| Author |
Message |
|
| Guest |
Posted: Wed Nov 15, 2006 8:35 pm |
|
|
|
Guest
|
Greetings,
I've been running/testing Yaws on port 8080 for a few weeks and have
now reached the point where I feel I can replace apache:80 with
yaws:80. However, I'm not clear on how to best run yaws on port 80
under a non-root user account ('www-data' in my case).
The docs talk about 'use_fdsrv', but also say that it doesn't
currently work for SSL, so that's out.
I've also seen mention of using iptables to redirect from :80 -> :8080
in which case I could continue running yaws on port 8080. I don't
like this idea though because it means I'd have essentially two copies
of the website running, one on port 8080 and another on the redirected
port 80, both reachable by the Internet. If the 8080 version of the
site gets leaked into search engines that's a problem. iptables is
also complex, and redirection doesn't work for localhost.
Then there's a patch to hack the Linux kernel into allowing non-root
users to open ports < 1024. I might consider this if it was a .CONFIG
option, but hand-hacking the Linux source means I have to apply a
custom patch every time I upgrade my kernel. Also, it's not clear
what unintended consequences such a patch might have on a production
system.
Any reason why Yaws doesn't just have a small piece of compiled C that
changes uid to the non-root user once yaws is started by root? This
is how apache and every other httpd server that I can think of works.
What am I missing?
--
Cheers, L |
|
|
|
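The start-as-root, bind, then change uid sequence the first post asks about, as an added example that is not from the thread or from Yaws. `bind_listener` and `drop_privileges` are hypothetical names; `www-data` is the account named in the post.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen while still privileged; returns the socket or -1. */
int bind_listener(const char *addr, unsigned short port)
{
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to an unprivileged uid/gid. Order matters: the group
 * list and gid can only be changed while still root, so the uid goes last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;            /* that is not a drop */
    if (setgroups(1, &gid) < 0) return -1;          /* shed root's extra groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Verify the drop took effect and cannot be undone. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("www-data");       /* account from the post */
    int fd = bind_listener("0.0.0.0", 80);          /* the only step needing root */
    if (!pw || fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        fprintf(stderr, "startup failed; refusing to serve as root\n");
        return 1;
    }
    printf("fd %d listening on :80 as uid %d\n", fd, (int)getuid());
    return 0;   /* a real server would accept() on fd, or exec with it inherited */
}
```

The socket stays usable after the drop because the privilege check happens at `bind()`, not on later `accept()` calls.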
| tobbe |
Posted: Wed Nov 15, 2006 9:41 pm |
|
|
|
User
Joined: 19 Jan 2005
Posts: 274
Location: Stockholm, Sweden
|
|
|
| Guest |
Posted: Wed Nov 15, 2006 9:54 pm |
|
|
|
Guest
|
On 11/15/06, Torbjorn Tornkvist <tobbe@tornkvist.org> wrote:
> > I've been running/testing Yaws on port 8080 for a few weeks and have
> > now reached the point where I feel I can replace apache:80 with
> > yaws:80. However, I'm not clear on how to best run yaws on port 80
> > under a non-root user account ('www-data' in my case).
> >
> > The docs talk about 'use_fdsrv', but also say that it doesn't
> > currently work for SSL, so that's out.
>
> You can use 'stunnel' to terminate SSL and forward to another port.
Then I'd be running the site on two ports, the real port and the
forwarded port 443. Not a good option, but thanks anyway.
--
Cheers, L |
|
|
|
| Guest |
Posted: Wed Nov 15, 2006 10:45 pm |
|
|
|
Guest
|
|
|
| Guest |
Posted: Wed Nov 15, 2006 10:53 pm |
|
|
|
Guest
|
On 11/15/06, Claes Wikstrom <klacke@tail-f.com> wrote:
> Not necessarily, you could run stunnel:443 --> localhost:$ANYPORT
>
> That way you'd only advertise one port.
I guess that's possible. But think about how messy this becomes for a
whole server solution (port 80 & port 443).
> The change user code we had earlier sucked big-time.
Maybe the code could be improved then?
> The best solution is the BSD solution where a simple sysctl turns off the
> idiotic port 1024 restriction.
Not all of us run BSD. Also, there are systems where admins don't
want any user to be able to start up a service on a privileged port.
> About a year ago I also looked into linux capabilities which
> is meant to be used for precisely this. Couldn't get it to work the
> way I wanted though.
I also spent some time looking at this recently, and also couldn't get
it to work right. It also seems very poorly documented and not
utilized much which seems odd.
--
Cheers, L |
|
|
|
| Guest |
Posted: Wed Nov 15, 2006 11:47 pm |
|
|
|
Guest
|
|
|
| Guest |
Posted: Wed Nov 15, 2006 11:55 pm |
|
|
|
Guest
|
On 11/15/06, Bruce Fitzsimons <bruce@fitzsimons.org> wrote:
>
> Count László de Almásy wrote:
> > On 11/15/06, Claes Wikstrom <klacke@tail-f.com> wrote:
> >
> >
> >> The best solution is the BSD solution where a simple sysctl turns off the
> >> idiotic port 1024 restriction.
> >>
> >
> > Not all of us run BSD. Also, there are systems where admins don't
> > want any user to be able to start up a service on a privileged port.
> >
> >
> László,
>
> I think this is the core of your problem. Either you get permission to
> start the erlang vm as root on a privileged port or you don't. fd_srv
> still required root to bless it, so I don't think this is a huge win,
> and was a bit clunky.
>
> Klacke has described the workarounds available to you, these same
> workarounds apply to other virtual-machine based solutions -- see
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200212.mbox/%3C3DEF6E69.9010201@joedog.org%3E
> for some discussion about the same issue for tomcat. Not that it helps.
>
> Putting a proxy such as http://www.apsis.ch/pound/ in front may be what
> you want. stunnel works, but requires ongoing maintenance per server.
> The other option is to put apache on the front, and proxy the dynamic
> bits to yaws, which is what I (and many others) do -- there is so much
> built on top of apache that it is hard to justify my effort of getting
> standard php apps (for example) to work properly/quickly/reliably
> against yaws -- you can, but wouldn't you rather be writing your
> application in erlang?
>
> I'm not knocking yaws, but it took me a while to recognise that I didn't
> want to be a trailblazer getting tested, stable, webapps (gallery for
> example) to work under yaws. I also decided I had more important things
> to do than reinvent some very well constructed wheels that happened to
> be in the wrong language :-)
As a point of reference I'm running yaws on a >1024 port with nginx as
the proxy. nginx is incredibly fast and scales WAY higher than pound.
It also does SSL.
Right now I'm putting roughly 6 req/sec to Yaws (currently in limited
beta), but on another project I've put over 500 req/sec through nginx
to a Python based web server (both single processes) with no problem.
I expect to scale at least as high per server on this Yaws project.
nginx also makes it very easy to upgrade and change configuration by
sending it signals, which results in zero downtime because it's
graceful.
-bob
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Erlyaws-list mailing list
Erlyaws-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/erlyaws-list
Post received from mailing list |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 12:08 am |
|
|
|
Guest
|
On 11/15/06, Bruce Fitzsimons <bruce@fitzsimons.org> wrote:
> Putting a proxy such as http://www.apsis.ch/pound/ in front may be what
> you want. stunnel works, but requires ongoing maintenance per server.
I hadn't heard of pound before, but will look into it, thanks. Looks
like there's a Debian package for it too.
> The other option is to put apache on the front, and proxy the dynamic
> bits to yaws, which is what I (and many others) do -- there is so much
> built on top of apache that it is hard to justify my effort of getting
> standard php apps (for example) to work properly/quickly/reliably
> against yaws -- you can, but wouldn't you rather be writing your
> application in erlang?
Part of my motivation is to completely get rid of Apache. It's large
and bloated, and even after using it for a decade, I barely understand
the complex configuration just enough to get it working. If you've
been following my messages on this list as of late, you'll see that I
have been trying to get standard php/cgi apps to work
properly/quickly/reliably under yaws by writing appmods and the like.
I've been successful at this. So far I have Wordpress (php), Mailman,
and MoinMoin all working perfectly under yaws. I feel confident that
more or less any app can be made to work under yaws with a bit of
erlang coding. Or at least, those that I use on my sites.
> but it took me a while to recognise that I didn't
> want to be a trailblazer getting tested, stable, webapps (gallery for
> example) to work under yaws.
Haha, I guess that's exactly what I've been doing, probably to the
annoyance of Klacke and others on here.
--
Cheers, L |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 12:10 am |
|
|
|
Guest
|
On 11/15/06, Bob Ippolito <bob@redivi.com> wrote:
> As a point of reference I'm running yaws on a >1024 port with nginx as
> the proxy. nginx is incredibly fast and scales WAY higher than pound.
> It also does SSL.
This is the Russian program, right?
I'll investigate this too. Also looks like there's a Debian package
for it. I love Debian.
Ideally using reverse proxy will only be necessary until the Erlang
fixes SSL enough to allow fdsrv to use it. Then I can use fdsrv
instead for simplicity and not having to maintain yet another software
package.
--
Cheers, L |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 7:48 pm |
|
|
|
Guest
|
On 11/15/06, Count László de Almásy <calmasy@gmail.com> wrote:
> On 11/15/06, Bob Ippolito <bob@redivi.com> wrote:
>
> > As a point of reference I'm running yaws on a >1024 port with nginx as
> > the proxy. nginx is incredibly fast and scales WAY higher than pound.
> > It also does SSL.
>
> This is the Russian program, right?
Correct.
> I'll investigate this too. Also looks like there's a Debian package
> for it. I love Debian.
Yes, it's the Russian one. The English docs are up to snuff these days though.
FWIW, I tried Pound, and it fell over because it depends on
thread-per-connection. I can't recommend using it in any production
scenario when you're expecting lots of load. It did handle more
traffic than Apache's mod_proxy, but that's really not saying a whole
lot.
I have heard of yet another player recently, Varnish. I have not tried
it nor do I know anyone else who is using it to handle a lot of
traffic. It might be worth looking at:
http://varnish.projects.linpro.no/
Whatever you end up using, I strongly recommend that you do *not*
bother with lighttpd. Its reverse proxy implementation leaks memory,
the code is pretty sloppy and they're very irresponsible about fixing
bugs on a reasonable time frame. Nginx on the other hand gets a new
release within days whenever something is discovered, and it has a
very descriptive changelog so it's easy to decide if it's worth
upgrading.
> Ideally using reverse proxy will only be necessary until the Erlang
> fixes SSL enough to allow fdsrv to use it. Then I can use fdsrv
> instead for simplicity and not having to maintain yet another software
> package.
Well, it doesn't sound like the Yaws implementation of reverse proxy
is trustworthy, nor does it have load balancing features. If you
wanted to run Apache+mod_dav_svn behind it, you'd probably be screwed.
I'd still recommend using a reverse proxy like nginx. You'll probably
need the load balancing capabilities eventually.
-bob
Post received from mailing list |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 8:09 pm |
|
|
|
Guest
|
On 11/16/06, Bob Ippolito <bob@redivi.com> wrote:
> Well, it doesn't sound like the Yaws implementation of reverse proxy
> is trustworthy, nor does it have load balancing features.
How do you mean?
--
Cheers, L |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 8:25 pm |
|
|
|
Guest
|
On 11/16/06, Count László de Almásy <calmasy@gmail.com> wrote:
> On 11/16/06, Bob Ippolito <bob@redivi.com> wrote:
> > Well, it doesn't sound like the Yaws implementation of reverse proxy
> > is trustworthy, nor does it have load balancing features.
>
> How do you mean?
The last changelog note on reverse proxy support for Yaws is:
"Many reverse proxy bugs fixed. Maybe the reverse proxy is actually
working now. It was never especially good. Try it. (mikl)"
I wouldn't really bother with that when I know there are other
solutions that work extremely well.
Load balancing is basically reverse proxy but you decide to send
traffic to a pool of servers based on some metric instead of just one
server.
-bob
Post received from mailing list |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 8:34 pm |
|
|
|
Guest
|
On 11/16/06, Bob Ippolito <bob@redivi.com> wrote:
> The last changelog note on reverse proxy support for Yaws is:
> "Many reverse proxy bugs fixed. Maybe the reverse proxy is actually
> working now. It was never especially good. Try it. (mikl)"
>
> I wouldn't really bother with that when I know there are other
> solutions that work extremely well.
I don't really want to do reverse proxy though. I just want to set
``use_fdsrv = true'' in my yaws.conf and have it work for both port 80
as well as 443. Until the SSL support is there I will use nginx to
handle port 443.
--
Cheers, L |
|
|
|
| Guest |
Posted: Thu Nov 16, 2006 10:14 pm |
|
|
|
Guest
|
|
|
|
|
All times are GMT
|
|
|
|
|