[Openvds-devel] The port 80 problem

From: Simon Garner
Subject: [Openvds-devel] The port 80 problem
Date: Fri, 14 Dec 2001 18:06:02 +1300

Hi,

I've decided that binding Apache to port 8080 and using iptables to forward
port 80, to enable Apache to be started as non-root, is not at all
satisfactory, for the following reasons:

1) Apache insists on using port 8080 when generating self-referencing URLs
(even with UseCanonicalName off). This has the following effects:

   a) Typing directory names without the trailing slash redirects the user
   to domain.dom:8080. I have a client who has an admin page for their site in
   a directory called /maintain which is protected with HTTP basic
   authentication. If they type the URL http://www.foobar.dom/maintain in their
   browser, they are prompted for the password, then redirected to
   http://www.foobar.dom:8080/maintain/ and prompted for the password again,
   which is somewhat irritating.

   b) Some third-party PHP and CGI scripts generate self-referencing URLs
   based on the SERVER_NAME and SERVER_PORT environment variables, which again
   gives domain.dom:8080.

   These can be worked around, e.g. by telling users to type the trailing
   slash in the first place, but I'm not happy selling a product with quirks
   like this.

2) There's the possibility the Port 8080 setting in httpd.conf may confuse
some users. They may try to "fix" it by changing the setting to Port 80,
thus breaking their server.

3) The port forwarding only works for traffic originating from other hosts,
not the host server or virtual servers on that host server (as discussed
previously). Some users may wish to access their site using e.g. lynx or
wget while ssh'd into their virtual server, and find it does not work. This
will require explaining to users the workings of the port 8080 forwarding
and asking them to connect to their site on port 8080. I imagine this will
appear as a bit of a "kludge" to them, and reduce their confidence in the
service.

The solution? Well, Idaya's process capabilities patch for Apache sounds
great (although who knows if they'll share it with us?), but that is not
available yet and I need to resolve this issue now.

I noticed that included with freeVSD is a patch for linux-2.2.19 which
changes the port binding restrictions in the linux kernel, to enable any
user to bind to ports 80 and 443.

I've modified this patch to make it work with linux-2.4.16. You can find the
new patch file here if interested:

http://www.expio.co.nz/~sgarner/freevsd/linux-2.4.16-vsd.patch.txt

Regards,

Simon Garner
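
Points 1a and 1b of the message above, as an added example that is not part of the original post: a script that builds its own URL from SERVER_NAME and SERVER_PORT leaks the bind port, and because a browser scopes cached Basic credentials by scheme, host and port, the redirect target counts as a new scope and prompts again. The function names and the configured public origin are assumptions for illustration; the environment values are constructed from the hostnames in the message.

```python
# Added example, not from the original post. Function names are hypothetical
# and the environment below is constructed from the hostnames in the message.
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# What a CGI/PHP script sees when Apache binds 8080 behind a port-80 forward.
CGI_ENV = {"SERVER_NAME": "www.foobar.dom", "SERVER_PORT": "8080"}

def url_from_bind_port(environ, path):
    """Behaviour in 1b: trust SERVER_PORT, i.e. the socket Apache bound to."""
    host, port = environ["SERVER_NAME"], int(environ["SERVER_PORT"])
    netloc = host if port == DEFAULT_PORT["http"] else f"{host}:{port}"
    return f"http://{netloc}{path}"

def url_from_public_origin(public_origin, path):
    """Build links from one configured, externally visible origin instead."""
    parts = urlsplit(public_origin)
    if parts.scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError("public origin must be an absolute http(s) URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("public origin must not carry a path or query")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be site-relative")
    return f"{parts.scheme}://{parts.netloc}{path}"

def auth_scope(url):
    """Origin part (scheme, host, port) of the scope of cached Basic credentials."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORT[parts.scheme])

def slash_redirect(build, requested_path):
    """Directory redirect from 1a: returns the Location header value."""
    return build(requested_path + "/")

if __name__ == "__main__":
    first = "http://www.foobar.dom/maintain"
    leaked = slash_redirect(lambda p: url_from_bind_port(CGI_ENV, p), "/maintain")
    fixed = slash_redirect(
        lambda p: url_from_public_origin("http://www.foobar.dom", p), "/maintain")
    for label, target in (("bind port", leaked), ("public origin", fixed)):
        reprompt = auth_scope(first) != auth_scope(target)
        print(f"{label:13} -> {target}  second password prompt: {reprompt}")
```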