[racket] Running a webserver on port 80

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Fri Dec 9 21:09:11 EST 2011

Jay McCarthy wrote at 12/09/2011 08:38 PM:
> On Fri, Dec 9, 2011 at 5:36 PM, Jordan Schatz <jordan at noionlabs.com 
> <mailto:jordan at noionlabs.com>> wrote:
>
>     What is considered the best way to run a web server as non-root and
>     accept connections on port 80?
>
[...]
>
> I don't like to start it as root at all. I prefer to start a high port 
> and install a firewall redirect as you mention.

What Jay said.  In general, you really don't want to be starting Racket 
processes as "root".  One reason: although Racket-based servers are 
typically more secure than servers implemented in C/C++, the C/C++ 
servers aren't potentially downloading and executing arbitrary code from 
PLaneT at process startup, like Racket apps typically do.  If PLaneT is 
compromised or impersonated, or someone just uploads a package with a 
nasty bug, not running as "root" might reduce damage.[*]

One alternative to redirecting port at the OS level: some people use 
another process as an HTTP front-end, on port 80 (or 443), proxying to 
the Racket server process (on an unprivileged port, and not 
started/running as "root").  This front-end process could be Apache 
(perhaps doing additional things, like authentication), or a 
load-balancer, or a firewall.  The other process might even be on 
another machine, perhaps gatewaying to a private network, or directing 
to compartmentalized VMs.

[*] Yes, I think this PLaneT trust problem should be addressed, before 
there's an incident.  Someone could get an MS or PhD out of the solution.

-- 
http://www.neilvandyke.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.racket-lang.org/users/archive/attachments/20111209/bb37c12f/attachment.html>

Posted on the users mailing list.