I'm running a node.js server, that will serve requests on port 80 amongst others. Clearly this requires the application running as root (on Linux).
Looking at this post (http://syskall.com/dont-run-node-dot-js-as-root) as an example it's clear that there are simple ways to allow node to be run as a non-root user, but I'm wondering if anyone has views on the advantages/disadvantages of the different methods suggested:
code: use setuid() to drop down from root to non-priviledged user after listening on port 80 is established.
using a proxy server of some sort to redirect requests to a port >1024 (and so not need node to run as root)
using IP tables to forward to another port (ditto node would not run as root)
Thanks
Option 1 requires you launch the node server as root. Not ideal.
Option 2 adds overhead to every handled request and adds another failure point to your stack.
Option 3 Is the simplest and most efficient method.
To implement Option 3, add the following to your system init scripts. (/etc/rc.d/rc.local on RedHat based systems like AWS).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
That will redirect requests from port 80 to port 3000.
(I haven't got enough reputation to add a comment the the one of Matt Browne, so I write this as an answer. Feel free to edit.)
There is a simpler method to load iptables rules automatically after a reboot than the one described in the link of Matt Browne: One can install iptables-persistent from the repositories using apt-get:
apt-get install iptables-persistent
Rules still need to be saved manually like this:
IPv4:
iptables-save > /etc/iptables/rules.v4
IPv6:
iptables-save > /etc/iptables/rules.v6
(Source: http://www.thomas-krenn.com/de/wiki/Iptables_Firewall_Regeln_dauerhaft_speichern (german))
I love the simplicity of this workaround:
sudo setcap 'cap_net_bind_service=+ep' `which node`
It also works for programs other than nodejs btw.
Basically as 2nd parameter you type the path to the program executable (like /usr/bin/nodejs on Ubuntu), in the above case which node should provide it dynamically, thus making this work independently from Linux distro.
Beware though that when you upgrade nodejs or the executable gets overwritten for some other reason you would have to execute that same command again.
Sources:
- How to: Allow Node to bind to port 80 without sudo,
- Is there a way for non-root processes to bind to "privileged" ports on Linux?
