[racket] Running a webserver on port 80
I've decided to use iptables, and just not worry about IPv6 until
iptables fully supports it (I think that is actually coming pretty soon).
Perhaps a note about using iptables would be a good addition to:
http://docs.racket-lang.org/web-server-internal/Troubleshooting_and_Tips.html
or
http://docs.racket-lang.org/web-server/faq.html
?
-Jordan
On Fri, Dec 09, 2011 at 09:09:11PM -0500, Neil Van Dyke wrote:
> Jay McCarthy wrote at 12/09/2011 08:38 PM:
> >On Fri, Dec 9, 2011 at 5:36 PM, Jordan Schatz
> ><jordan at noionlabs.com> wrote:
> >
> > What is considered the best way to run a web server as non-root and
> > accept connections on port 80?
> >
> [...]
> >
> >I don't like to start it as root at all. I prefer to start a high
> >port and install a firewall redirect as you mention.
>
> What Jay said. In general, you really don't want to be starting
> Racket processes as "root". One reason: although Racket-based
> servers are typically more secure than servers implemented in C/C++,
> the C/C++ servers aren't potentially downloading and executing
> arbitrary code from PLaneT at process startup, like Racket apps
> typically do. If PLaneT is compromised or impersonated, or someone
> just uploads a package with a nasty bug, not running as "root" might
> reduce damage.[*]
>
> One alternative to redirecting port at the OS level: some people use
> another process as an HTTP front-end, on port 80 (or 443), proxying
> to the Racket server process (on an unprivileged port, and not
> started/running as "root"). This front-end process could be Apache
> (perhaps doing additional things, like authentication), or a
> load-balancer, or a firewall. The other process might even be on
> another machine, perhaps gatewaying to a private network, or
> directing to compartmentalized VMs.
>
> [*] Yes, I think this PLaneT trust problem should be addressed,
> before there's an incident. Someone could get an MS or PhD out of
> the solution.
>
> --
> http://www.neilvandyke.org/
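
Added example, not part of the original thread or of the Racket documentation: a small shell function that generates the firewall redirect discussed above as an iptables-restore fragment, so the Racket server can bind a high port as a non-root user. The backend port 8080 and the interface name eth0 are assumed values; the function only prints rules and changes nothing itself.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: backend port 8080,
# interface eth0. Rules are IPv4 only (iptables), as in Jordan's message.

# redirect_rules PUBLIC_PORT BACKEND_PORT IFACE
# Prints a nat-table fragment for iptables-restore; changes nothing itself.
redirect_rules() {
    public=$1 backend=$2 iface=$3
    for p in "$public" "$backend"; do
        case $p in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 2 ;;
        esac
    done
    if [ "$public" -lt 1 ] || [ "$public" -gt 65535 ]; then
        echo "public port out of range" >&2; return 2
    fi
    # The server must bind an unprivileged port, or it would need root again.
    if [ "$backend" -lt 1024 ] || [ "$backend" -gt 65535 ]; then
        echo "backend port must be 1024-65535" >&2; return 2
    fi
    # Keep the interface name to safe characters so it cannot inject rules.
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    # PREROUTING handles traffic arriving on the interface; OUTPUT handles
    # connections made from this host to its own port, which skip PREROUTING.
    cat <<EOF
*nat
-A PREROUTING -i $iface -p tcp --dport $public -j REDIRECT --to-ports $backend
-A OUTPUT -o lo -p tcp --dport $public -j REDIRECT --to-ports $backend
COMMIT
EOF
}

# Run as: sh redirect.sh 80 8080 eth0 | iptables-restore --noflush
if [ "$#" -eq 3 ]; then
    redirect_rules "$@"
fi
```

The redirect does not hide the backend port: the server is still reachable directly on 8080 unless other rules restrict it. Only iptables-restore needs root here; the Racket process is started separately under an unprivileged account.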