From: Matthew Seaman
To: freebsd-questions@freebsd.org
Date: Wed, 04 Jan 2012 11:42:29 +0000
Subject: Re: best way to bind webserver to port 80 without running as root
Message-ID: <4F043B25.3010206@infracaninophile.co.uk>
In-Reply-To: <1325671801.19145.YahooMailNeo@web113620.mail.gq1.yahoo.com>

On 04/01/2012 10:10, Dino Vliet wrote:
> suddenly I'm facing this quest on freebsd 8. I need to bind my little
> webserver running aolserver to port 80. In the past I was always
> using port 8080 and had my router configured to forward requests on
> port 80 to the server on port 8080. However, I am planning to host my
> little site on a virtual server with a hosting company and figured I
> can't use the workaround I always used. So my question is, how to
> bind aolserver to port 80 without running as root as I understood
> ports below 1024 can only be used by root. I found a sysctl
> net.inet.ip.portrange.reservedhigh which enables me to set it to 0.
> However, I don't know what the security ramifications are of using
> that. Are there any other options I could consider?

There are lots of ways to do this. The hard part is deciding which one
is most appropriate. Let's see...

 * Allow non-root to bind to port 80

   Yes, this does have security implications, but they may not be
   relevant in your situation. If you can guarantee that any non-root
   process on your system is as trustworthy as a root owned process then
   it should be OK. Meaning you don't have any other users and the
   system is secured against code injection attacks, etc. Probably the
   hardest to get right, and not really anything I'd recommend.

 * Use one of the built-in firewalls to do port redirection.

   Similarly to the way you were using your router previously. So, for
   example in pf(4) you could do something like this:

     rdr pass inet proto tcp from any to $ext_if port 80 -> 127.0.0.1 port 8080

   Arrange for your aolserver instance to bind to the loopback interface
   port 8080 and you're all set. You can use ipfw(8) to the same effect
   if preferred.

   Note: this probably won't work if your virtual server is a jail, as
   in that case (a) you won't have a loopback interface you can use like
   that and (b) firewall rules would have to be set up in the host
   environment, not the jail.

 * Use a proxy server bound to port 80, that internally redirects
   queries to your aolserver on port 8080.

   You can just do a direct proxy using eg. pound or apache or nginx or
   lighttpd so that every request is simply forwarded to the aolserver
   on port 80. Or you can get clever and

   -- serve static content (eg images, CSS etc.) by type directly from
      the proxy webserver. This relieves your heavyweight app-server
      from dealing with all the trivial stuff and is much more
      efficient.

   -- Use the reverse proxy for SSL offload, if you're using HTTPS.
      This can both simplify the configuration of your app server and
      provide a performance boost for some sites.

   -- Implement a reverse proxy /cache/. Instead of going back to the
      origin server and regenerating each page every time anyone asks
      for it, cache a copy of the response the last time that page was
      requested and reply with that. apache has a reasonably good proxy
      module, but consider also such packages as squid or varnish which
      are specifically written to do this. Done right, this can make a
      huge difference to webserver performance.

   Note: if you implement a reverse proxy cache, generally you don't
   need to also implement the dispatching requests by type thing as
   well. Static content should have a long TTL and be preferentially
   served out of the cache thus achieving the same effect
   automatically.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
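The pf(4) redirection option above, worked into a complete minimal ruleset. This is an added example, not Matthew's or Dino's configuration; it assumes the external interface is `em0` (a placeholder), that aolserver is bound to 127.0.0.1:8080, and that the box is a full host rather than a jail. The `pass` keyword on the `rdr` rule is what lets the redirected packets through: pf skips the filter rules for translated packets that carry it, so no separate `pass in` for port 8080 is needed, and because the app server listens only on loopback, port 8080 is unreachable from outside except via this redirect.

```pf
# Added example /etc/pf.conf (not from the original post).
# Assumptions: em0 is the external interface (placeholder), aolserver is
# listening on 127.0.0.1:8080, and this is not running inside a jail.
ext_if   = "em0"
app_port = "8080"

# Don't filter loopback at all; the redirected traffic lands there.
set skip on lo0

# Inbound TCP to port 80 on the external address is rewritten to the
# unprivileged app server on loopback.  "pass" lets the translated packets
# bypass the filter rules below.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    -> 127.0.0.1 port $app_port

# Default deny inbound on the external interface.  Port 8080 is never
# opened here: it is reachable only through the rdr above.
block in on $ext_if all
pass out on $ext_if all keep state

# Whatever else you actually need inbound, e.g. ssh for administration.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rule is active with `pfctl -s nat`. Because aolserver only ever sees connections from 127.0.0.1, its own access logs will show the loopback address rather than the real client; that is the one thing this approach loses compared with a reverse proxy that forwards the client address.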
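The reverse proxy option above, as an added example using nginx (not configuration from the original post, and not aolserver's own). It combines the three refinements Matthew lists: static content served by type from the proxy, TLS terminated at the proxy, and a small response cache. nginx's master process is what binds ports 80 and 443 as root; the worker processes that handle requests run as the unprivileged `user` below, so the app server never needs privilege. The hostname, certificate paths and document root are placeholders, and the app server is assumed to listen on 127.0.0.1:8080.

```nginx
# Added example nginx.conf (not from the original post).
# Assumptions (all placeholders): the app server listens on 127.0.0.1:8080,
# static files live under /usr/local/www/site/static, and the certificate
# and key paths below exist.
user  www;              # master binds 80/443 as root, workers drop to 'www'
worker_processes  2;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    upstream aolserver {
        server 127.0.0.1:8080;   # loopback only; never exposed directly
    }

    # Response cache for the "reverse proxy /cache/" variant.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=site:10m
                     max_size=200m inactive=1h;

    server {
        listen      80;
        server_name example.com;          # placeholder

        # Static content dispatched by type straight from disk, with a long
        # TTL, so the app server never sees these requests.
        location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ {
            root    /usr/local/www/site/static;
            expires 30d;
        }

        # Everything else goes to the app server.  Forward the client's
        # address and scheme so its logs and redirects stay correct.
        location / {
            proxy_pass         http://aolserver;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;

            proxy_cache        site;
            proxy_cache_valid  200 302 10m;
            proxy_cache_valid  404 1m;
            add_header         X-Cache $upstream_cache_status;
        }
    }

    # SSL offload: TLS terminates here and the app server only ever speaks
    # plain HTTP on loopback.
    server {
        listen      443 ssl;
        server_name example.com;          # placeholder
        ssl_certificate     /usr/local/etc/nginx/ssl/example.com.crt;  # placeholder
        ssl_certificate_key /usr/local/etc/nginx/ssl/example.com.key;  # placeholder

        location / {
            proxy_pass         http://aolserver;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto https;
        }
    }
}
```

Test the file with `nginx -t` before reloading. The `X-Cache` header shows `HIT` or `MISS` per response, which is the quickest way to confirm the cache is doing what you expect; and since the app server now trusts `X-Forwarded-For` from the proxy, make sure nothing but the proxy can reach port 8080, which binding it to loopback already guarantees.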