I am attempting to run BeepBeep through Mochiweb on port 80. It works if I type sudo ./start_server.sh. Are there any security risks with running Mochiweb like this? If so, how do I remedy them?
Thanks!
Running any service as root has risk. It's hard to answer your question properly without more information, though. Is this a production service or a dev instance you are running?
If production, I would recommend running the mochiweb instance on a different port so it can run as a user, and then using a proxy like nginx or apache to listen on 80 and forward the request.
You could start it on an unprivileged port and do port-forwarding in your firewall, so that port 80 goes to your unprivileged port.
Related
I have a domain name https://example.com that points to a VPS server on Amazon Lightsail. I have several applications I want to run. The apps are in Vue.js and some in Spring, and I am using nginx as the web server.
The landing page is basically an app running on port 3000, but using a reverse proxy to display it at the root of example.com on port 80.
I would like to run another app like:
example.com/one, example.com/two and example.com/three where one, two and three are applications each running inside a docker container.
How would I go about configuring my apps in this way, keeping in mind the apps are running separately inside Docker?
I highly suggest using Caddy for this type of setup.
Nginx is awesome and you could use that for the same purpose.
But for what you want to do caddy will work perfectly.
Just make sure to run each container on a different port.
Then use caddy as a reverse proxy to each container:
https://medium.com/bumps-from-a-little-front-end-programmer/caddy-reverse-proxy-tutorial-faa2ce22a9c6
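Let's say you have containers running on ports 5000, 8800 and 9000,
then you could do:
example.com {
	# A bare path matcher such as /one matches only that exact path;
	# the trailing * also covers everything below it.
	reverse_proxy /one* localhost:5000
	reverse_proxy /two* localhost:8800
	reverse_proxy /three* localhost:9000
}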
Caddy is cool because it will also set up SSL via Let's Encrypt.
I didn't have time or a server to test this now, but let me know if it works.
God bless :)
Docker can only route to different ports. It cannot determine the container by an HTTP path.
You need a reverse proxy (RP).
You have two options:
Install RP on host
You can install the RP on your host machine. There are many pros, like being able to use certbot for automatic Let's Encrypt certs. And you have the opportunity to use more Docker containers.
For this you have to publish ports in Docker to your host machine.
Use your docker-nginx as RP
You can also set your frontend as RP. Just put your docker-containers in a docker-network and add the RP-config to your nginx.
I have a docker container that is listening on port 80 (and 443) running on a server and accepting request for a sub-domain https://<subdomain1>.<domain>.com
Now I need to deploy another container on the same server and accept connections for another subdomain https://<subdomain2>.<domain>.com. The problem is that the container for subdomain1 is already running on port 80. For the new one, I can choose a different port on the host.
Is it possible to put nginx 'before' the container so it can redirect the traffic to different dockers accordingly? Also, ideally I wouldn't want to commit the old docker container and run it on a new port. I can stop and restart though.
You must use a reverse proxy (serving on ports 80 and 443), maybe jwilder/nginx-proxy or Traefik, standing in front of the other containers.
This container will serve and redirect traffic to the other containers running on a "random" port (not 80 and 443), like the image below.
I'm wondering if it is necessary to run an apache docker container when I already have an apache webserver installed on the host?
Since the host's own apache is listening on ports 80 and 443, it has to proxypass requests to the corresponding containers. Hence an apache docker container is hiding behind the host's apache and listening on ports other than 80 and 443. I think this will have a negative effect on performance...
The only downside I see, though, is that there is only one main apache server to handle all incoming requests on ports 80 and 443 for all virtual hosts. So apart from this, what is the benefit of running an apache docker container behind the host's own apache?
It is definitely redundant to have apache installed on the server and an apache container.
Docker is a tool meant to make your life easier. If you have only a simple setup with a single server, and you don't care about scalability/maintainability, then installing Docker may be an unnecessary hassle. But if you do care, then you might be better off switching to a container instead of the apache installed on the server.
I suggest you read about docker advantages and decide for yourself
Is it possible to have 2 docker containers serve on port 80 but on different subdomains or hostnames?
Something like:
api.example.com goes to a node application
app.example.com goes to a Java application
Yes, you can, using a proxy.
There is a project by jwilder/nginx-proxy which allows you to give your hostname via an environment variable, which will then route your request to the appropriate container.
A good example of this implemented is given here: https://blog.florianlopes.io/host-multiple-websites-on-single-host-docker/
No. The first container you start will have exclusive access to the port, and if you try and start a second container on the same port it will fail.
Instead, use a load balancer such as Nginx or Traefik to handle the incoming traffic to port 80 and proxy it on to your two app containers based on host headers.
I want to run Grails on https on localhost. I have already configured HTTPS and can see the Apache page when localhost:443 is hit. Currently Grails runs on 8080. When I try running grails with grails -Dserver.port.https=443 run-app -https, I get Permission denied. I know this requires some kind of root access below port 1024. But when I try sudo grails run-app, this gives me command not found.
Any possible solutions?
Generally, it's a bad idea to run your web app as root. Practically speaking, your app becomes super exploitable. Any security flaw in your setup will suddenly give the attacker full root access to the server.
This is why it's more common to do one of the following:
Run a proxy such as apache or nginx or haproxy on port 443 with https, and grails on port 8080 without https. Set up the proxy to forward all requests to your grails app at 8080. Make sure the grails app only listens to localhost, so you can't go directly to yoursite.com:8080.
Run Grails at 8080, with https, only listening on localhost, and set up a netfilter/iptables rule to forward traffic on 443 to localhost 8080.
The two setups are essentially the same. The main difference is whether to use a user-level setup or rely on an OS-level service such as netfilter.
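Added example (not part of the original answers): a check for the "only listens to localhost" advice above, which applies equally to the container ports in the earlier answers. It reads `ss -H -ltn` output and reports backend ports that are bound to a non-loopback address and can therefore be reached without going through the proxy. The function name and the sample listener table are constructed for illustration; the ports are the ones mentioned in the answers.

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 4096 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 4096 [::]:5000 [::]:*
LISTEN 0 4096 127.0.0.1:8800 0.0.0.0:*
LISTEN 0 4096 *:9000 *:*'

# exposed_backends PORT...
# Reads `ss -H -ltn` output on stdin and prints "port address" for every
# listed backend port that is bound to something other than loopback.
exposed_backends() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            if (!(port in want)) next             # the proxy ports are not checked
            # Loopback binds (IPv4, IPv6, IPv4-mapped) are only reachable locally.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SS" | exposed_backends 8080 5000 8800 9000
```

On a live host, pipe `ss -H -ltn` into the function instead of the sample. A port reported here should be rebound to 127.0.0.1 (for a Docker container, publish it as `127.0.0.1:5000:5000` rather than `5000:5000`) or blocked at the firewall.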