Using port 80 as non root user #943
Comments
While there's no callback for "post binding" in cohttp, you can avoid launching the binary as root on Linux by running:
This will then allow it to bind to a low port as a non-privileged user.
Thank you Anil for the idea!
balat added a commit to ocsigen/ocsigenserver that referenced this issue Apr 26, 2024
This feature is not supported by cohttp. In mirage/ocaml-cohttp#943, Anil suggests to do that instead: `setcap 'cap_net_bind_service=+ep' <binary file>` to bind a low port to a non-privileged user. I keep OCSIGENUSER in Makefile for install
balat added a commit to ocsigen/ocsigenserver that referenced this issue Jun 7, 2024
This feature is not supported by cohttp. In mirage/ocaml-cohttp#943, Anil suggests to do that instead: `setcap 'cap_net_bind_service=+ep' <binary file>` to bind a low port to a non-privileged user. I keep OCSIGENUSER in Makefile for install
balat added a commit to ocsigen/ocsigenserver that referenced this issue Aug 21, 2024
This feature is not supported by cohttp. In mirage/ocaml-cohttp#943, Anil suggests to do that instead: `setcap 'cap_net_bind_service=+ep' <binary file>` to bind a low port to a non-privileged user. I keep OCSIGENUSER in Makefile for install
Hello,
Ocsigen Server switched to cohttp recently. But there is still a regression:
For security reasons, we don't want to run the server as root user.
To bind port 80 or 443, the server needs to be launched as root, and we switch to another user after binding the ports.
But I don't see a way in cohttp to be alerted just after bind/listen (or to provide a callback to be executed at that moment).
This issue has been discussed here: https://discuss.ocaml.org/t/eliom-runtime-errors-zero-compile-time-errors/10537/14
Thanks in advance!
Vincent
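
A post-install check for the `setcap 'cap_net_bind_service=+ep' <binary file>` approach from this thread, as an added example that is not code from cohttp or Ocsigen: file capabilities are stored in an extended attribute of the file, so reinstalling the binary drops them and `setcap` has to be run again. The function names and the path `/usr/local/bin/srv` are hypothetical, and the sample `getcap` lines are constructed.

```shell
#!/bin/sh
# Added example: check that a binary still carries cap_net_bind_service.
# Function names and /usr/local/bin/srv are hypothetical.

# getcap_caps LINE PATH: print the capability text of one getcap output line.
# Older libcap prints "PATH = caps", newer libcap prints "PATH caps".
getcap_caps() {
    caps=${1#"$2"}          # drop the leading path
    caps=${caps#" = "}      # older layout separator
    caps=${caps#" "}        # newer layout separator
    printf '%s\n' "$caps"
}

# caps_grant_bind CAPS: succeed only if cap_net_bind_service is both
# effective (e) and permitted (p), e.g. "cap_net_bind_service=ep".
caps_grant_bind() {
    for clause in $1; do
        names=${clause%%[=+]*}      # capability list before the first = or +
        flags=${clause#"$names"}    # operator and flag letters, e.g. "+ep"
        case ",$names," in
            *,cap_net_bind_service,*) ;;
            *) continue ;;
        esac
        case "$flags" in
            *e*p*|*p*e*) return 0 ;;
        esac
    done
    return 1
}

# binary_can_bind_low_ports PATH: run getcap on an installed binary.
# An empty getcap result (no file capabilities) counts as failure.
binary_can_bind_low_ports() {
    line=$(getcap "$1" 2>/dev/null) || return 1
    caps_grant_bind "$(getcap_caps "$line" "$1")"
}

# Constructed sample lines, one per layout plus a permitted-only failure case.
for sample in "/usr/local/bin/srv = cap_net_bind_service+ep" \
              "/usr/local/bin/srv cap_net_admin,cap_net_bind_service=ep" \
              "/usr/local/bin/srv cap_net_bind_service=p"; do
    if caps_grant_bind "$(getcap_caps "$sample" /usr/local/bin/srv)"; then
        echo "ok:      $sample"
    else
        echo "missing: $sample"
    fi
done
```

Any user who can execute the file receives the capability, so keep the binary's execute permission as narrow as the deployment allows.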