box, and you can extend it by writing plugins.
I wrote one to help me "load" dependencies, without having to use <script> tags. I use Devon Govett's importer[1] for that.
[1] https://github.com/devongovett/importer
[+] [-] rcsorensen|12 years ago|reply
The most horrible thing about trying to build out Node.js applications these days is wishing for the Rails asset pipeline.
http://harpjs.com/docs/environment/lib looks like it should make it very possible to tie this up next to rendr and get the best of all worlds.
[+] [-] quarterto|12 years ago|reply
[+] [-] AhtiK|12 years ago|reply
[+] [-] sintaxi|12 years ago|reply
We use Harp to power our development platform that has Dropbox integration. It is currently in public Beta and I'll definitely be talking about it in the future.
There is no mention of it in my article because we didn't want our business to get in the way of the open source initiative. We believe in Tim O'Reilly's guidance "Create More Value Than You Capture".
[+] [-] ecopoesis|12 years ago|reply
[+] [-] patrickaljord|12 years ago|reply
[+] [-] udfalkso|12 years ago|reply
[+] [-] sintaxi|12 years ago|reply
http://spec.harp.io/
I think the big challenge will be with the languages themselves. LESS, Stylus, CoffeeScript, and Jade are all implemented in JavaScript. Finding C implementations would be tough. Though SASS has a C implementation.
[+] [-] adduc|12 years ago|reply
[1]: https://github.com/chaoslawful/lua-nginx-module
[+] [-] rschmitty|12 years ago|reply
[+] [-] jorgepedret|12 years ago|reply
[+] [-] calgaryeng|12 years ago|reply
[+] [-] laktek|12 years ago|reply
Actually, this is where I tried to go with Punch(http://laktek.github.com/punch) too. Vast majority of the content in web can essentially be static, it's just the minor inconveniences of plugging data sources, updating and managing them is what should be addressed.
[+] [-] jdkanani|12 years ago|reply
[+] [-] pyotrgalois|12 years ago|reply
[+] [-] balupton|12 years ago|reply
I find it hard to understand why one would use this over DocPad... Can someone fill me in, I'm curious to know what the interest is about in case I'm missing something!