How can we run Kurento on port 80 instead of 8888?


ma...@mobilea.nl

Jan 26, 2016, 6:21:05 AM
to kurento
Hi,
To be able to use the Kurento Media Server on mostly all networks it would be better to serve the Kurento Media Server on port 80 instead of port 8888.
In the kurento.conf.json I changed the port to 80, but then Kurento fails to start. I am sure port 80 isn't in use.

How to run Kurento on port 80? Maybe set a proxy in front with Nginx or so? Any suggestions on getting port 80 up and running?

Regards,

Mark

Ivan Gracia

unread,
Jan 26, 2016, 6:24:51 AM1/26/16
to Kurento Public

Only processes owned by root can bind to ports < 1024. Just make the user root run KMS, and you should be fine. It’s in /etc/defaults/kurento


Ivan Gracia




ma...@mobilea.nl

Jan 26, 2016, 6:31:52 AM
to kurento
I am aware that only the root user can open ports below 1024.
I also saw the user located in the file you mention, but when I change that one to root it also means that kurento will be running as root all the time.
I would prefer that Kurento uses the root rights on start to open port 80 and then use the kurento user to run the application. Just like Apache, Nginx and other tools do. Now there is a security risk when someone compromises Kurento and somehow executes shell commands (as root!)

Any plans of changing this?

Mark

Ivan Gracia

Jan 26, 2016, 9:45:08 AM
to Kurento Public
Proxying via nginx or similar would be the way to go, if you don't want KMS to run under root.

May I ask why you are interested in running on port 80 instead of 8888? There's no difference in security, and I assume that the application servers that control the KMS will be located in your server network, so there should be no access to the WS port from clients. Except, of course, if you are developing a browser-based app that does connect directly with KMS, or want to offer KMS as a service.

Ivan Gracia




ma...@mobilea.nl

Jan 26, 2016, 10:39:52 AM
to kurento
Ivan,

We are developing a browser/Android/iOS application and most of our development is running from the cloud. Also to test if all goes well when deploying the application we need to test with a server in the cloud. So that is why we have KMS on a server online. I want to run it on port 80 so the firewall lets us go through. I also have signed all paperwork for the closed beta of your elasticRTC solution. Until then we will be developing on our own server deployed to the cloud.

Regards,

Mark

Ivan Gracia

Jan 26, 2016, 1:27:24 PM
to Kurento Public
The question is if your apps connect directly to your media server, or if the signalling goes through a different server. I can't imagine a commercial app not going through an app server somewhere, at least for registering, accountability or whatever. In that case, I would recommend closing the media server to the outer world and allowing only your app server to connect to the WS port in your KMS, as there is no authentication or authorization mechanism. 

The most typical and safe deployment is allowing only UDP connections to the media server, so there can be media flowing, and having only well-known and controlled hosts consuming the WS port.

Ivan Gracia
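
The deployment suggested in this thread (nginx in front so KMS does not have to run as root, and the WebSocket port reachable only from known hosts), as an added example that is not part of the original posts or of the Kurento project. It assumes nginx and KMS share a host, KMS keeps port 8888 with the WebSocket path /kurento, nginx workers run as www-data, and 203.0.113.10 stands in for the app server's address.

```nginx
# Added example. The nginx master process binds port 80 as root, then
# hands connections to workers running as an unprivileged user.
# KMS keeps running as its own non-root user on port 8888.
user www-data;            # assumption: Debian/Ubuntu worker account
worker_processes auto;

events {}

http {
    # Forward the WebSocket upgrade only when the client asks for one.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 80;
        server_name _;

        # Assumption: KMS WebSocket endpoint is /kurento on 127.0.0.1:8888.
        location /kurento {
            # The KMS WS port has no authentication or authorization,
            # so only the app server may reach it (placeholder address).
            allow 203.0.113.10;
            deny  all;

            proxy_pass         http://127.0.0.1:8888;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;
            proxy_set_header   Host       $host;

            # Control sessions are long-lived; do not cut idle sockets early.
            proxy_read_timeout 3600s;
        }

        # Nothing else is served from this host.
        location / {
            return 404;
        }
    }
}
```

The allow list only helps if port 8888 itself is blocked from outside by the host firewall; otherwise clients can bypass the proxy and reach KMS directly.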

