/ 
Mojolicious-9.42
River stage four • 1019 direct dependents • 1130 total dependents
⭐ Starred 2674 GitHub stars
/ Mojo::Server::Daemon
Security Advisories (2)
CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

NAME

Mojo::Server::Daemon - Non-blocking I/O HTTP and WebSocket server

SYNOPSIS

use Mojo::Server::Daemon;

my $daemon = Mojo::Server::Daemon->new(listen => ['http://*:8080']);
$daemon->unsubscribe('request')->on(request => sub ($daemon, $tx) {

  # Request
  my $method = $tx->req->method;
  my $path   = $tx->req->url->path;

  # Response
  $tx->res->code(200);
  $tx->res->headers->content_type('text/plain');
  $tx->res->body("$method request for $path!");

  # Resume transaction
  $tx->resume;
});
$daemon->run;

DESCRIPTION

Mojo::Server::Daemon is a full featured, highly portable non-blocking I/O HTTP and WebSocket server, with IPv6, TLS, SNI, Comet (long polling), keep-alive and multiple event loop support.

For better scalability (epoll, kqueue) and to provide non-blocking name resolution, SOCKS5 as well as TLS support, the optional modules EV (4.32+), Net::DNS::Native (0.15+), IO::Socket::Socks (0.64+) and IO::Socket::SSL (2.009+) will be used automatically if possible. Individual features can also be disabled with the MOJO_NO_NNR, MOJO_NO_SOCKS and MOJO_NO_TLS environment variables.

See "DEPLOYMENT" in Mojolicious::Guides::Cookbook for more.

SIGNALS

The Mojo::Server::Daemon process can be controlled at runtime with the following signals.

INT, TERM

Shut down server immediately.

EVENTS

Mojo::Server::Daemon inherits all events from Mojo::Server.

ATTRIBUTES

Mojo::Server::Daemon inherits all attributes from Mojo::Server and implements the following new ones.

acceptors

my $acceptors = $daemon->acceptors;
$daemon       = $daemon->acceptors(['6be0c140ef00a389c5d039536b56d139']);

Active acceptor ids.

# Check port
mu $port = $daemon->ioloop->acceptor($daemon->acceptors->[0])->port;

backlog

my $backlog = $daemon->backlog;
$daemon     = $daemon->backlog(128);

Listen backlog size, defaults to SOMAXCONN.

inactivity_timeout

my $timeout = $daemon->inactivity_timeout;
$daemon     = $daemon->inactivity_timeout(5);

Maximum amount of time in seconds a connection with an active request can be inactive before getting closed, defaults to the value of the MOJO_INACTIVITY_TIMEOUT environment variable or 30. Setting the value to 0 will allow connections to be inactive indefinitely.

ioloop

my $loop = $daemon->ioloop;
$daemon  = $daemon->ioloop(Mojo::IOLoop->new);

Event loop object to use for I/O operations, defaults to the global Mojo::IOLoop singleton.

keep_alive_timeout

my $timeout = $daemon->keep_alive_timeout;
$daemon     = $daemon->keep_alive_timeout(10);

Maximum amount of time in seconds a connection without an active request can be inactive before getting closed, defaults to the value of the MOJO_KEEP_ALIVE_TIMEOUT environment variable or 5. Setting the value to 0 will allow connections to be inactive indefinitely.

listen

my $listen = $daemon->listen;
$daemon    = $daemon->listen(['https://127.0.0.1:8080']);

Array reference with one or more locations to listen on, defaults to the value of the MOJO_LISTEN environment variable or http://*:3000 (shortcut for http://0.0.0.0:3000).

# Listen on all IPv4 interfaces
$daemon->listen(['http://*:3000']);

# Listen on all IPv4 and IPv6 interfaces
$daemon->listen(['http://[::]:3000']);

# Listen on IPv6 interface
$daemon->listen(['http://[::1]:4000']);

# Listen on IPv4 and IPv6 interfaces
$daemon->listen(['http://127.0.0.1:3000', 'http://[::1]:3000']);

# Listen on UNIX domain socket "/tmp/myapp.sock" (percent encoded slash)
$daemon->listen(['http+unix://%2Ftmp%2Fmyapp.sock']);

# File descriptor, as used by systemd
$daemon->listen(['http://127.0.0.1?fd=3']);

# Allow multiple servers to use the same port (SO_REUSEPORT)
$daemon->listen(['http://*:8080?reuse=1']);

# Listen on two ports with HTTP and HTTPS at the same time
$daemon->listen(['http://*:3000', 'https://*:4000']);

# Use a custom certificate and key
$daemon->listen(['https://*:3000?cert=/x/server.crt&key=/y/server.key']);

# Domain specific certificates and keys (SNI)
$daemon->listen(
  ['https://*:3000?example.com_cert=/x/my.crt&example.com_key=/y/my.key']);

# Or even a custom certificate authority
$daemon->listen(
  ['https://*:3000?cert=/x/server.crt&key=/y/server.key&ca=/z/ca.crt']);

These parameters are currently available:

ca
ca=/etc/tls/ca.crt

Path to TLS certificate authority file used to verify the peer certificate.

cert
cert=/etc/tls/server.crt
mojolicious.org_cert=/etc/tls/mojo.crt

Path to the TLS cert file, defaults to a built-in test certificate.

ciphers
ciphers=AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

TLS cipher specification string. For more information about the format see https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-STRINGS.

fd
fd=3

File descriptor with an already prepared listen socket.

key
key=/etc/tls/server.key
mojolicious.org_key=/etc/tls/mojo.key

Path to the TLS key file, defaults to a built-in test key.

reuse
reuse=1

Allow multiple servers to use the same port with the SO_REUSEPORT socket option.

single_accept
single_accept=1

Only accept one connection at a time.

verify
verify=0x00

TLS verification mode.

version
version=TLSv1_2

TLS protocol version.

max_clients

my $max = $daemon->max_clients;
$daemon = $daemon->max_clients(100);

Maximum number of accepted connections this server is allowed to handle concurrently, before stopping to accept new incoming connections, passed along to "max_connections" in Mojo::IOLoop.

max_requests

my $max = $daemon->max_requests;
$daemon = $daemon->max_requests(250);

Maximum number of keep-alive requests per connection, defaults to 100.

silent

my $bool = $daemon->silent;
$daemon  = $daemon->silent($bool);

Disable console messages.

METHODS

Mojo::Server::Daemon inherits all methods from Mojo::Server and implements the following new ones.

ports

my $ports = $daemon->ports;

Get all ports this server is currently listening on.

# All ports
say for @{$daemon->ports};

run

$daemon->run;

Run server and wait for "SIGNALS".

start

$daemon = $daemon->start;

Start or resume accepting connections through "ioloop".

# Listen on random port
my $port = $daemon->listen(['http://127.0.0.1'])->start->ports->[0];

# Run multiple web servers concurrently
my $daemon1 = Mojo::Server::Daemon->new(listen => ['http://*:3000'])->start;
my $daemon2 = Mojo::Server::Daemon->new(listen => ['http://*:4000'])->start;
Mojo::IOLoop->start unless Mojo::IOLoop->is_running;

stop

$daemon = $daemon->stop;

Stop accepting connections through "ioloop".

DEBUGGING

You can set the MOJO_SERVER_DEBUG environment variable to get some advanced diagnostics information printed to STDERR.

MOJO_SERVER_DEBUG=1

SEE ALSO

Mojolicious, Mojolicious::Guides, https://mojolicious.org.