Linode Forum
https://forum.linode.com/

Binding to port 80 on an account without sudo rights
https://forum.linode.com/viewtopic.php?f=19&t=8534

Author:  tommedema [ Tue Mar 06, 2012 1:36 pm ]
Post subject:  Binding to port 80 on an account without sudo rights

Hi folks,

I'm using Node.js as my webserver.

I'd like to launch my application from a user account that has not been added to the sudoers file. As such, I need to bind to port 80 without becoming root.

The best method I've heard of so far is to create an iptables rule that forwards all traffic from port 80 to port 8080 (or whatever port), and then actually bind to that port instead of 80.

Has anyone done this on a Linode? What iptables command did you use, and how did you save this configuration (I had trouble doing this)?

Finally, do you think this may reduce performance in some way, or do you know of a better way to bind to port 80?

Any feedback is highly appreciated.

Author:  Guspaz [ Tue Mar 06, 2012 1:41 pm ]
Post subject: 

The correct approach is to run it as root and have the web server drop down to an unprivileged user once it binds the port. That's what everything else like Apache or nginx does. It's possible to do it with node.js too, although in this case you're actually implementing the behaviour:

http://onteria.wordpress.com/2011/05/31 ... n-node-js/
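
The bind-then-drop approach described in the post above, written out for Node.js as an added example (it is not part of the thread or of the linked article). The environment variable names `RUN_AS_USER` and `RUN_AS_GROUP` and the function names are assumptions made for illustration.

```javascript
// Added example: bind the privileged port as root, then permanently drop to
// an unprivileged account before any request is handled.
// RUN_AS_USER / RUN_AS_GROUP are assumed environment variable names.

// Drop root in the only safe order. `proc` defaults to Node's `process` and
// is a parameter so the sequence can be exercised without being root.
function dropPrivileges(user, group, proc = process) {
  if (proc.getuid() !== 0) return false;   // not root: nothing to drop
  proc.initgroups(user, group);            // replace root's supplementary groups
  proc.setgid(group);                      // group first: this still needs root
  proc.setuid(user);                       // uid last: after this we are not root
  // Verify the drop is irreversible. A process that can get uid 0 back
  // has not really dropped anything.
  let regained = false;
  try { proc.setuid(0); regained = true; } catch (e) { /* expected: EPERM */ }
  if (regained || proc.getuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop failed, refusing to serve');
  }
  return true;
}

function start(port, user, group) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    res.end('serving as uid ' + process.getuid() + '\n');
  });
  server.listen(port, () => {
    // The socket is bound at this point; request handlers only run after
    // this callback returns, so no request is ever served as root.
    try {
      dropPrivileges(user, group);
    } catch (err) {
      console.error(err.message);
      process.exit(1);
    }
  });
  return server;
}

// Only starts when a target account is configured, e.g. launched by root
// with RUN_AS_USER set to the service account.
if (process.env.RUN_AS_USER) {
  start(80, process.env.RUN_AS_USER,
        process.env.RUN_AS_GROUP || process.env.RUN_AS_USER);
}
```

Setting the uid before the gid, or skipping `initgroups`, leaves the process with root's group memberships, which is why the order above matters.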

Author:  tommedema [ Tue Mar 06, 2012 1:46 pm ]
Post subject: 

I used to do that, but why would that be better? I would prefer to run the application without having any kind of admin rights.

Author:  obs [ Tue Mar 06, 2012 2:00 pm ]
Post subject: 

I tend to pop nginx in front and have that proxy back to node on a high port, it allows nginx to serve static files, perform access logging etc etc and doesn't require node to run as root and drop its privileges.

Author:  vickd [ Tue Mar 06, 2012 2:22 pm ]
Post subject: 

Can't comment on its suitability, but to redirect port 80 to 8080 -

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Author:  tommedema [ Wed Mar 07, 2012 4:50 pm ]
Post subject: 

vickd wrote:
Can't comment on its suitability, but to redirect port 80 to 8080 -

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080


That is great, though I would like to hear from someone about its suitability. It seems great to me, as long as it doesn't degrade performance.

Do you happen to know how to properly save such new iptables configuration? I have seen numerous commands, such as "sudo service iptables save", but this gives an "iptables service does not exist".

Thanks a lot.

Author:  vickd [ Wed Mar 07, 2012 6:13 pm ]
Post subject: 

It depends on your distro. For Ubuntu I do it this way:

Save the rules by doing:
Code:
iptables-save >/etc/iptables.rules


Edit /etc/network/interfaces to include 'pre-up' commands to restore the rules before the interface is started.

Code:
# The primary network interface
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore </etc/iptables.rules
    pre-up ip6tables-restore </etc/iptables6.rules



ip6tables does the same job for IPv6. Use ip6tables-save to create that rule file.

Author:  Kint [ Wed Mar 07, 2012 7:47 pm ]
Post subject: 

obs wrote:
I tend to pop nginx in front and have that proxy back to node on a high port, it allows nginx to serve static files, perform access logging etc etc and doesn't require node to run as root and drop its privileges.


+1

Author:  tommedema [ Fri Mar 16, 2012 4:27 pm ]
Post subject: 

vickd wrote:
Can't comment on its suitability, but to redirect port 80 to 8080 -

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080


Do you know if it's possible to do this with UFW as well?

Author:  vickd [ Fri Mar 16, 2012 8:00 pm ]
Post subject: 

Looks very similar to iptables.

http://serverfault.com/questions/238563/can-i-use-ufw-to-setup-a-port-forward

Author:  jebblue [ Sat Mar 17, 2012 12:19 pm ]
Post subject: 

Kint wrote:
obs wrote:
I tend to pop nginx in front and have that proxy back to node on a high port, it allows nginx to serve static files, perform access logging etc etc and doesn't require node to run as root and drop its privileges.


+1


+1 I use Apache but same thing. ProxyPass and ProxyPassReverse.

Author:  James Bellinger [ Tue Jun 05, 2012 11:44 am ]
Post subject: 

There is a program called authbind that could be of some use to you.

All times are UTC-04:00