I am using gorilla/mux package in golang, but there are some problems. The first is I have no permissions to use port 80 on my application becuase I cannot run the application from sudo as the $GOPATH is not set when using sudo.
Here is the error I get from my program:
$ go run app.go
2014/06/28 00:34:12 Listening...
2014/06/28 00:34:12 ListenAndServe: listen tcp :80: bind: permission denied
exit status 1
I am unsure if it will even work when I fix the sudo problem, because apache is already using port 80 and I am not sure if both my app and apache can "play nice" together.
Any advice on how to solve this would be great. Thank you.
Quoting elithar's comment,
You have two options: either turn off Apache (because only one service
can bind to a port), or (better!) use Apache's ProxyPass to proxy any
incoming requests to a specific Hostname to your Go server running on
port (e.g.) 8000. The second method is very popular, robust, and you
can use Apache to handle request logging and SSL for you.
Reverse Proxying
Using Apache on port 80 in this way is called a reverse proxy. It receives all incoming connections on port 80 (and/or port 443 for https) and passes them on, usually unencrypted, via internal localhost connections only, to your Go program running on whatever port you choose. 8000 and 8080 are often used. The traffic between Apache and your server is itself HTTP traffic.
Because your Go program does not run as root, it is unable to alter critical functions on the server. Therefore it gives an extra degree of security, should your program ever contain security flaws, because any attacker would gain only limited access.
FastCGI
You can improve the overall performance of the reverse proxying by not using HTTP for the connection from Apache to the Go server. This is done via the FastCGI protocol, originally developed for shell, Perl and PHP scripts, but working well with Go too. To use this, you have to modify your Go server to listen using the fcgi API. Apache FastCGI is also required. The traffic from Apache to your server uses a more compact format (not HTTP) and this puts less load on each end.
The choice of socket type is also open: instead of the usual TCP sockets, it is possible to use Unix sockets, which reduce the processing load even further. I haven't done this in Go myself, but the API supports the necessary bits (see a related question).
Nginx
Whilst all the above describes using Apache, there are other server products that can provide a reverse proxy too. The most notable is Nginx (Nginx reverse proxy example), which will give you small but useful performance and scalability advantages. If you have this option on your servers, it is worth the effort to learn and deploy.
Based on this previous answer about environment variables, I was able to solve the sudo problem easily.
https://stackoverflow.com/a/8636711/2576956
sudo visudo
added these lines:
Defaults env_keep +="GOPATH"
Defaults env_keep +="GOROOT"
Using ubuntu 12.04 by the way. I think the previous answer about the proxy for using port 80 is the correct choice, because after fixing the sudo issue I was given this error about port 80 instead:
$ sudo go run app.go
2014/06/28 01:26:30 Listening...
2014/06/28 01:26:30 ListenAndServe: listen tcp :80: bind: address already in use
exit status 1
Meaning the sudo command was fixed but the proxy binding would not work with another service already using port 80 (apache).
Related
I'm trying to run a node web app (built with meteor) on a Centos7 server running EasyApache4 with WHM cPanel. I'm trying to run it on a subdomain off of one of our main websites on port 8080.
When going to the subdomain on port 8080, the connection just times out, but can see the html when using curl to access it.
Does anyone have any ideas why it won't work through the browser, and also how I can get it to look like it's running straight from the subdomain instead of having to go directly to the port.
EDIT
Below is the curl we are using to view the html
curl http://subdomain.site.com:8080
Doing that brings back the html no problems
Had the same problem today. I am using Memset Centos7 server with WHM/CPanel, running EasyApache 4.
After trying everything I could think of, I realised that I had a basic firewall setup, which closed all ports that were not listed. After adding port 8080, it worked.
Used this:
sudo iptables -I INPUT 1 -i + -p tcp --dport 8080 -j ACCEPT
I am not 100% certain how secure this is, as I am still researching.
I am installing chef-server on this VPS that my friend let me borrow.
I was able to install chef and run chef-server-ctl reconfigure successfully.
I ran into problems because I need to change the iptable rules and I discovered that I cannot find chef-server running on any port or as a service.
When I run chef-server-ctl it seems to pass all the tests, so I know its API is working.
Where can I find that chef is running?
I need to change my iptables so that I can use knife to communicate with chef-server.
First off it sounds like you installed Chef Server, not Chef, important distinction :) Second, there is no specific process called chef-server. The frontend routing is handled by nginx which binds on port 443 and 80 (80 is just a redirector to 443 and can be blocked or disabled if desired). Internally we have a bunch of different smaller services like oc_erchef, bifrost, oc_id, etc. These all listen on localhost and are reached via Nginx.
You have installed Chef server and have reconfigured the server, you can't find a chef-server.
you can run below commands to check all the services that are running chef server
$ chef-server-ctl service-list
bookshelf*
nginx*
oc_bifrost*
oc_id*
opscode-chef-mover*
opscode-erchef*
opscode-expander*
opscode-solr4*
rabbitmq*
redis_lb*
postgresql*
To update the port number you need to update
/etc/chef-server/chef-server.rb - in Chef 11
/etcopscode/chef-server.rb - in Chef 12
nginx['non_ssl_port'] = portnumber
And also how are using knife command? Do you want ssl check to be passed then you need to add a line in knife.rb file
ssl_verify_mode: verify_none
'
I'm a Linux beginner and have a Linux Ubuntu 12.04 server. I've installed node.js and created a webserver script. That works fine, but it runs as root user.
I know that's not good (root-user & webserver = unsafe).
How can I run the webserver script as an non-root user? Does somebody know a good detailed tutorial or can give me some advice?
You have two options:
Listen on port 80
Run as root, start your app's listen() on port 80 and them immediately drop to non-root. This is what Apache does, for example. Not recommended since it's easy to get this wrong, and lots of other details (writing to log files, initialization required before you can listen, etc.). Not standard practice in node.
Listen on port >=1024*
Run as non-root, listen on a port >= 1024 (say: 8000, or 8080), and have someone else listen on port 80 and relay port 80 traffic to you. That someone else can be:
A load-balancer, NAT, proxy, etc. (Maybe an EC2 load balancer if you're running on EC2, e.g.)
Another http server, say Apache httpd or ngnix.
For an ngnix example, see this: Node.js + Nginx - What now?
you can just run node hello.js
I would like to run a node.js TCP server on port 80 on an Amazon EC2 instance of Amazon Linux. I have added 80 to the security group, but the problem is letting node.js bind to port 80, which normally requires root permission.
The easiest solution seems to be using authbind, but it isn't accessible from the EC2 yum repo. Is there an equivalent utility for Amazon Linux? Or some other workaround for this distro ? Or is it actually a bad idea to use authbind?
I ended up binding to a higher port and then using iptables to forward port 80 traffic to that port. Another option was to use an AWS load-balancer from incoming port 80 to a higher port on the ec2 instance.
It's a little tedious, but if you install gcc you can compile it from source. You can go here to get the 2.1.1 release. Click the link that says "Snapshot" to get a tar.gz file. I couldn't seem to download it directly using wget (had to download from web browser and then upload), YMMV.
If using systemd, you can use AmbientCapabilities to allow a service to bind to a lower port.
This is done through your service configuration file in the /etc/systemd/system directory:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
...
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I'm on laptop (Ubuntu) with a network that use HTTP proxy (only http connections allowed).
When I use svn up for url like 'http://.....' everything is cool (google chrome repository works perfect), but right now I need to svn up from server with 'svn://....' and I see connection refused.
I've set proxy configuration in /etc/subversion/servers but it doesn't help.
Anyone have opinion/solution?
In /etc/subversion/servers you are setting http-proxy-host, which has nothing to do with svn:// which connects to a different server usually running on port 3690 started by svnserve command.
If you have access to the server, you can setup svn+ssh:// as explained here.
Update: You could also try using connect-tunnel, which uses your HTTPS proxy server to tunnel connections:
connect-tunnel -P proxy.company.com:8080 -T 10234:svn.example.com:3690
Then you would use
svn checkout svn://localhost:10234/path/to/trunk
Ok, this should be really easy:
$ sudo vi /etc/subversion/servers
Edit the file:
[Global]
http-proxy-host=my.proxy.com
http-proxy-port=3128
Save it, run svn again and it will work.
If you can get SSH to it you can an SSH Port-forwarded SVN server.
Use SSHs -L ( or -R , I forget, it always confuses me ) to make an ssh tunnel so that
127.0.0.1:3690 is really connecting to remote:3690 over the ssh tunnel, and then you can use it via
svn co svn://127.0.0.1/....
Okay, this topic is somewhat outdated, but as I found it on google and have a solution this might be interesting for someone:
Basically (of course) this is not possible on every http proxy but works on proxies allowing http connect on port 3690. This method is used by http proxies on port 443 to provide a way for secure https connections. If your administrator configures the proxy to open port 3690 for http connect you can setup your local machine to establish a tunnel through the proxy.
I just was in the need to check out some files from svn.openwrt.org within our companies network. An easy solution to create a tunnel is adding the following line to your /etc/hosts
127.0.0.1 svn.openwrt.org
Afterwards, you can use socat to create a tcp tunnel to a local port:
while true; do socat tcp-listen:3690 proxy:proxy.at.your.company:svn.openwrt.org:3690; done
You should execute the command as root. It opens the local port 3690 and on connection creates a tunnel to svn.openwrt.org on the same port.
Just replace the port and server addresses on your own needs.
when you use the svn:// URI it uses port 3690 and probably won't use http proxy
svn:// doesn't talk http, therefor there's nothing a http proxy could do.
Any reason why http doesn't work? Have you considered https? If you really need it, you probably have to have port 3690 opened in your firewall.
If you're using the standard SVN installation the svn:// connection will work on tcpip port 3690 and so it's basically impossible to connect unless you change your network configuration (you said only Http traffic is allowed) or you install the http module and Apache on the server hosting your SVN server.