On Wed, Jun 23, 2010 at 1:47 PM, Mario Moura <[email protected]> wrote:
> Hi Folks
>
> Basic everyone use a third httpServer(apache, nginx, lighttpd) to make
> reverse proxy:
>
> But If I want server with PasteHttpServer like:
>
> production.ini
> [server:main]
> use = egg:Paste#http
> host = myapps
> port = 80
> .......
>
> (ENV)[somehideu...@localhost myapps.com]$ paster serve production.ini
>
> Which disadvantage?
>
> Of course I know that port 80 in Paster can only open with root. Why?
> Serious Why?

It's a basic requirement of Unix. Only root can open ports 1-1023. That reassures network peers that only sysadmin-sanctioned software is running on those ports. Otherwise you could send an SSH request to port 23 and it might do something quite different like log your password and then quit with a fake error. (Of course ssh passwords are encrypted, but you see the general problem.) When this system was set up a long time ago, there were a lot fewer services, so they all fit below #1024. Now there are a lot more services, so newer ones like irc and mysql are outside that zone. But the limitation still remains.

> and if I want server my apps with myHideSuperSecretUser! Let me say a
> RegularUser. How?

You would need a program that opens the port and then changes the effective user. I'm not sure if PasteHTTPServer itself does this, but you can run it under Supervisord or a similar daemon manager, which has this capability.

The main reasons for running Pylons behind a "real" web server are (1) performance, (2) security, (3) ability to fix a malformed HTTP request.

PasteHTTPServer is suitable only for low-traffic sites. CherryPy is considered more robust.

The security issue is that Apache/Nginx/Lighttpd were written by web server experts and have many years of testing and bugfixes behind them. PasteHTTPServer was written for development, and has not been subject to security audits like the dedicated webservers have.

The HTTP-fixing ability is that there are all kinds of clients out there which don't necessarily know what they're doing. A malformed request could crash PasteHTTPServer, but Apache would just rewrite it to make it compliant. This is theoretical; I've never actually heard of a specific bad request that did that, but other people I've talked to and documentation I've read suggest that this is a real possibility, and that a "real" web server is a prudent antidote to it.

Other reasons for using a real webserver are to use the modules: mod_rewrite, mod_ssl, mod_auth, mod_php (ugh), etc. Also, it can serve static files much faster than Pylons can, so it's traditional to have Apache serve things in the 'public' directory (by not proxying them). You can also use that X-Sendfile feature that was discussed a couple weeks ago, to have the Pylons app return a filename which Apache serves.

> "paster http server" in port 5000/8080 is absolute amazing! Why I can't use
> in port 80? If I can please pardon! How?

It has to be a high port, as mentioned above. 8080 is traditional and is used by Zope/Plone among other things. So 5000 was chosen to not conflict with other things that may be running.

--
Mike Orr <[email protected]>
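
The "opens the port and then changes the effective user" pattern mentioned in the reply, sketched in Python as an added example (not code from this thread, Paste, or Supervisord). The account name `appuser` and the function names are hypothetical; the script must be started as root so the bind to port 80 succeeds.

```python
import os
import pwd
import socket
import sys


def open_listener(host, port, backlog=128):
    """Bind the listening socket; ports 1-1023 need root at this point."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(uid, gid, _os=os):
    """Permanently switch from root to uid/gid. Order matters:
    supplementary groups and gid must change while we are still root,
    because after setuid() the process may no longer change them."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to root")
    _os.setgroups([])      # forget root's supplementary groups
    _os.setgid(gid)
    _os.setuid(uid)        # as root this sets real, effective and saved uid
    try:
        _os.setuid(0)      # must fail now; success means the drop was incomplete
    except OSError:
        return
    raise RuntimeError("privileges were not dropped: setuid(0) still succeeds")


def serve_as(user, host="0.0.0.0", port=80):
    """Bind as root, then run everything else as `user`."""
    account = pwd.getpwnam(user)
    sock = open_listener(host, port)          # the only privileged step
    drop_privileges(account.pw_uid, account.pw_gid)
    os.umask(0o077)
    return sock  # hand this already-bound socket to the HTTP server loop


if __name__ == "__main__":
    # "appuser" is a hypothetical unprivileged account; run this as root.
    listener = serve_as(sys.argv[1] if len(sys.argv) > 1 else "appuser")
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```

The bound socket survives the user switch, so the application code that parses requests never runs with root's privileges.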
