Date:      Wed, 04 Jan 2012 11:42:29 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: best way to bind webserver to port 80 without running as root
Message-ID:  <4F043B25.3010206@infracaninophile.co.uk>
In-Reply-To: <1325671801.19145.YahooMailNeo@web113620.mail.gq1.yahoo.com>
References:  <1325671801.19145.YahooMailNeo@web113620.mail.gq1.yahoo.com>


On 04/01/2012 10:10, Dino Vliet wrote:
> suddenly I'm facing this quest on freebsd 8. I need to bind my little
> webserver running aolserver to port 80. In the past I was always
> using port 8080 and had my router configured to forward requests on
> port 80 to the server on port 8080. However, I am planning to host my
> little site on a virtual server with a hosting company and figured I
> can't use the workaround I always used. So my question is, how to
> bind aolserver to port 80 without running as root as I understood
> ports below 1024 can only be used by root. I found a sysctl
> net.inet.ip.portrange.reservedhigh which enables me to set it to 0.
> However, I don't know what the security ramifications are of using
> that. Are there any other options I could consider?

There are lots of ways to do this.  The hard part is deciding which one
is most appropriate.  Let's see...

    * Allow non-root to bind to port 80

      Yes, this does have security implications, but they may not be
      relevant in your situation.  If you can guarantee that any
      non-root process on your system is as trustworthy as a root owned
      process then it should be OK.  Meaning you don't have any other
      users and the system is secured against code injection attacks,
      etc.

      Probably the hardest to get right, and not really anything I'd
      recommend.

    * Use one of the built-in firewalls to do port redirection.

      Similarly to the way you were using your router previously.
      So, for example in pf(4) you could do something like this:

        rdr pass inet proto tcp from any to $ext_if port 80
               -> 127.0.0.1 port 8080

      Arrange for your aolserver instance to bind to the loopback
      interface port 8080 and you're all set.  You can use ipfw(8)
      to the same effect if preferred.  Note: this probably won't
      work if your virtual server is a jail, as in that case (a) you
      won't have a loopback interface you can use like that and (b)
      firewall rules would have to be set up in the host environment,
      not the jail.

    * Use a proxy server bound to port 80, that internally redirects
      queries to your aolserver on port 8080.  You can just do a direct
      proxy using e.g. pound or apache or nginx or lighttpd so that
      every request is simply forwarded to the aolserver on port 80.
      Or you can get clever and

          -- serve static content (e.g. images, CSS etc.) by type directly
             from the proxy webserver.  This relieves your heavyweight
             app-server from dealing with all the trivial stuff and is
             much more efficient.

          -- Use the reverse proxy for SSL offload, if you're using
             HTTPS.  This can both simplify the configuration of your
             app server and provide a performance boost for some sites.

          -- Implement a reverse proxy /cache/.  Instead of going back
             to the origin server and regenerating each page every time
             anyone asks for it, cache a copy of the response the last
             time that page was requested and reply with that.  apache
             has a reasonably good proxy module, but consider also such
             packages as squid or varnish which are specifically
             written to do this.  Done right, this can make a huge
             difference to webserver performance.

Note: if you implement a reverse proxy cache, generally you don't need
to also implement the dispatching requests by type thing as well.
Static content should have a long TTL and be preferentially served out
of the cache thus achieving the same effect automatically.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
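The reverse-proxy option from the message above, worked out as an added example that is not part of Matthew's reply or the thread: an nginx front end that binds ports 80 and 443 itself (the master process binds as root and hands the sockets to unprivileged workers), serves static files by type, terminates HTTPS and caches app-server responses, while the app server stays on 127.0.0.1:8080 as a non-root user. The hostname, document root, certificate paths and cache directory are assumed values.

```nginx
# Added example (not from the original message). nginx in front of an
# app server bound to 127.0.0.1:8080, e.g. the aolserver in the thread.
user www;              # FreeBSD's nginx package runs workers as "www"
worker_processes 2;

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Reverse-proxy cache on disk: 100 MB, entries unused for a day expire.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=appcache:10m
                     max_size=100m inactive=1d;       # assumed path

    upstream app {
        server 127.0.0.1:8080;   # app server bound to loopback only
    }

    server {
        listen 80;
        listen 443 ssl;                    # SSL offload happens here
        server_name example.org;           # assumed hostname
        root /usr/local/www/site;          # assumed static docroot

        ssl_certificate     /usr/local/etc/nginx/site.crt;   # assumed
        ssl_certificate_key /usr/local/etc/nginx/site.key;   # assumed

        # Static content served by type straight from the proxy, with a
        # long TTL so downstream caches keep it.
        location ~* \.(css|js|png|jpe?g|gif|ico)$ {
            expires 30d;
            try_files $uri =404;
        }

        # Everything else is forwarded to the app server over plain HTTP;
        # 200 responses are cached for 10 minutes.
        location / {
            proxy_pass         http://app;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_cache        appcache;
            proxy_cache_valid  200 10m;
        }
    }
}
```

Check the file with `nginx -t` before reloading; if the cache is in use, the static-by-type location is optional, as the message notes.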





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F043B25.3010206>