RE: [Openvds-devel] The port 80 problem


From: Clint Nelissen
Subject: RE: [Openvds-devel] The port 80 problem
Date: Fri, 14 Dec 2001 07:30:50 -0800

Awesome Simon. Great work!

Clint Nelissen - Web/Systems Technician
Digital Internet Services Corporation
Phone - 760-776-0800 x 300
Fax - 760-776-0076
http://www.dis.net
 


-----Original Message-----
From: Simon Garner [mailto:address@hidden]
Sent: Thursday, December 13, 2001 9:06 PM
To: address@hidden
Subject: [Openvds-devel] The port 80 problem


Hi,

I've decided that binding Apache to port 8080 and using iptables to forward
port 80, to enable Apache to be started as non-root, is not at all
satisfactory, for the following reasons:

1) Apache insists on using port 8080 when generating self-referencing URLs
(even with UseCanonicalName off). This has the following effects:

    a) Typing directory names without the trailing slash redirects the user
to domain.dom:8080. I have a client who has an admin page for their site in
a directory called /maintain which is protected with HTTP basic
authentication. If they type the URL http://www.foobar.dom/maintain in their
browser, they are prompted for the password, then redirected to
http://www.foobar.dom:8080/maintain/ and prompted for the password again,
which is somewhat irritating.

    b) Some third-party PHP and CGI scripts generate self-referencing URLs
based on the SERVER_NAME and SERVER_PORT environment variables, which again
gives domain.dom:8080.

    These can be worked around, e.g. by telling users to type the trailing
slash in the first place, but I'm not happy selling a product with quirks
like this.

2) There's the possibility the Port 8080 setting in httpd.conf may confuse
some users. They may try to "fix" it by changing the setting to Port 80,
thus breaking their server.

3) The port forwarding only works for traffic originating from other hosts,
not the host server or virtual servers on that host server (as discussed
previously). Some users may wish to access their site using e.g. lynx or
wget while ssh'd into their virtual server, and find it does not work. This
will require explaining to users the workings of the port 8080 forwarding
and asking them to connect to their site on port 8080. I imagine this will
appear as a bit of a "kludge" to them, and reduce their confidence in the
service.


The solution? Well, Idaya's process capabilities patch for Apache sounds
great (although who knows if they'll share it with us?), but that is not
available yet and I need to resolve this issue now.

I noticed that included with freeVSD is a patch for linux-2.2.19 which
changes the port binding restrictions in the linux kernel, to enable any
user to bind to ports 80 and 443.

I've modified this patch to make it work with linux-2.4.16. You can find the
new patch file here if interested:

http://www.expio.co.nz/~sgarner/freevsd/linux-2.4.16-vsd.patch.txt

Regards,

Simon Garner


_______________________________________________
Openvds-devel mailing list
address@hidden
http://mail.freesoftware.fsf.org/mailman/listinfo/openvds-devel
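
The self-referencing URL problem from points 1a and 1b of the quoted message, as an added example that is not part of either message or of any OpenVDS/freeVSD code. The function names, `PUBLIC_PORT`, `ALLOWED_HOSTS` and the sample CGI environment are assumptions constructed for illustration; the second builder treats the client-supplied Host header as untrusted and accepts it only when allowlisted.

```python
"""Added example: self-referencing URLs behind a port 80 -> 8080 forward (http only)."""

PUBLIC_PORT = 80                    # assumption: the port clients actually connect to
ALLOWED_HOSTS = {"www.foobar.dom"}  # assumption: hostnames this virtual server serves


def url_from_server_vars(env, path):
    """Pattern from point 1b: trust SERVER_NAME and SERVER_PORT as the backend sees them."""
    netloc = env["SERVER_NAME"]
    port = int(env["SERVER_PORT"])
    if port != 80:
        netloc += ":%d" % port      # leaks the internal listening port
    return "http://%s%s" % (netloc, path)


def url_from_public_origin(env, path):
    """Build the URL from the public port, using the Host header only if allowlisted."""
    host = env.get("HTTP_HOST", "").lower()
    name, _, port_text = host.partition(":")
    # Host is client-supplied: accept it only when the name is one we serve and
    # any port it carries is the public one; otherwise fall back to SERVER_NAME.
    if name not in ALLOWED_HOSTS or (port_text and port_text != str(PUBLIC_PORT)):
        name = env["SERVER_NAME"]
    netloc = name
    if PUBLIC_PORT != 80:
        netloc += ":%d" % PUBLIC_PORT
    return "http://%s%s" % (netloc, path)


def add_trailing_slash(env, builder):
    """Redirect target for a directory requested without its trailing slash (point 1a)."""
    return builder(env, env["REQUEST_URI"].rstrip("/") + "/")


# Constructed CGI environment: a request for http://www.foobar.dom/maintain
# that reached Apache on port 8080 through the forward.
SAMPLE_ENV = {
    "SERVER_NAME": "www.foobar.dom",
    "SERVER_PORT": "8080",
    "HTTP_HOST": "www.foobar.dom",
    "REQUEST_URI": "/maintain",
}

if __name__ == "__main__":
    print(add_trailing_slash(SAMPLE_ENV, url_from_server_vars))
    print(add_trailing_slash(SAMPLE_ENV, url_from_public_origin))
```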
