Port usage and firewall rules
The application listens for connections on the following ports by default, so you will need to ensure that any firewalls are configured accordingly:
Inbound connections:
| Port | Description |
|---|---|
| 8888/tcp | HTTP connections from end-user clients. You might want to redirect these via port 80 (see below). |
| 3000/tcp | HTTP connections to the admin console. |
| 5984/tcp | Private HTTP to the database server (CouchDB). If you are running everything on the same server you can leave this port closed and use the loopback interface. Otherwise you should probably restrict access to only the servers running cdns-frontend and cdns-backend. |
By convention most HTTP servers listen on port 80. However, ports below 1024 are privileged and cannot be bound by a process running as a non-root user, so the application is configured to listen on port 8888 by default.
One solution is to configure iptables to redirect all traffic arriving on port 80 to port 8888. This can be achieved with firewall rules like these:

```sh
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8888 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3000 -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8888
```
Be sure to set the correct interface (eth0 or eth1?) for your environment.
You might also need to enable forwarding:

```sh
sysctl net.ipv4.conf.eth0.forwarding=1
```
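Once the rules are in place it is worth checking that the running ruleset actually matches the layout above, and in particular that the CouchDB port is not accepted on the public interface. The POSIX shell script below is an added example, not part of the cdns project: it parses an `iptables-save` dump, checks for the port 80 redirect and the INPUT rules for 8888 and 3000, and flags a 5984 rule on the public interface or an INPUT chain whose default policy is not DROP. The two dumps are constructed samples; the interface name `eth1` and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example, not part of the cdns project: audit an `iptables-save` dump
# for the port 80 redirect and INPUT rules described on this page, and flag a
# CouchDB port (5984) that is reachable on the public interface.
# Both dumps below are constructed samples, not output from a real host.

# Constructed: the rules from this page applied on eth1, plus a mistaken rule
# that exposes CouchDB (5984) on the public interface.
WEAK_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 5984 -j ACCEPT
COMMIT'

# Constructed: the same host with CouchDB reachable only over loopback.
HARDENED_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
COMMIT'

# rules_in_table DUMP TABLE: print the "-A" rule lines of one table.
# In iptables-save format a table starts with "*name" and ends with COMMIT.
rules_in_table() {
    printf '%s\n' "$1" | awk -v t="*$2" '
        $0 == t    { inside = 1; next }
        /^COMMIT/  { inside = 0 }
        inside && /^-A/'
}

# port_redirected DUMP IFACE FROM TO: is FROM/tcp on IFACE redirected to TO?
port_redirected() {
    rules_in_table "$1" nat |
        grep -q -e "^-A PREROUTING -i $2 -p tcp .*--dport $3 -j REDIRECT --to-ports $4$"
}

# port_accepted DUMP IFACE PORT: does the INPUT chain accept PORT/tcp on IFACE?
port_accepted() {
    rules_in_table "$1" filter |
        grep -q -e "^-A INPUT -i $2 -p tcp .*--dport $3 -j ACCEPT$"
}

# input_policy DUMP: default policy of the filter INPUT chain (ACCEPT or DROP).
input_policy() {
    printf '%s\n' "$1" | awk '/^:INPUT / { print $2; exit }'
}

# audit_frontend_rules DUMP PUBLIC_IFACE: print findings and return the number
# of problems found (0 means the dump matches the layout described on this page).
audit_frontend_rules() {
    dump=$1; iface=$2; problems=0
    if port_redirected "$dump" "$iface" 80 8888; then
        echo "ok: port 80 on $iface is redirected to 8888"
    else
        echo "PROBLEM: no redirect of port 80 to 8888 on $iface"; problems=$((problems + 1))
    fi
    for p in 8888 3000; do
        if port_accepted "$dump" "$iface" "$p"; then
            echo "ok: INPUT accepts $p/tcp on $iface"
        else
            echo "PROBLEM: INPUT does not accept $p/tcp on $iface"; problems=$((problems + 1))
        fi
    done
    # CouchDB should only be reachable over loopback or from the backend hosts.
    if port_accepted "$dump" "$iface" 5984; then
        echo "PROBLEM: CouchDB port 5984 is accepted on public interface $iface"
        problems=$((problems + 1))
    fi
    if [ "$(input_policy "$dump")" != DROP ]; then
        echo "PROBLEM: filter INPUT policy is $(input_policy "$dump"), not DROP"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo run against the constructed dumps. On a real host, pass the live
# ruleset instead: audit_frontend_rules "$(iptables-save)" eth1
echo "--- weak ruleset ---";     audit_frontend_rules "$WEAK_RULES" eth1 || true
echo "--- hardened ruleset ---"; audit_frontend_rules "$HARDENED_RULES" eth1 || true
```

Two details of the sample dumps are worth knowing when reading real output. `iptables-save` writes the REDIRECT target as `--to-ports`, even when the rule was entered with `--to-port`, so that is what the pattern matches. And because the nat PREROUTING rule rewrites the destination port before the filter INPUT chain sees the packet, it is the 8888 ACCEPT rule that admits redirected client traffic; the port 80 ACCEPT rule is harmless but only matters for packets that bypass the redirect.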
Alternatively, you can start the application as root using sudo and have it setuid to an unprivileged user:

```sh
sudo CDNS_PORT=80 node cdns-frontend.js
```
All worker processes will run as the unprivileged user. However, the master process, which is responsible for re-spawning workers, will continue to operate as root. Bear this in mind when choosing between the two approaches: any flaw in the master process would be running with root privileges, whereas the iptables redirect above lets every part of the application run unprivileged.