[racket] Running a webserver on port 80

From: Jordan Schatz (jordan at noionlabs.com)
Date: Fri Dec 9 22:36:10 EST 2011

I've decided to use iptables, and just not worry about IPv6 until
iptables fully supports it (I think that is actually coming pretty soon).

Perhaps a note about using iptables would be a good addition to:



On Fri, Dec 09, 2011 at 09:09:11PM -0500, Neil Van Dyke wrote:
> Jay McCarthy wrote at 12/09/2011 08:38 PM:
> >On Fri, Dec 9, 2011 at 5:36 PM, Jordan Schatz
> ><jordan at noionlabs.com <mailto:jordan at noionlabs.com>> wrote:
> >
> >    What is considered the best way to run a web server as non-root and
> >    accept connections on port 80?
> >
> [...]
> >
> >I don't like to start it as root at all. I prefer to start a high
> >port and install a firewall redirect as you mention.
> What Jay said.  In general, you really don't want to be starting
> Racket processes as "root".  One reason: although Racket-based
> servers are typically more secure than servers implemented in C/C++,
> the C/C++ servers aren't potentially downloading and executing
> arbitrary code from PLaneT at process startup, like Racket apps
> typically do.  If PLaneT is compromised or impersonated, or someone
> just uploads a package with a nasty bug, not running as "root" might
> reduce damage.[*]
> One alternative to redirecting port at the OS level: some people use
> another process as an HTTP front-end, on port 80 (or 443), proxying
> to the Racket server process (on an unprivileged port, and not
> started/running as "root").  This front-end process could be Apache
> (perhaps doing additional things, like authentication), or a
> load-balancer, or a firewall.  The other process might even be on
> another machine, perhaps gatewaying to a private network, or
> directing to compartmentalized VMs.
> [*] Yes, I think this PLaneT trust problem should be addressed,
> before there's an incident.  Someone could get an MS or PhD out of
> the solution.
> -- 
> http://www.neilvandyke.org/

Posted on the users mailing list.