Re: [sage-devel] Re: Sage server port forwarding
On Friday, June 8, 2012 5:33:48 AM UTC+1, William wrote:
> > Maybe it's also worth looking into authbind. I use it for quite a while now
> > to run sage.mderickx.nl natively on a privileged port. authbind is a Linux
> > tool which allows you to configure which non privileged users can use which
> > non privileged ports.
>
> Just curious -- by "non privileged" here do you mean "privileged"?

authbind is a Linux tool which allows you to configure which non-privileged users can use which privileged ports. It's also an LD_PRELOAD hack so I'm not too fond of it.

The best solution IMHO is to use the new (Linux kernel 2.6.24+) CAP_NET_BIND_SERVICE option. That is:

    setcap 'cap_net_bind_service=+ep' $SAGE_LOCAL/bin/python

should do the trick. I haven't tried this () myself.

There is a slight improvement of the setcap technique with capsh as discussed on
http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l

--
To post to this group, send an email to sage-devel@googlegroups.com
To unsubscribe from this group, send an email to sage-devel+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-devel
URL: http://www.sagemath.org
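Added example, not part of the message above or of Sage: a Python check that a running server holds CAP_NET_BIND_SERVICE and nothing more, by decoding the capability masks in /proc/<pid>/status. The sample status text and the function names are constructed for illustration; keep in mind that a file capability set on $SAGE_LOCAL/bin/python applies to every script that interpreter runs.

```python
# Added example (not from the thread): audit a process's capability sets.
CAP_NET_BIND_SERVICE = 10  # bit number defined in <linux/capability.h>

# Constructed /proc/<pid>/status excerpts: a notebook started from an
# interpreter with cap_net_bind_service=+ep, and the same server run as root.
SAMPLE_SETCAP = (
    "Name:\tpython\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t0000003fffffffff\n"
)
SAMPLE_ROOT = (
    "Name:\tpython\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
)


def capability_sets(status_text):
    """Parse the Cap* hex masks out of /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            sets[key] = int(value.strip(), 16)
    return sets


def audit_bind_capability(status_text):
    """Return 'cannot-bind', 'least-privilege' or 'over-privileged'."""
    sets = capability_sets(status_text)
    wanted = 1 << CAP_NET_BIND_SERVICE
    effective = sets.get("CapEff", 0)
    if not effective & wanted:
        return "cannot-bind"  # binding below port 1024 is refused by default
    # Anything beyond the one bit, in the effective or permitted set,
    # is privilege the server does not need for binding port 443.
    extra = (effective | sets.get("CapPrm", 0)) & ~wanted
    return "over-privileged" if extra else "least-privilege"


def read_status(pid="self"):
    """Read the live status file of a process (Linux only)."""
    with open("/proc/%s/status" % pid) as handle:
        return handle.read()


if __name__ == "__main__":
    for name, text in (("setcap", SAMPLE_SETCAP), ("root", SAMPLE_ROOT)):
        print(name, audit_bind_capability(text))
```

On a live system, pass the notebook server's pid to `read_status` and feed the result to `audit_bind_capability`.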
Re: [sage-devel] Re: Sage server port forwarding
On Thu, Jun 7, 2012 at 7:23 PM, Maarten Derickx wrote:
> On Thursday, June 7, 2012 05:20:02 UTC+2, Nils Bruin wrote:
> > As remarked on:
> >
> > http://wiki.sagemath.org/SageServer
> >
> > it's essentially impossible to safely run sage to natively listen on
> > port 80 or port 443, because these are privileged ports and sage
> > currently doesn't have convenient mechanisms to relinquish privileges
> > after opening the port.
>
> Maybe it's also worth looking into authbind. I use it for quite a while now
> to run sage.mderickx.nl natively on a privileged port. authbind is a Linux
> tool which allows you to configure which non privileged users can use which
> non privileged ports.

Just curious -- by "non privileged" here do you mean "privileged"?

> Note that in my case I still can't use port 80 or 443
> since apache already needs to listen to those ports to serve other
> webpages.

--
William Stein
Professor of Mathematics
University of Washington
http://wstein.org
[sage-devel] Re: Sage server port forwarding
On Thursday, June 7, 2012 05:20:02 UTC+2, Nils Bruin wrote:
> As remarked on:
>
> http://wiki.sagemath.org/SageServer
>
> it's essentially impossible to safely run sage to natively listen on
> port 80 or port 443, because these are privileged ports and sage
> currently doesn't have convenient mechanisms to relinquish privileges
> after opening the port.

Maybe it's also worth looking into authbind. I use it for quite a while now to run sage.mderickx.nl natively on a privileged port. authbind is a Linux tool which allows you to configure which non privileged users can use which non privileged ports.

Note that in my case I still can't use port 80 or 443 since apache already needs to listen to those ports to serve other webpages.
[sage-devel] Re: Sage server port forwarding
On 6/6/12 10:20 PM, Nils Bruin wrote:
> Another solution is to use "iptables nat" to forward the port:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8000

Just double-checking: this means that you run with secure=True, and the notebook itself does the SSL, right?

Thanks,

Jason
[sage-devel] Re: Sage server port forwarding
Nils Bruin writes:
> As remarked on:
>
> http://wiki.sagemath.org/SageServer
>
> it's essentially impossible to safely run sage to natively listen on
> port 80 or port 443, because these are privileged ports and sage
> currently doesn't have convenient mechanisms to relinquish privileges
> after opening the port.
>
> The solution on the above wikipage is to use Apache to set up a
> forward proxy, delegating the SSL layer to Apache in the process.
>
> Another solution is to use "iptables nat" to forward the port:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8000
>
> Any comments on the pros and cons of these approaches? I thought one
> of the pros is that iptables is virtually sure to be running already,
> whereas apache might not be.

I used iptables to run our university's Sage server on external port 80 but internal port 8000. It worked, and still works, without any problems.

I agree that it would be good to mention this on the wiki page.

-Keshav

Join us in #sagemath on irc.freenode.net !
[sage-devel] Re: Sage server port forwarding
On 6/6/12 10:20 PM, Nils Bruin wrote:
> As remarked on:
>
> http://wiki.sagemath.org/SageServer
>
> it's essentially impossible to safely run sage to natively listen on
> port 80 or port 443, because these are privileged ports and sage
> currently doesn't have convenient mechanisms to relinquish privileges
> after opening the port.
>
> The solution on the above wikipage is to use Apache to set up a
> forward proxy, delegating the SSL layer to Apache in the process.
>
> Another solution is to use "iptables nat" to forward the port:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8000
>
> Any comments on the pros and cons of these approaches? I thought one
> of the pros is that iptables is virtually sure to be running already,
> whereas apache might not be.
>
> If iptables is safe for this purpose, perhaps a good idea to add it to
> one of the wiki pages? There is also
>
> http://wiki.sagemath.org/DanDrake/JustEnoughSageServer
>
> which links to the first page, but the first does not link to that
> one. Perhaps add one? The instructions complement each other quite
> nicely.

It's a wiki page; please edit it to make it better. I saw the SageServer instructions as an update to the JustEnoughSageServer instructions.

Thanks,

Jason
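Added example, not part of the thread or of Sage: the REDIRECT rule hands port-443 traffic to port 8000, an unprivileged port that any local account may bind whenever the notebook is not running, so this Python check reads /proc/net/tcp and reports which uid owns the listener behind the redirect. The sample table, the uid 1001 for the Sage service account and the function names are constructed for illustration.

```python
# Added example (not from the thread): who owns the REDIRECT target port?
REDIRECT_TARGET_PORT = 8000  # the --to-port value used in the thread
TCP_LISTEN = "0A"            # LISTEN state code in /proc/net/tcp

# Constructed /proc/net/tcp excerpt: a listener on 0.0.0.0:8000 owned by
# uid 1001, an unrelated listener on 127.0.0.1:3306, and one established
# connection to port 8000 (state 01) that must not count as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 15234
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 11873
   2: 0F00000A:1F40 6300000A:D2A4 01 00000000:00000000 00:00000000 00000000  1001        0 15301
"""


def listeners(proc_net_tcp, port):
    """Return [(local_address_hex, uid)] for LISTEN sockets on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        address, _, port_hex = fields[1].partition(":")
        if fields[3] == TCP_LISTEN and int(port_hex, 16) == port:
            found.append((address, int(fields[7])))  # column 8 is the uid
    return found


def check_redirect_target(proc_net_tcp, port, expected_uid):
    """Return 'ok', 'no-listener' or 'unexpected-owner' for the target port."""
    owners = listeners(proc_net_tcp, port)
    if not owners:
        return "no-listener"  # port is free: any local user could bind it
    if all(uid == expected_uid for _, uid in owners):
        return "ok"
    return "unexpected-owner"


if __name__ == "__main__":
    # On a live host, read /proc/net/tcp (and /proc/net/tcp6, same columns).
    print(check_redirect_target(SAMPLE_PROC_NET_TCP, REDIRECT_TARGET_PORT, 1001))
```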