Call a local (in memory) Twisted - twisted

Is there a way to run Twisted without exposing it behind a network port?
We have a WSGI servlet running behind Apache/mod_wsgi.
This servlet needs to send a message to a local Twisted instance. But we are not finding a way to run this.
Our expected architecture layers:
apache_httpd > mod_wsgi > servlet > twisted
Is there a way to run it?
Regards,
And Past

Twisted can accept input via standard input, via a UNIX socket (also known as a "socket file"), and via a locally bound TCP network port. None of these need necessarily expose your Twisted service to the outside world.
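The UNIX-socket option from the answer above, as an added example (not code from the original posts): the Twisted process listens on a socket file and the WSGI servlet talks to it with the standard library. The socket path, the one-message "ack" protocol and the function names are assumptions made for illustration.

```python
"""Added example: Twisted reachable only through a UNIX socket file."""
import socket

SOCKET_PATH = "/tmp/twisted-local.sock"  # assumed path; prefer a private directory


def serve(path=SOCKET_PATH):
    """Run in the Twisted process: answer each message, open no network port."""
    # Imported here so the client half below also loads in a WSGI process
    # that does not have Twisted installed.
    from twisted.internet import reactor
    from twisted.internet.protocol import Factory, Protocol

    class Ack(Protocol):
        def dataReceived(self, data):
            # Hypothetical protocol: one short message in, one reply out.
            self.transport.write(b"ack:" + data)
            self.transport.loseConnection()

    # mode=0o600 lets only the socket's owner connect; use 0o660 plus a shared
    # group if Apache runs as another user (assumption about the deployment).
    # wantPID=True takes a lock file and clears a stale socket on restart.
    reactor.listenUNIX(path, Factory.forProtocol(Ack), mode=0o600, wantPID=True)
    reactor.run()


def send_message(payload, path=SOCKET_PATH, timeout=2.0):
    """Run in the WSGI servlet: send one message and return the reply bytes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)          # never hang an Apache worker
        s.connect(path)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)     # tell the service the message is complete
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)
```

Call `serve()` in the long-running Twisted process and `send_message()` from the servlet; access is then governed by file permissions on the socket rather than by a firewall rule.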

Related

using cloudflared to do ssh tunneling accessible by the internet without need to run cloudflared on the other side

I have a raspi machine behind NAT in my room, and I want to access it from the internet using the URL. I found this article.
https://developers.cloudflare.com/cloudflare-one/tutorials/ssh
However, it requires me to run the cloudflared program on the connecting client. I understand that this is for security purposes. Is it possible to make the connection without running the cloudflared program on the client machine?
A follow-up question: is it possible to ssh into an IPv6 machine using the same technique?
There are various options when it comes to connecting to a machine running on a private network:
1. Running cloudflared on the client (which you already found).
2. Installing the WARP client on the user side, then using cloudflared on the server side to expose the service securely. Finally, route the network traffic for the private network on the tunnel via WARP. This approach is described in a tutorial here.
3. Cloudflare has also started supporting in-browser rendering of an SSH session. I have written a tutorial describing how to set it up here.
Approach (3) would do away with the need to run a client since it relies on a simple browser.

TCP route binding to specific hosts in traefik

We are using traefik for simulating our production environment. We have multiple services running in kubernetes running in docker. A few of them are Java applications. In this stack, a developer can come and deploy the code as per the git branches they are working on. So at a given point, we can have 100s of full-fledged stacks running. We use traefik for certificate resolution so that each stack can be hosted based on branch names and all.
Now I want to give developers the facility to debug their Java applications. It's fairly simple to do it in Java. You need to attach a Java agent while starting up the docker image for the application. Basically we need to pass -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=37000 as a JVM argument and the JVM is ready to attach remote debuggers.
Now the JVM is using the JDWP protocol. And as far as I understand, it is a TCP protocol. Now my problem is: I want traefik to create routes dynamically based on my docker service labels. That I am also able to figure out. I used these labels in the docker service.
And this is how you connect to the JVM remotely.
Now, if in the rule I use HostSNI(*), then I am able to connect to the container. But the problem is that when I am doing a remote connection for debugging, traefik can direct my request to any container. And this whole thing won't work as expected.
I believe we must have some other supported function for TCP rules as well, apart from only HostSNI. What is your opinion on this? Or have I missed something here?

Cannot bind arango 2.8.5 to endpoint ssl://0.0.0.0:443

I am using arangodb 2.8.5 on ubuntu 14.04 (64bit)
In the config file, endpoint = ssl://0.0.0.0:443
fails to start with the error message in the log: "FATAL failed to bind to endpoint 'ssl://0.0.0.0:443'. Please check whether another instance is already running or review your endpoints configuration."
Ran netstat -lnpt. Only port 22 is in use by ssh
Server starts up and binds to port 8530 with ssl when using endpoint = ssl://0.0.0.0:8530. Admin website is accessible https://www.website.com:8530/.../
I want the admin UI to be accessible without the need for the additional port 8530, i.e. https://www.website.com/. This was possible to set up in the earlier versions. What am I doing wrong, or is this not possible anymore?
Small application, so I am trying to avoid running another web server in front to forward requests to arango apps. Thank you very much for any direction.
Regards,
Anjan
The problem occurs in conjunction with ArangoDB dropping its root privileges to the specified user by
[server]
endpoint = ssl://0.0.0.0:443
uid=arangodb
This may become possible with ArangoDB 3.0 again, however currently you have to choose one of the workarounds to allow non-root processes to bind lower ports:
authbind
Using the iptables REDIRECT target to redirect a low port to a high port (the "nat" table is not yet implemented for ip6tables, the IPv6 version of iptables)
SELinux or AppArmor
Use the capabilities system available as of Linux kernel 2.6.24 and CAP_NET_BIND_SERVICE capability:
setcap 'cap_net_bind_service=+ep' /usr/sbin/arangod
And then anytime ArangoDB is executed thereafter it will get the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.
More details on the capabilities can be found at:
capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
setcap man page
"Bind ports below 1024 without root on GNU/Linux"
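After applying the setcap workaround above, it is worth confirming what the running daemon actually holds. The following added example (not part of the original answer or of ArangoDB) decodes the capability masks in /proc/<pid>/status; the sample status text and uid 999 are constructed, and the function names are hypothetical.

```python
"""Added example: check a process for CAP_NET_BIND_SERVICE and nothing more."""
CAP_NET_BIND_SERVICE = 10  # bit number defined in <linux/capability.h>

# Constructed sample of /proc/<pid>/status for a non-root daemon started from
# a binary carrying cap_net_bind_service=+ep.
SAMPLE_STATUS = (
    "Name:\tarangod\n"
    "Uid:\t999\t999\t999\t999\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000003fffffffff\n"
)


def parse_caps(status_text):
    """Return the Cap* lines as a dict of name -> integer bit mask."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps


def can_bind_low_ports(status_text):
    """True if the effective set contains CAP_NET_BIND_SERVICE."""
    eff = parse_caps(status_text).get("CapEff", 0)
    return bool((eff >> CAP_NET_BIND_SERVICE) & 1)


def extra_effective_caps(status_text, allowed=(CAP_NET_BIND_SERVICE,)):
    """Capability bits in the effective set beyond the allowed ones.

    An empty list means the process holds only what it needs; a long list
    usually means it is still running as root.
    """
    eff = parse_caps(status_text).get("CapEff", 0)
    return [bit for bit in range(64) if (eff >> bit) & 1 and bit not in allowed]


def read_status(pid="self"):
    """Read the live status text for a PID on Linux."""
    with open(f"/proc/{pid}/status") as fh:
        return fh.read()
```

On a live system, pass `read_status(pid)` for the daemon's PID instead of the constructed sample.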

Running Twisted on Azure Websites

Can Azure Websites host Twisted applications? e.g. something like:
from twisted.internet import reactor
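from twisted.web import server, static
# myresource stands in for the application's root resource (placeholder content)
myresource = static.Data(b"Hello from Twisted", "text/plain")
site = server.Site(myresource)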
reactor.listenTCP(80, site)
reactor.run()
From http://azure.microsoft.com/en-us/documentation/articles/web-sites-python-configure/ it sounds like only WSGI apps are supported, but just wanted to confirm from an Azure Websites expert that there's no way to directly run something like the above.
--
This excerpt from discussion with Glyph (Twisted author) in the #twisted.web IRC channel covers the Twisted half of this question:
16:53:28 glyph: twisted has a WSGI _container_
16:53:34 glyph: twisted _is not_ a WSGI application
16:53:36 glyph: in any part
16:53:43 glyph: so you can't make twisted into a WSGI app
16:53:55 glyph: you can maybe invoke some Twisted code _from_ a WSGI app
16:54:05 glyph: but what that example is doing is speaking HTTP, and WSGI applications have to speak WSGI, they are not allowed to speak HTTP directly.
16:56:47 tos9: crochet?
16:56:56 glyph: tos9: crochet can't eat the inbound HTTP socket
16:56:58 glyph: tos9: so it doesn't help
16:57:11 glyph: you could write a thing that did the _outgoing_ traffic with Twisted, but since you can't handle the inbound request, you're bummed
16:57:37 glyph: basically Twisted's job is doing network I/O and if you're inside a WSGI stack, someone else is already doing the job of doing the network I/O
If there is in fact no way to directly run something like this, it seems like choosing a language other than Python buys you more flexibility on Azure Websites. For example, from http://azure.microsoft.com/en-us/documentation/articles/web-sites-nodejs-develop-deploy-mac/ it looks like you can host a Node app on Azure Websites which speaks HTTP directly. Confirmations or corrections gratefully received.
Please check https://social.msdn.microsoft.com/Forums/en-US/ed1c80c4-4621-4d02-8902-6ecc1166ac8c/running-twisted-on-azure-websites?forum=windowsazurewebsitesprevie&prof=required for the answer.
As you described in Running Twisted on Azure Websites.
What you said is right. For node.js, you can host a Node app on Azure Websites which speaks HTTP directly. Please refer to http://blogs.msdn.com/b/hanuk/archive/2012/05/05/top-benefits-of-running-node-js-on-windows-azure.aspx
For Python, there's no direct way to run Twisted code via HTTP.
Yes, it can. Their main page says
Azure supports any operating system, language, tool, and framework— from Windows to Linux, SQL Server to Oracle, C# to Java.
The page you referenced shows a basic template - it is an example of how to set up a particular WSGI application. You don't have to do it this way.
You can set up a virtual machine and put anything you like on it.
If Twisted doesn't require any specific binaries to be installed (no registry keys, hard coded path requirements, etc) then you can just copy the relevant binaries over with your website and invoke those bits instead.

running a trinidad server (for Rails) under authbind?

I have a Rails app using JRuby that I would like to deploy for production. It's using Trinidad. I would like to run on port 80 without using root. Would authbind be a reasonable choice (on Ubuntu)? What's a good way to configure it?
You are running JRuby, i.e. using a JVM? authbind intercepts the standard socket library calls (e.g. bind() in socket.h). Unfortunately, Java (at least Java 1.6+ in my experience) does not use the standard socket libraries, but uses much lower level syscalls, so authbind does not work with Java.
If you want to run tomcat on port ie, either use nginx or apache as a reverse proxy, or use iptables to rewrite the "destination port" on incoming packets. More details in the tomcat FAQ: http://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F