Running node on port 80?


Craig Coleman

Sep 27, 2014, 12:14:48 PM
to nod...@googlegroups.com
I'd like to try running nodejs on port 80 on a debian and gentoo server.
I've seen a lot of posts on how people do this, but I'd like to get some additional advice so I don't screw things up on our test servers.
I'm just getting started with node.
I have installed hapi.
Thanks, cwc

var Hapi = require('hapi');
var server = new Hapi.Server(80);

server.route({
    method: 'GET',
    path: '/',
    handler: function (request, reply) {
        reply('Hello, world!');
    }
});

server.route({
    method: 'GET',
    path: '/{name}',
    handler: function (request, reply) {
        reply('Hello, ' + encodeURIComponent(request.params.name) + '!');
    }
});

server.start(function () {
    console.log('Server running at:', server.info.uri);
});


Adam Reynolds

Sep 27, 2014, 5:12:41 PM
to nod...@googlegroups.com

I'd consider using iptables to forward port 80 traffic to your node instance.

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+un...@googlegroups.com.
To post to this group, send email to nod...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/feeda1ed-67bd-4259-8f9e-cf42e68e7876%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matt

Sep 27, 2014, 7:19:58 PM
to nod...@googlegroups.com
To run on port 80 you need to run as root, so it's best to drop privileges after setting up the listening port. You do this with process.setgid and process.setuid. See how Haraka does it here: https://github.com/baudehlo/Haraka/blob/master/server.js#L267

Though I highly recommend running a front end proxy like nginx instead. It's just easier and faster and gives you a bunch of easy to use features over making node the entire front end server.
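
Added example, not part of the thread and not Haraka's code: the bind-then-drop pattern described above with process.setgid and process.setuid, with the call order and a fail-closed check made explicit. The `nodeapp` account and the `serve` argument are assumptions for illustration.

```javascript
'use strict';
// Added example: bind a privileged port as root, then permanently drop to an
// unprivileged account. `proc` is injected (normally the global `process`) so
// the ordering logic can be exercised without root.

function dropPrivileges(proc, user, group) {
  if (typeof proc.getuid !== 'function' || proc.getuid() !== 0) {
    return false; // not root, or not a POSIX platform: nothing to drop
  }
  // Order matters: after setuid() succeeds the process may no longer change
  // its groups, so supplementary groups and the gid go first.
  proc.setgroups([group]); // discard root's supplementary groups
  proc.setgid(group);
  proc.setuid(user);

  // Fail closed if any root identity survived the drop.
  if (proc.getuid() === 0 || proc.geteuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop incomplete: still running with id 0');
  }
  // A correct drop cannot be undone; setuid(0) must now throw (EPERM).
  let regained = true;
  try { proc.setuid(0); } catch (err) { regained = false; }
  if (regained) throw new Error('privilege drop is reversible');
  return true;
}

// Usage (run as root: `node server.js serve`). 'nodeapp' is a hypothetical
// service account and group created for this purpose.
function main() {
  const http = require('http');
  const server = http.createServer((req, res) => res.end('Hello, world!\n'));
  server.listen(80, () => {
    // The socket is bound; request handling from here on runs unprivileged.
    const dropped = dropPrivileges(process, 'nodeapp', 'nodeapp');
    console.log('listening on :80, dropped root:', dropped, 'uid:', process.getuid());
  });
}

if (process.argv[2] === 'serve') main();
```

Files or sockets opened before the drop stay open with root's access, so open only the listening socket before calling it.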

Ian Lawrence

Sep 27, 2014, 7:19:59 PM
to nod...@googlegroups.com
Hi

I think port 80 means you need to run as root.
Why not just run on default 127.0.0.1:3000 and then install nginx as a reverse proxy? Put this 

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
    proxy_pass http://127.0.0.1:3000;
    proxy_redirect off;
}

into /etc/nginx/sites-enabled/default and restart nginx

Regards







--
Ian Lawrence
Tel: (+55 48) 84933198
E-mail: i...@codezon.com
Web: http://ianlawrence.info
Code: https://github.com/IanLawrence
Author, Professional Ubuntu Mobile Development (Wiley 2009)

Paul

Sep 27, 2014, 11:21:53 PM
to nod...@googlegroups.com
I'd recommend haproxy as a reverse proxy.
nginx should be fine, but personally I prefer haproxy, and it does a great job of proxying websockets too.

Andrew Kelley

Sep 28, 2014, 4:39:40 PM
to nod...@googlegroups.com

Leo Iannacone

Sep 28, 2014, 5:44:00 PM
to nod...@googlegroups.com
On 28 September 2014 22:39, Andrew Kelley <super...@gmail.com> wrote:
> use authbind: http://www.debian-administration.org/articles/386

One of my services uses "http-proxy", listening on port :80, which
forwards the requests to the other subdomains/nodejs-noroot-instances.

https://github.com/nodejitsu/node-http-proxy

Ben Noordhuis

Sep 29, 2014, 9:51:09 AM
to nod...@googlegroups.com
Consider assigning the CAP_NET_BIND_SERVICE capability to the node
binary. Run as root:

# setcap cap_net_bind_service=+ep "$(readlink -f "$(which node)")"

You can remove the capability again with -ep.

Alex

Sep 30, 2014, 3:47:48 AM
to nod...@googlegroups.com
This is largely a systems administration question.

Here's what we do:

1. Use iptables to do a nat REDIRECT from port 80 to 8000.

##########################################################
# NAT table -- used to step down privileged ports, SSL redirection, and a couple other things
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# HTTP rule
--append PREROUTING --protocol tcp --dport 80  --jump REDIRECT --to-ports 8000
COMMIT 

2. Run varnish or haproxy in a chroot jail, listening on port 8000. Varnish is not quite as fast as haproxy but it's still pretty fast, and you can set up caching with varnish too. Varnish can do load balancing ("directors") and is a little faster than nginx. I like VCL too (Varnish Configuration Language).

(Note: varnish's dlopen insists on running as root, even if you put it in chroot jail, but you can still lock things down inside the chroot jail.)

3. Run each webapp as non-root in a separate chroot jail. Bind your webapps to ports 8001, 8002, 8003, etc.

4. Block direct access to ports 8000-8999 in iptables, at least. (Of course, you should block access to any port that does not require public access.)

5. Set up init scripts in the root system to ensure varnish and other servers start when the server reboots.

You could investigate using LXC (Linux Containers) too. I think it's a little easier than configuring chroot jails. They just hit 1.0 recently.

The disadvantage of a nat rule is that you are now dependent on your firewall not just for security, but your websites all go down if you stop the firewall (e.g., when you are debugging network issues).

You can do HTTPS too. Create NAT rules from 443 to 8443, 8444, 8445 etc, routing each dedicated IP to a separate port, and set up virtual hosts in Apache or nginx that proxy to your webapps using port-based virtual host resolution.

Alex

henrique matias

Sep 30, 2014, 8:36:56 AM
to nod...@googlegroups.com
As people said, haproxy or nginx can solve loads of issues for you (and bring you new ones as well, haha).

In case you're considering using iptables, you might want to know about UFW.







--
time isn't passing, it's you passing.

❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ 
❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ ❂ ❁ 