Net::HTTPServer provides a lite HTTP server. It can serve files, or can be configured to call Perl functions when a URL is accessed.


Net::HTTPServer basically turns a CGI script into a stand alone server. Useful for temporary services, mobile/local servers, or embedding an HTTP server into another program.


    use Net::HTTPServer;

    my $server = new Net::HTTPServer(port=>5000,


    $server->Process();  # Run forever


        $server->Process(5);  # Run for 5 seconds
        # Do something else...




Given a config hash, return a server object that you can start, process, and stop. The config hash takes the options:

    chroot => 0|1       - Run the server behind a virtual chroot().
                          Since only root can actually call chroot,
                          a URL munger is provided that will not
                          allow URLs to go beyond the document root
                          if this is specified.
                          ( Default: 1 )

    datadir => string   - Path on the filesystem where you want to
                          store the server side session files.
                          ( Deault: "/tmp/nethttpserver.sessions" )

    docroot => string   - Path on the filesystem that you want to be
                          the document root "/" for the server.  If
                          set to undef, then the server will not serve
                          any files off the local filesystem, but will
                          still serve callbacks.
                          ( Default: undef )

    index => list       - Specify a list of file names to use as the
                          the index file when a directory is requested.
                          ( Default: ["index.html","index.htm"] )

    log => string       - Path to store the log at.  If you set this to
                          "STDOUT" then it will display to STDOUT.
                          ( Default: access.log )

    mimetypes => string - Path to an alternate mime.types file.
                          ( Default: included in release )

    numproc => int      - When type is set to "forking", this tells the
                          server how many child processes to keep
                          running at all times.
                          ( Default: 5 )

    oldrequests => 0|1  - With the new request objects, old programs
                          will not work.  To postpone updating your
                          code, just set this to 1 and your programs
                          should work again.
                          ( Default: 0 )
    port => int         - Port number to use.  You can optionally
                          specify the string "scan", and the server
                          will loop through ports until it finds one
                          it can listen on.  This port is then returned
                          by the Start() method.
                          ( Default: 9000 )

    sessions => 0|1     - Enable/disable server side session support.
                          ( Default: 0 )
    ssl => 0|1          - Run a secure server using SSL.  You must
                          specify ssl_key, ssl_cert, and ssl_ca if
                          set this to 1.
                          ( Default: 0 )

    ssl_ca => string    - Path to the SSL ca file.
                          ( Default: undef )

    ssl_cert => string  - Path to the SSL cert file.
                          ( Default: undef )

    ssl_key => string   - Path to the SSL key file.
                          ( Default: undef )

    type => string      - What kind of server to create?  Available
                          types are:
                            single  - single process/no forking
                            forking - preforking server
                          (Default: "single")


Adds one or more tokens onto the Server header line that the server sends back in a response. The list is seperated by a ; to distinguish the various tokens from each other.


This would result in the following header being sent in a response:

HTTP/1.1 200 Server: Net::HTTPServer/0.9 test/1.3 Content-Type: text/html ...


Listens for incoming requests and responds back to them. This function will block, unless a timeout is specified, then it will block for that number of seconds before returning. Useful for embedding this into other programs and still letting the other program get some CPU time.


Protect the URL using the Authentication method provided. The supported methods are: "Basic" and "Digest".

When a URL with a path component that matchs the specified URL is requested the server requests that the client perform the specified of authentication for the given realm. When the URL is accessed the second time, the client provides the authentication pieces and the server parses the pieces and using the return value from the specified function answers the request. The function is called with the username and the URL they are trying to access. It is required that the function return a two item list with a return code and the users's password.

The valid return codes are:

  200   The user exists and is allowed to access
        this URL.  Return the password.
        return( "200", password )

  401   The user does not exist.  Obviously you
        do not have to return a password in this
        return( "401" )

  403   The user is forbidden to access this URL.
        (You must still return the password because
        if the user did not auth, then we do not want
        to tip off the bad people that this username
        is valid.)
        return( "403", password )

The reasoning for having the function return the password is that Digest authentication is just complicated enough that asking you to write part of logic would be considered rude. By just having you give the server the password we can keep the whole Auth interface simple.

Here is an example:


  sub testBasic
      my $url = shift;
      my $user = shift;

      my $password = &lookupPassword($user);
      return("401","") unless defined($password);
      if (($url eq "/foo/") && ($user eq "dr_evil"))
          return ("403",$password);

      return ("200",$password);

  sub lookupPassword
      my $user = shift;

      my %passwd;
      $passwd{larry}   = "wall";
      $passwd{dr_evil} = "1million";

      return unless exists($passwd{$user});
      return $passwd{$user};

Start a server with that, and the following RegisterURL example, and point your browser to:


You should be prompted for a userid and password, entering "larry" and "wall" will allow you to see the page. Entering "dr_evil" and "1million" should result in getting a Forbidden page (and likely needing to restart your browser). Entering any other userid or password should result in you being asked again.

If you have a handler for both RegisterURL and RegisterAuth, then your function for RegisterURL can find the identify of the user in the $env->{'REMOTE_USER'} hash entry. This is similar to CGI scripts.

You can have multiple handlers for different URLs. If you do this, then the longest complete URL handler will be called. For example, if you have handlers for /foo/ and /foo, and a URL of /foo/ is called, then the handler /foo/ is called to authorize this request, but if a URL of /foo/bar.html is called, then the handler /foo is called.

Only complete directories are matched, so if you had a handler for /foo/bar, then it would not be called for either /foo/ or /foo/bar.html.


Register the function with the provided regular expression. When a URL that matches that regular expression is requested, the function is called and passed the environment (GET+POST) so that it can do something meaningfiul with them. For more information on how the function is called and should be used see the section on RegisterURL below.


This will match any URL that ends in ".news" and call the &news function. The URL that the user request can be retrieved via the Request object ($reg->Path()).

RegisterRegex(hash ref)

Instead of calling RegisterRegex a bunch of times, you can just pass it a hash ref containing Regex/callback pairs.

                           ".*.news$" => \&news,
                           ".*.foo$" => \&foo,


Register the function with the provided URL. When that URL is requested, the function is called and passed in the environment (GET+POST) so that it can do something meaningful with them. A simple handler looks like:


  sub test
      my $req = shift;             # Net::HTTPServer::Request object
      my $res = $req->Response();  # Net::HTTPServer::Response object

      $res->Print("  <head>\n");
      $res->Print("    <title>This is a test</title>\n");
      $res->Print("  </head>\n");
      $res->Print("  <body>\n");
      $res->Print("    <pre>\n");

      foreach my $var (keys(%{$req->Env()}))
          $res->Print("$var -> ".$req->Env($var)."\n");
      $res->Print("    </pre>\n");
      $res->Print("  </body>\n");

      return $res;

Start a server with that and point your browser to:


You should see a page titled "This is a test" with this body:

  test -> bing
  test2 -> bong

RegisterURL(hash ref)

Instead of calling RegisterURL a bunch of times, you can just pass it a hash ref containing URL/callback pairs.

                         "/foo/" => \&test1,
                         "/foo/" => \&test2,

See RegisterURL() above for more information on how callbacks work.


Starts the server based on the config options passed to new(). Returns the port number the server is listening on, or undef if the server was unable to start.


Shuts down the socket connection and cleans up after itself.


Net::HTTPServer provides support for server-side sessions much like PHP's session model. A handler that you register can ask that the request object start a new session. It will check a cookie value to see if an existing session exists, if not it will create a new one with a unique key.

You can store any arbitrary Perl data structures in the session. The next time the user accesses your handler, you can restore those values and have them available again. When you are done, simple destroy the session.


Net::HTTPServer sets a few headers automatically. Due to the timing of events, you cannot get to those headers programatically, so we will discuss them general.

Obviously for file serving, errors, and authentication it sends back all of the appropriate headers. You likely do not need to worry about those cases. In RegisterURL mode though, here are the headers that are added:

   Accept-Ranges: none                    (not supported)
   Content-Length: <length of response>
   Connection: close                      (not supported)
   Content-Type: text/html                (unless you set it)
   Date: <current time>
   Server: <version of Net::HTTPServer
            plus what you add using the
            AddServerTokens method>

If you have any other questions about what is being sent, try using DEBUG (later section).


When you are writing your application you might see behavior that is unexpected. I've found it useful to check some debugging statements that I have in the module to see what it is doing. If you want to turn debugging on simply provide the debug => [ zones ] option when creating the server. You can optionally specify a file to write the log into instead of STDOUT by specifying the debuglog => file option.

I've coded the modules debugging using the concept of zones. Each zone (or task) has it's own debug messages and you can enable/disable them as you want to. Here are the list of available zones:

  INIT - Initializing the sever
  PROC - Processing a request
  REQ  - Parsing requests
  RESP - Returning the response (file contents are not printed)
  AUTH - Handling and authentication request
  FILE - Handling a file system request.
  READ - Low-level read
  SEND - Low-level send (even prints binary characters)
  ALL  - Turn all of the above on.

So as an example:

  my $server = new Net::HTTPServer(..., debug=>["REQ","RESP"],...);

That would show all requests and responses.


Ryan Eatmon


Copyright (c) 2003-2005 Ryan Eatmon <>. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.