[hunchentoot-devel] Best way to run Hunchentoot on Port 80, Proxy-Module for Hunchentoot

Andrey Moskvitin archimag at gmail.com
Fri Oct 16 21:49:13 UTC 2009


> I am using sbcl, so I could use sb-posix:setuid after starting hunchentoot
> and gaining port 80, removing root-privileges.

;; Keep the permitted capability set across the uid change (prctl(2));
;; PR_SET_KEEPCAPS is 8 in linux/prctl.h.
(sb-posix::define-call "initgroups" int minusp (user c-string) (group sb-posix::gid-t))
(sb-posix::define-call "prctl" int minusp (option int) (arg int))
(defconstant +PR_SET_KEEPCAPS+ 8)
(sb-posix:prctl +PR_SET_KEEPCAPS+ 1)

;; Drop root. NAME is a placeholder for the unprivileged account the
;; server should run as; uid and gid are looked up from it.
(let* ((name "www-data")
       (pw (sb-posix:getpwnam name))
       (uid (sb-posix:passwd-uid pw))
       (gid (sb-posix:passwd-gid pw)))
  (sb-posix:setresgid gid gid gid)
  (sb-posix:initgroups name gid)
  (sb-posix:setresuid uid uid uid))

;; Now reduce the retained capabilities to CAP_NET_BIND_SERVICE only
;; (needs libcap2).
(sb-alien:load-shared-object (find-if #'probe-file
                                      '("/lib/libcap.so.2" "/lib/libcap.so")))

(sb-posix::define-call "cap_from_text" (* char) null-alien (text c-string))
(sb-posix::define-call "cap_set_proc" int minusp (cap_p (* char)))
(sb-posix::define-call "cap_free" int minusp (cap_p (* char)))

(let ((cap_p (sb-posix:cap-from-text "CAP_NET_BIND_SERVICE=ep")))
  (sb-posix:cap-set-proc cap_p)
  (sb-posix:cap-free cap_p))

;; The non-root process can still bind port 80.
(hunchentoot:start (make-instance 'hunchentoot:acceptor :port 80))

I use this code to run http://lisper.ru/. Requires libcap2. Tested on
Debian and Gentoo.

Full script: http://github.com/archimag/rulisp/blob/devel/rulisp-daemon.lisp
<http://lisper.ru/apps/format/15>
Andrey

2009/10/16 Christoph Senjak <christoph.senjak at googlemail.com>

> Hello.
>
> As I am really annoyed by the confusing configuration-"possibilities"
> of apache, and as lighttpd doesn't support what I want to do in its
> stable release, I want to run hunchentoot in the first place. However,
> there are two problems:
>
> At first, I cannot run a usermode-process listening on port 80. I am
> using sbcl, so I could use sb-posix:setuid after starting hunchentoot
> and gaining port 80, removing root-privileges. Or I could forward port
> 80 to port 8000 via firewall policies.
>
> I would prefer the first possibility. The question is, if there is
> anything militating against starting hunchentoot as root and then
> using setuid. I.e. any security issues that could result from it,
> anything that maybe won't work, etc.
>
> Another thing is the question if there is some proxy- or
> passthrough-module for hunchentoot. I still have some php-pages I want
> to host (even though I will use lighttpd rather than apache for this),
> and would therefore need to pass them to another server in the
> background.
>
> Regards,
> Christoph Senjak
>
> _______________________________________________
> tbnl-devel site list
> tbnl-devel at common-lisp.net
> http://common-lisp.net/mailman/listinfo/tbnl-devel
>
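As an added check that is not part of this thread: once the privilege drop above has run, the server can read its own /proc/self/status and confirm that every uid/gid column is non-root and that the permitted and effective sets hold only CAP_NET_BIND_SERVICE (bit 10). The two status texts below are constructed samples.

```python
import re
CAP_NET_BIND_SERVICE = 10  # bit number from linux/capability.h

def parse_status(status_text):
    """Extract Uid/Gid columns and the CapInh/CapPrm/CapEff bitmasks."""
    fields = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            fields[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
            continue
        m = re.match(r"^(CapInh|CapPrm|CapEff):\s+([0-9a-fA-F]+)\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
    return fields

def check_privilege_drop(status_text, allowed_caps=(CAP_NET_BIND_SERVICE,)):
    """Return a list of problems; an empty list means the drop held."""
    st = parse_status(status_text)
    allowed = 0
    for bit in allowed_caps:
        allowed |= 1 << bit
    problems = []
    for key in ("Uid", "Gid"):
        # real, effective, saved and fs ids must all be non-root
        if key not in st or 0 in st[key]:
            problems.append(f"{key} still contains 0: {st.get(key)}")
    for key in ("CapPrm", "CapEff"):
        extra = st.get(key, 0) & ~allowed
        if extra:
            problems.append(f"{key} exceeds the allowed set: {extra:#x}")
    if st.get("CapEff", 0) & allowed != allowed:
        problems.append("CapEff lacks the capability needed to bind port 80")
    if st.get("CapInh", 0):
        problems.append(f"CapInh is non-empty: {st['CapInh']:#x}")
    return problems

def check_self():
    """Run the check on the current process, i.e. the server after the drop."""
    with open("/proc/self/status") as f:
        return check_privilege_drop(f.read())
# Constructed sample: a correctly dropped server process
GOOD_STATUS = ("Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
               "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
               "CapEff:\t0000000000000400\n")
# Constructed sample: saved uid left at 0 and cap_set_proc never called
BAD_STATUS = ("Uid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n"
              "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
              "CapEff:\t0000000000000000\n")
```

Calling check_self() from the Lisp image is not possible as written; run it as a separate process against /proc/<pid>/status of the server, or port the same field checks into the daemon script.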