best way to bind webserver to port 80 without running as root
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Jan 4 11:42:44 UTC 2012
On 04/01/2012 10:10, Dino Vliet wrote:
> suddenly I'm facing this quest on freebsd 8. I need to bind my little
> webserver running aolserver to port 80. In the past I was always
> using port 8080 and had my router configured to forward requests on
> port 80 to the server on port 8080. However, I am planning to host my
> little site on a virtual server with a hosting company and figured I
> can't use the workaround I always used. So my question is, how to
> bind aolserver to port 80 without running as root as I understood
> ports below 1024 can only be used by root. I found a sysctl
> net.inet.ip.portrange.reservedhigh which enables me to set it to 0.
> However, I don't know what the security ramifications are of using
> that. Are there any other options I could consider?
There are lots of ways to do this. The hard part is deciding which one
is most appropriate. Let's see...
* Allow non-root to bind to port 80
Yes, this does have security implications, but they may not be
relevant in your situation. If you can guarantee that any
non-root process on your system is as trustworthy as a root owned
process then it should be OK. Meaning you don't have any other
users and the system is secured against code injection attacks,
etc.
Probably the hardest to get right, and not really anything I'd
recommend.
* Use one of the built-in firewalls to do port redirection.
Similarly to the way you were using your router previously.
So, for example in pf(4) you could do something like this:
rdr pass inet proto tcp from any to $ext_if port 80
-> 127.0.0.1 port 8080
Arrange for your aolserver instance to bind to the loopback
interface port 8080 and you're all set. You can use ipfw(8)
to the same effect if preferred. Note: this probably won't
work if your virtual server is a jail, as in that case (a) you
won't have a loopback interface you can use like that and (b)
firewall rules would have to be set up in the host environment,
not the jail.
* Use a proxy server bound to port 80, that internally redirects
queries to your aolserver on port 8080. You can just do a direct
proxy using e.g. pound or apache or nginx or lighttpd so that
every request is simply forwarded to the aolserver on port 80.
Or you can get clever and
-- serve static content (e.g. images, CSS etc.) by type directly
from the proxy webserver. This relieves your heavyweight
app-server from dealing with all the trivial stuff and is
much more efficient.
-- Use the reverse proxy for SSL offload, if you're using
HTTPS. This can both simplify the configuration of your
app server and provide a performance boost for some sites.
-- Implement a reverse proxy /cache/. Instead of going back
to the origin server and regenerating each page every time
anyone asks for it, cache a copy of the response the last
time that page was requested and reply with that. apache
has a reasonably good proxy module, but consider also such
packages as squid or varnish which are specifically
written to do this. Done right, this can make a huge
difference to webserver performance.
Note: if you implement a reverse proxy cache, generally you don't need
to also implement the dispatching requests by type thing as well.
Static content should have a long TTL and be preferentially served out
of the cache thus achieving the same effect automatically.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
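The reverse-proxy option from the reply above, worked through as an added example (not from the original thread or from the nginx or AOLserver projects): nginx binds port 80/443 in its root master process and hands the sockets to unprivileged workers, serves static files by type, offloads TLS and keeps a response cache, while AOLserver listens only on 127.0.0.1:8080. All paths, the server name and the certificate locations are assumed placeholders.

```nginx
# Assumed location: /usr/local/etc/nginx/nginx.conf (FreeBSD port layout)
user  www;                     # workers drop to this unprivileged user
worker_processes  2;

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;

    # On-disk cache for the reverse-proxy /cache/ option
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app:10m
                     max_size=200m inactive=1h;

    upstream aolserver {
        server 127.0.0.1:8080;  # app server bound to loopback only
    }

    server {
        listen 80;
        listen 443 ssl;         # TLS offload: the app server only ever sees plain HTTP
        server_name example.com;                          # placeholder
        ssl_certificate     /usr/local/etc/ssl/site.crt;  # placeholder
        ssl_certificate_key /usr/local/etc/ssl/site.key;  # placeholder

        # Static content by type, served straight from disk with a long TTL
        location ~* \.(png|jpe?g|gif|ico|css|js)$ {
            root    /usr/local/www/site/static;           # assumed path
            expires 7d;
            add_header Cache-Control "public";
        }

        # Everything else goes to AOLserver through the cache
        location / {
            proxy_pass http://aolserver;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache       app;
            proxy_cache_valid 200 10m;
            proxy_cache_use_stale error timeout updating;
        }
    }
}
```

With AOLserver configured to listen on 127.0.0.1:8080 it is unreachable from outside the host, so only nginx's master process ever needs the privilege to bind a port below 1024.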