Using OpenBSD for example, we have a task to serve static html files, no php/cgi/etc.
Q: What would be more secure? Using a default apache/nginx -OR- using (KISS principle) a chrooted www server that is just one lines long? Example:
python -m SimpleHTTPServer
p.s.: anybody know a more secure solution then the python's one (or with ex: HTTPS support)?
All other things being equal, simplicity is good for security. But let's not reverse the paradigm. Software is secure because it is maintained. Complex software is harder to maintain, but, on the other hand, Apache and Nginx have a huge market share, are very active project, and thus benefit from about the best level of maintenance that can be hoped for. Python's SimpleHTTPServer cannot (yet) boast as much. Therefore, while SimpleHTTPServer is certainly easier to maintain for security issues, and has less room for nasty bugs, it is unclear whether it really is "more secure" than Apache and Nginx.
Another facet of the issue is system administration: even the most secure and maintained software can fail if the sysadmin does not do his job properly; and anything custom, not-mainstream, makes the sysadmin job harder. So using an alternate HTTP server is all fine and dandy as long as the sysadmin masters its fine configuration issues and details. Said otherwise, if the local sysadmin is a god of Apache, then let him use Apache; that's what will be most secure in practice.
http://unix4lyfe.org/darkhttpd/ (no HTTPS)
Also, custom compile of Nginx with no optional components, except for SSL, is also a very minimal server.
Python SimpleHTTPServer source code is not 1 line long, you simply call it with one line.
