setcap (trying to use port 443) not appearing to work with Crossbar.io


Dave Barndt

Dec 17, 2014, 11:36:00 AM12/17/14
to autob...@googlegroups.com
Hi,

I've got a Crossbar.io app that runs fine when listening on a non-privileged port; I'm now trying to get Crossbar.io to listen on the privileged secure HTTP port 443.

All I did was:
- Change the port in the transports/web/endpoint/port to 443 in config.json.
- Did a setcap for the crossbar app according to the instructions at:
https://github.com/crossbario/crossbar/wiki/Running-on-privileged-ports
I'm running under CPython, so no PyPy (at least for now). Here's the output, running simply under my non-privileged user on Debian:

$ which crossbar
/usr/local/bin/crossbar
$ getcap `which crossbar`
/usr/local/bin/crossbar = cap_net_bind_service+ep
$ crossbar start
2014-12-17 11:28:16-0500 [Controller   7282] Log opened.
2014-12-17 11:28:16-0500 [Controller   7282] ============================== Crossbar.io ==============================
2014-12-17 11:28:16-0500 [Controller   7282] Crossbar.io 0.9.12 starting
2014-12-17 11:28:16-0500 [Controller   7282] Running on CPython using EPollReactor reactor
2014-12-17 11:28:16-0500 [Controller   7282] Starting from node directory xxx/.crossbar
2014-12-17 11:28:16-0500 [Controller   7282] Starting from local configuration 'xxx/.crossbar/config.json'
2014-12-17 11:28:16-0500 [Controller   7282] Warning, could not set process title (setproctitle not installed)
2014-12-17 11:28:16-0500 [Controller   7282] Warning: process utilities not available
2014-12-17 11:28:16-0500 [Controller   7282] No WAMPlets detected in enviroment.
2014-12-17 11:28:16-0500 [Controller   7282] Starting Router with ID 'worker1' ..
2014-12-17 11:28:16-0500 [Controller   7282] Entering reactor event loop ...
2014-12-17 11:28:17-0500 [Router       7285] Log opened.
2014-12-17 11:28:17-0500 [Router       7285] Warning: could not set worker process title (setproctitle not installed)
2014-12-17 11:28:17-0500 [Router       7285] Running under CPython using EPollReactor reactor
2014-12-17 11:28:17-0500 [Router       7285] Entering event loop ..
2014-12-17 11:28:17-0500 [Router       7285] Warning: process utilities not available
2014-12-17 11:28:17-0500 [Controller   7282] Router with ID 'worker1' and PID 7285 started
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': PYTHONPATH extended
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': realm 'realm1' started
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': role 'role1' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': role 'role2' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': role 'role3' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': role 'role4' started on realm 'realm1'
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': component 'component1' started
2014-12-17 11:28:17-0500 [Controller   7282] Router 'worker1': component 'component2' started
2014-12-17 11:28:17-0500 [Router       7285] enabling WebSocket compression (permessage-deflate)
2014-12-17 11:28:17-0500 [Router       7285] Using default cipher list.
2014-12-17 11:28:17-0500 [Router       7285] Ok, OpenSSL Diffie-Hellman ciphers parameter file loaded.
2014-12-17 11:28:17-0500 [Router       7285] Warning: OpenSSL failed to set ECDH default curve ['module' object has no attribute 'get_elliptic_curve']
2014-12-17 11:28:17-0500 [Router       7285] ERROR: cannot listen on transport endpoint (Couldn't listen on any:443: [Errno 13] Permission denied.)
2014-12-17 11:28:17-0500 [Controller   7282] Traceback (most recent call last):
2014-12-17 11:28:17-0500 [Controller   7282]   File "/usr/local/lib/python2.7/dist-packages/crossbar/controller/node.py", line 190, in run_node_config
2014-12-17 11:28:17-0500 [Controller   7282]     yield self._run_node_config(config)
2014-12-17 11:28:17-0500 [Controller   7282] ApplicationError: ApplicationError('crossbar.error.cannot_listen', args = (u"ERROR: cannot listen on transport endpoint (Couldn't listen on any:443: [Errno 13] Permission denied.)",), kwargs = {})
2014-12-17 11:28:17-0500 [Controller   7282] Main loop terminated.

I've seen other recommendations to do port forwarding, which I may do if I can't get this to work. Any ideas?

Thanks for any help!

Dave

Tobias Oberstein

Dec 17, 2014, 12:21:48 PM12/17/14
to autob...@googlegroups.com
On 17.12.2014 17:36, Dave Barndt wrote:
> Hi,
>
> I've got a Crossbar.io app that runs fine when listening on a
> non-privileged port; I'm now trying to get Crossbar.io to listen on the
> privileged secure HTTP port 443.
>
> All I did was:
> - Change the port in the transports/web/endpoint/port to 443 in config.json.
> - Did a setcap for the crossbar app according to the instructions at:
> https://github.com/crossbario/crossbar/wiki/Running-on-privileged-ports
>
> I'm running under CPython, so no PyPy (at least for now). Here's the
> output, running simply under my non-privileged user on debian:
>
> $ which crossbar
> /usr/local/bin/crossbar
> $ getcap `which crossbar`
> /usr/local/bin/crossbar = cap_net_bind_service+ep
> $ crossbar start

Did you set the caps on both the "crossbar" _and_ Python executables?


Dave Barndt

Dec 17, 2014, 2:50:34 PM12/17/14
to autob...@googlegroups.com
Ah, there was the confusion. The example on the site mentioned PyPy and so I had thought there was something unique to PyPy (as opposed to CPython) so I thought only PyPy needed to be setcap'd as well. My bad!

So, thanks, that got me past the port issue... unfortunately now I've discovered I can't alter the PYTHONPATH or LD_LIBRARY_PATH env variables in the shell script in which the setcap'd Crossbar/Python executable runs.

     http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path

(This is only for running non-production, since for production all shared objects will be in /usr/local -type areas.)

Nevertheless, I'm seriously considering the alternative approach of port forwarding 443 to a non-priv port - seems like less hassle and less playing with system privs, since this is the only app wanting to run on secure HTTP/WS port 443. Although I'm all ears if anyone knows any pitfalls to this approach...

Thanks,
Dave
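Both points raised so far, Tobias's question whether the capability is on the Python executable as well as on the `crossbar` launcher, and the LD_LIBRARY_PATH breakage Dave then ran into, come from the same two Linux rules, and the script below makes them visible. It is an added example, not code from the thread or from the Crossbar.io project; the launcher path in the usage line is an assumption. It resolves the interpreter a `#!` script hands off to, reports the file capabilities on script and interpreter, and flags the secure-execution mode that the loader enters for any capability-bearing executable.

```shell
#!/bin/sh
# Added example, not code from the thread or the Crossbar.io project: check
# whether a launcher script such as /usr/local/bin/crossbar will really get
# CAP_NET_BIND_SERVICE, and flag the side effect that broke LD_LIBRARY_PATH.
#
# Two Linux facts the thread turns on:
#   * a "#!" script is executed by its interpreter, so the kernel applies the
#     file capabilities of the interpreter binary, not of the script; the
#     capability must be on the Python executable the shebang names;
#   * an executable carrying file capabilities is started in secure-execution
#     mode (AT_SECURE), in which ld.so ignores LD_LIBRARY_PATH and restricts
#     LD_PRELOAD to trusted directories.
# The launcher path in the usage line is an assumption for the demo.

# shebang_interpreter FILE: print the interpreter a "#!" script hands control
# to, resolving "#!/usr/bin/env NAME" through PATH. Prints nothing and
# returns 1 when FILE is not a script.
shebang_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    first=${first#"#!"}
    set -- $first                   # split "interpreter [arg]" on whitespace
    if [ "$(basename "$1")" = env ]; then
        command -v "$2" || return 1
    else
        printf '%s\n' "$1"
    fi
}

# file_caps FILE: print the capability string getcap reports for FILE, in
# either the old "FILE = caps" or the newer "FILE caps" layout; empty when
# there are none or getcap is not installed.
file_caps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap "$1" 2>/dev/null | sed 's/^[^ ]* *=* *//'
}

# has_bind_cap FILE: succeed when FILE carries cap_net_bind_service.
has_bind_cap() {
    file_caps "$1" | grep -q cap_net_bind_service
}

# secure_exec FILE: succeed when executing FILE triggers secure-execution
# mode (file capabilities or a setuid/setgid bit), i.e. the loader will drop
# LD_LIBRARY_PATH from the environment.
secure_exec() {
    [ -n "$(file_caps "$1")" ] && return 0
    [ -u "$1" ] || [ -g "$1" ]
}

# check_launcher FILE: report what the kernel will do for FILE.
check_launcher() {
    launcher=$1
    interp=$(shebang_interpreter "$launcher")
    if [ -z "$interp" ]; then
        printf '%s is a binary; file caps on it apply directly\n' "$launcher"
        interp=$launcher
    else
        printf '%s is a script; the kernel executes %s\n' "$launcher" "$interp"
        printf '  caps set on the script itself are ignored (found: "%s")\n' \
            "$(file_caps "$launcher")"
    fi
    if has_bind_cap "$interp"; then
        printf '  %s has cap_net_bind_service: port 443 can be bound\n' "$interp"
        printf '  note: every program run through this interpreter now has it too\n'
    else
        printf '  %s lacks cap_net_bind_service: bind on 443 -> EACCES\n' "$interp"
    fi
    if secure_exec "$interp"; then
        printf '  secure-execution mode: LD_LIBRARY_PATH is ignored by ld.so\n'
    fi
}

# usage: sh cap_check.sh /usr/local/bin/crossbar   (path is an assumption)
if [ $# -gt 0 ]; then check_launcher "$1"; fi
```

The "every program run through this interpreter" line is the trade-off of the setcap route: the capability is granted to the `python` binary, not to Crossbar.io, so any script that interpreter runs can bind ports below 1024. A reverse proxy or a forwarder in front of an unprivileged listener avoids both that and the secure-execution restriction.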

Tobias Oberstein

Dec 18, 2014, 1:06:17 AM12/18/14
to autob...@googlegroups.com
On 17.12.2014 20:50, Dave Barndt wrote:
> Ah, there was the confusion. The example on the site mentioned PyPy and
> so I had thought there was something unique to PyPy (as opposed to
> CPython) so I thought only PyPy needed to be setcap'd as well. My bad!
>
> So, thanks, that got me past the port issue... unfortunately now I've
> discovered I can't alter the PYTHONPATH or LD_LIBRARY_PATH env variables
> in the shell script in which the setcap'd Crossbar/Python executable runs.
>
> http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path

Yes, this is braindead, but Linux specific. There are other ways to
approach the issue (port <1024 daemons) on Linux ..

>
> (This is only for running non-production, since for production all
> shared objects will be in /usr/local -type areas.)
>
> Nevertheless, I'm seriously considering the alternative approach of port
> forwarding 443 to a non-priv port - seems like less hassle and less
> playing with system privs, since this is the only app wanting to run on
> secure HTTP/WS port 443. Although I'm all ears if anyone knows any
> pitfalls to this approach...

Putting a WebSocket/HTTP proxy in front to terminate TLS and/or serve
static Web content is a valid option. Use a capable one, like Nginx (not
Apache or crap).

/Tobias
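The proxy option Tobias recommends, written out as an added example (not from the thread or from the Crossbar.io or Nginx projects): a shell script that generates an Nginx configuration terminating TLS on 443 and proxying HTTP and WebSocket traffic to a Crossbar.io router bound to an unprivileged loopback port, plus a check that an existing config carries the two settings a WebSocket proxy cannot do without. The server name, certificate paths and backend port are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from the Crossbar.io or Nginx
# projects: generate an Nginx configuration that terminates TLS on 443 and
# proxies HTTP and WebSocket traffic to a Crossbar.io router listening on an
# unprivileged loopback port, and check an existing config for the usual
# WebSocket proxying mistake. Nginx binds 443 as root and drops to its worker
# user, so the Python process needs no capability and keeps normal
# LD_LIBRARY_PATH/PYTHONPATH handling. The server name, certificate paths
# and backend port are placeholders, not values from the thread.

# ws_proxy_conf SERVER_NAME BACKEND_PORT CERT KEY: print a complete nginx.conf
ws_proxy_conf() {
    name=$1; port=$2; cert=$3; key=$4
    cat <<EOF
events {}

http {
    server {
        listen 443 ssl;
        server_name $name;

        ssl_certificate     $cert;
        ssl_certificate_key $key;
        # the TLSv1.3 token needs nginx 1.13+; drop it on older builds
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Crossbar.io listens in the clear on loopback only
            proxy_pass http://127.0.0.1:$port;

            # WebSocket upgrade is hop-by-hop: it must be re-sent upstream
            # over HTTP/1.1, or the handshake fails and clients see 400/502
            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";

            # preserve host and client address so the backend logs clients,
            # not 127.0.0.1
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # WebSocket sessions are long-lived; the default 60s read timeout
            # would cut idle connections
            proxy_read_timeout 3600s;
        }
    }
}
EOF
}

# write_conf OUT SERVER_NAME BACKEND_PORT CERT KEY: write the config to OUT
write_conf() {
    out=$1; shift
    ws_proxy_conf "$@" > "$out"
}

# check_ws_headers CONF: succeed when CONF carries both settings a WebSocket
# proxy needs (HTTP/1.1 upstream and the Upgrade header), fail otherwise
check_ws_headers() {
    grep -q 'proxy_http_version *1\.1' "$1" &&
    grep -q 'proxy_set_header *Upgrade *\$http_upgrade' "$1"
}

# usage (placeholders): sh ws_proxy.sh /etc/nginx/nginx.conf
if [ $# -gt 0 ]; then
    write_conf "$1" wamp.example.test 8080 /etc/ssl/certs/wamp.pem /etc/ssl/private/wamp.key
    check_ws_headers "$1" && echo "WebSocket proxy settings present in $1"
fi
```

With this layout the router no longer needs `setcap`, the TLS private key is readable only by the proxy, and the `X-Forwarded-For` header keeps real client addresses available to the backend, which a plain port forwarder cannot provide.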

Dave Barndt

Dec 21, 2014, 10:54:33 PM12/21/14
to autob...@googlegroups.com
Hi Tobias,

Just FYI - I wound up using the Linux socat utility to forward port 443 traffic to port 8443. Worked the very first time!

     # socat tcp-listen:443,fork,reuseaddr tcp:localhost:8443

Dave
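The socat forwarder above as a supervised script with pre-flight checks, an added example that is not Dave's script and not part of Crossbar.io. The 443 to 8443 mapping follows the thread; the public bind address and the constructed `ss` sample used for testing are assumptions. The header comment lists the pitfalls Dave asked about, which are what the checks and the loopback-only backend address are there for.

```shell
#!/bin/sh
# Added example, not Dave's script and not part of Crossbar.io: run the socat
# forwarder from the thread (443 -> 8443) with pre-flight checks. Ports follow
# the thread; the public bind address and the `ss` sample in the test are
# assumptions. Pitfalls of this approach, since the thread asks:
#   * the router only ever sees 127.0.0.1 as peer, so its logs and any
#     per-client limits can no longer tell clients apart;
#   * socat keeps running as root (it needs that for 443), unlike a proxy
#     that drops privileges after binding;
#   * TLS is still terminated by Crossbar.io on 8443; socat copies bytes only,
#     so the 8443 listener should stay bound to loopback.

# listener_for PORT: read `ss -ltn` output on stdin and print the local
# address of each listening socket on PORT (empty when none).
listener_for() {
    awk -v port="$1" '{
        n = split($4, a, ":")   # "Local Address:Port"; IPv6 adds more colons
        if (n > 1 && a[n] == port) print $4
    }'
}

# preflight LISTEN_PORT BACKEND_PORT SS_OUTPUT: fail unless the public port is
# free and the backend is already listening. Fails closed when SS_OUTPUT is
# empty (e.g. ss missing), so the forwarder is never started blind.
preflight() {
    listen_port=$1; backend_port=$2; ss_out=$3
    if [ -n "$(printf '%s\n' "$ss_out" | listener_for "$listen_port")" ]; then
        echo "port $listen_port is already in use" >&2
        return 1
    fi
    if [ -z "$(printf '%s\n' "$ss_out" | listener_for "$backend_port")" ]; then
        echo "no backend listening on $backend_port" >&2
        return 1
    fi
}

# run_forwarder [LISTEN_PORT] [BACKEND_PORT]: check, then exec socat as a
# foreground process (suitable for a service manager). Needs root for 443.
run_forwarder() {
    listen_port=${1:-443}; backend_port=${2:-8443}
    command -v socat >/dev/null 2>&1 || { echo "socat not installed" >&2; return 1; }
    live=$(ss -ltn 2>/dev/null) || live=""
    preflight "$listen_port" "$backend_port" "$live" || return 1
    # fork: one child per client; reuseaddr: restart without waiting out
    # TIME_WAIT; bind= names the public interface; the backend stays loopback
    exec socat "tcp-listen:$listen_port,bind=0.0.0.0,reuseaddr,fork" \
               "tcp:127.0.0.1:$backend_port"
}

# usage: sudo sh forward443.sh run 443 8443
if [ "${1:-}" = run ]; then run_forwarder "$2" "$3"; fi
```

Because socat forwards raw TCP, the TLS configuration, cipher list and certificate handling remain Crossbar.io's, exactly as in Dave's log; only the privileged bind moves to socat.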