Run Daphne as non-root on low ports


BR

May 2, 2019, 9:31:57 AM
to Django users
I'm running a simple Django/Channels website using Daphne. Traffic will be relatively low and will likely only see 1-2 clients at a time. I figured this would be a good use case for Daphne to serve both HTTPS and WebSockets.

Does Daphne have a mechanism for starting as root and dropping down to a non-root user after it is running? Root is required at startup because I want it to bind to port 80 or 443, and it needs to access the SSL certificate.

Aldian Fazrihady

May 2, 2019, 9:39:56 AM
to django...@googlegroups.com
Hi,

I usually have SSL termination on nginx, or CDN, or Load Balancer.
I never need to set SSL on Django or Daphne server. Probably you could try this architecture.

Regards, 

Aldian Fazrihady



Andrew Godwin

May 2, 2019, 9:49:41 AM
to django...@googlegroups.com
Daphne does not have uid-changing built in, no - it's too simplistic for that, unfortunately.

It's worth noting that systemd has this ability built in - it will listen on sockets for you and bind the socket to an application as needed. Otherwise, as the other poster noted, you can also use a reverse proxy to terminate SSL, which is what Daphne is built assuming (the SSL support in there is because it comes for free with Twisted, rather than being specifically added).

Andrew
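
The systemd socket hand-off mentioned in the reply above, seen from the receiving process's side. This is an added example, not part of the thread and not Daphne's code; the function name `adopt_systemd_sockets` and its `first_fd` parameter are assumptions made for illustration.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd hands over inherited sockets starting at fd 3


def adopt_systemd_sockets(environ=None, pid=None, first_fd=SD_LISTEN_FDS_START):
    """Adopt listening sockets passed via the LISTEN_PID / LISTEN_FDS variables.

    `first_fd` is an assumption added so the function can be exercised
    without systemd; under real socket activation it is always 3.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid

    # LISTEN_PID stops a child that merely inherited the environment from
    # treating unrelated descriptors as its own sockets.
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []

    adopted = []
    for fd in range(first_fd, first_fd + max(count, 0)):
        sock = socket.socket(fileno=fd)  # family and type are read from the fd
        listening = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)
        if sock.type != socket.SOCK_STREAM or not listening:
            sock.close()
            raise ValueError(f"fd {fd} is not a listening stream socket")
        adopted.append(sock)
    return adopted


if __name__ == "__main__":
    # Started by a socket unit, this process runs as an unprivileged user yet
    # serves a port that only root could have bound.
    for s in adopt_systemd_sockets():
        print("adopted", s.getsockname(), "euid", os.geteuid())
```

Because the privileged bind happens in systemd, the service itself never needs root or a uid-dropping step.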


BR

May 2, 2019, 9:58:39 AM
to Django users
Thanks for the feedback. I guess I was thinking that since Daphne is the "reference server" for ASGI, it would have features available for production-type use. I only came across WebSocket stuff yesterday so this is all quite new. I suppose my remaining issue is that SSL certificates seem to only (usually) be accessible by root, so in any situation it seems that Daphne can only terminate SSL when running as root, unless permissions on the private key are changed.

I'm looking into the nginx reverse proxy with SSL termination at the moment.

Andrew Godwin

May 2, 2019, 11:09:52 AM
to django...@googlegroups.com
In this case "reference server" merely refers to it being the place where new features and specs are implemented and tested first, rather than being the best production-capable one. I would say uvicorn is probably the best ASGI server out there right now for performance.

Andrew
