I've decided to use iptables, and just not worry about IPv6 until iptables fully supports it (I think that is actually coming pretty soon).
Perhaps a note about using iptables would be a good addition to:
http://docs.racket-lang.org/web-server-internal/Troubleshooting_and_Tips.html
or http://docs.racket-lang.org/web-server/faq.html ?

-Jordan

On Fri, Dec 09, 2011 at 09:09:11PM -0500, Neil Van Dyke wrote:
> Jay McCarthy wrote at 12/09/2011 08:38 PM:
> >On Fri, Dec 9, 2011 at 5:36 PM, Jordan Schatz
> ><jor...@noionlabs.com> wrote:
> >
> > > What is considered the best way to run a web server as non-root and
> > > accept connections on port 80?
> >
> > > [...]
> >
> >I don't like to start it as root at all. I prefer to start on a high
> >port and install a firewall redirect as you mention.
>
> What Jay said. In general, you really don't want to be starting
> Racket processes as "root". One reason: although Racket-based
> servers are typically more secure than servers implemented in C/C++,
> the C/C++ servers aren't potentially downloading and executing
> arbitrary code from PLaneT at process startup, like Racket apps
> typically do. If PLaneT is compromised or impersonated, or someone
> just uploads a package with a nasty bug, not running as "root" might
> reduce damage.[*]
>
> One alternative to redirecting port at the OS level: some people use
> another process as an HTTP front-end, on port 80 (or 443), proxying
> to the Racket server process (on an unprivileged port, and not
> started/running as "root"). This front-end process could be Apache
> (perhaps doing additional things, like authentication), or a
> load-balancer, or a firewall. The other process might even be on
> another machine, perhaps gatewaying to a private network, or
> directing to compartmentalized VMs.
>
> [*] Yes, I think this PLaneT trust problem should be addressed,
> before there's an incident. Someone could get an MS or PhD out of
> the solution.
>
> --
> http://www.neilvandyke.org/

_________________________________________________
For list-related administrative tasks:
http://lists.racket-lang.org/listinfo/users
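The OS-level port redirect that Jay and Jordan refer to, written out as an added example (this is not code from the thread or from the Racket project). It assumes a Linux host with iptables, and that the Racket server runs as an unprivileged user listening on 8080 (HTTP) and 8443 (HTTPS); those port numbers are assumptions. Both a PREROUTING rule (for packets arriving from the network) and an OUTPUT rule on loopback (for local clients such as curl http://localhost/) are needed, because PREROUTING never sees locally generated packets. The ip6tables branch assumes a kernel with IPv6 NAT support, which is the part Jordan is deferring.

```shell
#!/bin/sh
# Added example: redirect privileged ports 80/443 to unprivileged 8080/8443
# so the web server never needs to start as root. Assumed ports, assumed
# Linux/iptables host; ip6tables rules need a kernel with IPv6 NAT.
set -eu

# Print the two nat rules for one port pair: PREROUTING covers traffic from
# the network, OUTPUT on lo covers connections made from the host itself.
redirect_rules() {
    tool=$1; from=$2; to=$3
    printf '%s -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$tool" "$from" "$to"
    printf '%s -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$tool" "$from" "$to"
}

# The nat rewrite happens before the filter table, so INPUT sees the high
# port: that is the port the filter rule must accept, not 80/443.
accept_rule() {
    tool=$1; to=$2
    printf '%s -A INPUT -p tcp --dport %s -j ACCEPT\n' "$tool" "$to"
}

# Full rule set for each tool given ("iptables", optionally "ip6tables").
all_rules() {
    for tool in "$@"; do
        redirect_rules "$tool" 80 8080
        redirect_rules "$tool" 443 8443
        accept_rule "$tool" 8080
        accept_rule "$tool" 8443
    done
}

case "${1:-print}" in
    print)
        # Dry run: show what would be executed.
        all_rules iptables ;;
    apply)
        # Run as root: `sh redirect.sh apply` or `sh redirect.sh apply iptables ip6tables`.
        shift
        [ $# -gt 0 ] || set -- iptables
        all_rules "$@" | while read -r cmd; do $cmd; done ;;
    check)
        # Confirm the rules are installed and that port 80 reaches the server.
        iptables -t nat -S PREROUTING
        curl -sS -o /dev/null -w '%{http_code}\n' http://127.0.0.1/ ;;
esac
```

One caveat worth knowing before relying on the INPUT rule as access control: after the REDIRECT, a connection that arrived on port 80 and one that was made directly to 8080 look identical to the filter table, so this setup does not hide the high port; it only avoids the need for root. Rules added with `-A` are also not persistent across reboots unless saved with the distribution's iptables-save mechanism.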