Running a Trinidad server (for Rails) under authbind?

I have a Rails app using Jruby that I would like to deploy for production. It's using Trinidad. I would like to run as port 80 without using root. Would authbind be a reasonable choice (on Ubuntu)? What's a good way to configure it?

You are running JRuby, i.e. using a JVM? authbind intercepts the standard socket library calls (e.g. bind() in socket.h). Unfortunately, Java (at least Java 1.6+ in my experience) does not use the standard socket libraries, but uses much lower level syscalls, so authbind does not work with Java.
If you want to run tomcat on port ie, either use nginx or apache as a reverse proxy, or use iptables to rewrite the "destination port" on incoming packets. More details in the tomcat FAQ: http://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

Related

Cannot bind arango 2.8.5 to endpoint ssl://0.0.0.0:443

I am using ArangoDB 2.8.5 on Ubuntu 14.04 (64-bit).
In the config file, endpoint = ssl://0.0.0.0:443
It fails to start with this error message in the log: "FATAL failed to bind to endpoint 'ssl://0.0.0.0:443'. Please check whether another instance is already running or review your endpoints configuration."
I ran netstat -lnpt. Only port 22 is in use, by ssh.
The server starts up and binds to port 8530 with SSL when using endpoint = ssl://0.0.0.0:8530. The admin website is accessible at https://www.website.com:8530/.../
I want the admin UI to be accessible without the need for the additional port 8530, i.e. https://www.website.com/. This was possible to set up in the earlier versions. What am I doing wrong, or is this not possible anymore?
It is a small application, so I am trying to avoid running another web server in front to forward requests to arango apps. Thank you very much for any direction.
Regards,
Anjan
The problem occurs in conjunction with ArangoDB dropping its root privileges to the specified user by:
[server]
endpoint = ssl://0.0.0.0:443
uid=arangodb
This may become possible with ArangoDB 3.0 again, however currently you have to choose one of the workarounds to allow non-root processes to bind lower ports:
authbind
Using the iptables REDIRECT target to redirect a low port to a high port (the "nat" table is not yet implemented for ip6tables, the IPv6 version of iptables)
SELinux or AppArmor
Use the capabilities system available as of Linux kernel 2.6.24 and CAP_NET_BIND_SERVICE capability:
setcap 'cap_net_bind_service=+ep' /usr/sbin/arangod
And then any time ArangoDB is executed thereafter it will get the CAP_NET_BIND_SERVICE capability. setcap is in the Debian package libcap2-bin.
More details on the capabilities can be found at:
capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
setcap man page
"Bind ports below 1024 without root on GNU/Linux"

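A check to go with the setcap workaround above, as an added example that is not part of the original answer or of ArangoDB: it reads getcap output and reports which binaries hold cap_net_bind_service alone and which carry extra capabilities. The function names and the sample lines (apart from the /usr/sbin/arangod path) are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit `getcap` output for binaries allowed to bind ports < 1024.
# Prints "OK <path>" when cap_net_bind_service is the only capability granted,
# "WIDE <path> <extras>" when other capabilities ride along, and skips
# binaries that do not hold cap_net_bind_service at all.
# Assumption: paths contain no spaces.
audit_bind_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}    # text before the first space
        caps=${line#* }     # capability text after it
        # Capability names are the cap_* tokens; "=", "+", "," and the
        # flag letters (e, i, p) are separators or flags, not names.
        names=$(printf '%s\n' "$caps" | tr -c 'a-z0-9_' '\n' | grep '^cap_' | sort -u)
        printf '%s\n' "$names" | grep -qx 'cap_net_bind_service' || continue
        extra=$(printf '%s\n' "$names" | grep -vx 'cap_net_bind_service' | tr '\n' ' ')
        extra=${extra% }
        if [ -z "$extra" ]; then
            printf 'OK %s\n' "$path"
        else
            printf 'WIDE %s %s\n' "$path" "$extra"
        fi
    done
}

# Constructed sample covering both getcap output styles
# (older libcap: "path = caps+ep"; newer libcap: "path caps=ep").
sample_getcap_output() {
    cat <<'EOF'
/usr/sbin/arangod = cap_net_bind_service+ep
/opt/app/bin/server cap_net_bind_service,cap_sys_admin=ep
/usr/bin/ping cap_net_raw=ep
EOF
}

# Demo on the constructed sample. On a real host, run instead:
#   getcap -r / 2>/dev/null | audit_bind_caps
sample_getcap_output | audit_bind_caps
```
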
Using mod_security, either with Apache 2.4 or with mod_proxy as a reverse proxy

I would like to set up mod_security as a standalone instance protecting Tomcat instances against web application attacks. Would anyone know the pros and cons of doing this via installing mod_security as an Apache module versus installing mod_security on a reverse proxy? Has anyone implemented mod_security in either of these fashions? And if so, is one preferred over the other?
There's really no difference in your two options. What non reverse proxy would you install the module on to protect Tomcat?
The question doesn't really make sense as they are both the same to you.
If you already have an Apache server, then you install ModSecurity in one of two ways:
In embedded mode by installing ModSecurity as module in the existing Apache instance you already have. The advantages are that you won't have to set up a separate Apache instance, and that the ModSecurity will have access to the environment that Apache runs under (so can see environment variables for example or log to same log files).
In a reverse proxy mode. This involves setting up a separate Apache instance, with ModSecurity on it only, and funneling all requests through it, before sending on the requests to your normal Apache. The advantages here are a dedicated web server just for ModSecurity, so you will not share resources with your existing version of Apache, if it is already resource hungry. Disadvantages are that it doubles your infrastructure and the complications that brings.
Personally I prefer option 1.
However, as you want to set up a dedicated web server in front of Tomcat, the two options are identical for you. The new instance of Apache (or Nginx) that you set up will be running it in embedded mode and will act as a reverse proxy to your Tomcat server.
Personally I always think it's best to run a dedicated web server like Apache in front of any app server like Tomcat - especially on a public facing website. Granted Tomcat does include a pretty good web server (called Coyote), which may serve most of your web server needs, but a dedicated web server like Apache is more geared towards serving static content and contains other features for performance and security which make it a better end point server (including the ability to run ModSecurity for example!).
And just in case there is any confusion, Apache is actually short for Apache HTTP Server, and is sometimes called Apache httpd after the process that it runs. It is Apache's most popular bit of software hence why the name gets shortened, but Apache actually have lots of bits of software (including Apache Tomcat - usually shortened just to Tomcat).

Best way to run a Plack PSGI Perl application outside of Apache using FastCGI?

I'm currently running Apache/mod_perl with a PSGI-application invoked by Plack::Handler::Apache2. The problem we have is each Apache process consumes a connection to the PostgreSQL database, which is expensive. To solve this, we plan to run the PSGI-application separate from Apache, and let all Apache processes communicate with it over a UNIX domain socket. What setup would you recommend in my case?
My plan is to run it using plackup:
plackup -s FCGI -E production --nproc 100 --daemonize --listen /tmp/myapp.sock \
/usr/local/bin/myapp.psgi
I asked the author of Plack, Tatsuhiko Miyagawa, if plackup -s FCGI is recommended for production purposes. He provided the following answer:
"while it could be used for production, i usually recommend using other
specialized servers such as Starman, Starlet or uwsgi. FCGI is an
exception because we don't have a specific FCGI daemon other than the
default Plack::Handler. We have a plan to split out FCGI out of Plack
core and make that a separate installation."
Now, until FCGI is split out of Plack, the question is therefore, what is the best possible way to run a PSGI application using FastCGI outside of Apache?
If you insist on using the FastCGI protocol, you can make Apache connect to an external FastCGI server using mod_fastcgi and the FastCgiExternalServer directive (note that mod_fcgid does not support this mode of operation). This should work with the FCGI handler built into Plack.
But as Tatsuhiko said, it's recommended to use a server like Starman or Starlet that works as reverse proxy over HTTP. So you would use mod_proxy on the Apache side. With Apache 2.4.7, it's also possible to communicate over Unix domain sockets.

Enforcing SSL in Play! Framework 2.1.3

I want to write a small back-end REST server using Play! Framework 2.1.3. This server will only serve WS requests, and all communication to it must be made over SSL. For this reason, I don't want to have an HTTP port open for this server at all.
I've seen this question regarding SSL on various Play! branches, and according to the linked discussion, the only way to open SSL port (which worked for me) is to add JAVA_OPTS before running the server, like so:
JAVA_OPTS=-Dhttps.port=9443 play run
This setting opens both HTTP and HTTPS ports for communication.
My questions are:
Is it possible to open the server only for SSL communication? How?
Is there a configuration file where I put this setting?
Thanks!
This is super easy with Play 2.2, not sure it works on 2.1.3, I didn't see it in the 2.1.x docs...but was in the 2.2.x docs...so give it a shot, it might be implemented.
Throw this in your configuration file :
http.port=disabled
Or you could run it with the command line option :
-Dhttp.port=disabled
http://www.playframework.com/documentation/2.2.x/ConfiguringHttps

Dual server deployment: PHP and Java

I need PHP for UI coding and I'll be making AJAX requests to a Java backend. I've never deployed two servers before. I'll need Apache for PHP and Tomcat for Java.
How can I do this?
You can run PHP through Tomcat as it is based on Apache. Here is a pretty simple tutorial to do so. http://nexus.zteo.com/2008/02/15/how-to-setup-php5-with-tomcat-5/
One possibility is to run a PHP interpreter written in Java directly in Tomcat and there is an open-source one called Quercus.
Well, you can run both servers separately, but that would mean that Tomcat will have to run on another port. You can also set up PHP with Tomcat as a CGI script as already mentioned, but I don't know if that'll offer the best performance.
In my experience the best way to connect Tomcat with Apache is via the mod_jk connector. You just have to tell Apache which pages to redirect to the Tomcat server running behind it. Since you didn't give more information about your system environment, I could only give you the link to the general documentation.