Which ports should I listen on in node.js? How and why?

Date: 2021-11-06 18:11:41

My node.js applications I have listening on port 80 for http and 443 for https, which I believed was fairly standard practice.

However a number of examples I have read recently use other ports (e.g. 8080 and 8081) for listening to http/https, and then use other means such as iptables or ufw rules to serve ports 80 / 443 via rerouting packets to/from the others.

See two examples here and here.

So my question is why would I not want to listen directly to ports 80 and 443?

Are there security issues at hand? Is it simply a case of these authors not having permissions to listen on ports lower than 1024 (I'd find this surprising?)? Do most people run Apache alongside node? (I do not).

Assuming there is a good reason for why I don't want to listen directly to 80 and/or 443, which method should I be using to relay traffic from 80 / 433 to my alternative ports of choice?

I have mentioned iptables and ufw above, is one of these better than the others, or is there some other method I should be using? Does the answer depend on whether I'm balancing my load between processes?

Thanks in advance.

1 solution

#1


14  

The first line of the first article you linked to mentions the reason.

Standard practices say no non-root process gets to talk to
the Internet on a port less than 1024.

For node to bind to port 80 or 443, you would need to run it as root, which is not a good idea.

The method you use to reroute traffic to the higher ports is up to you. The iptables is the least resource-intensive and simplest. Another method would be to use NginX/Apache to proxy to Node. I'd say the main benefit of that method is that you can then also serve things like static files from there, and not have to serve them through Node.

Apache and NginX are both designed explicitly to be very good at serving static files, so they are extremely good at it, whereas Node is a whole JS environment, with all the overhead that involves. Node is great at handling lots of simultaneous connections, and it can certainly serve files perfectly well for normal loads, but it will use more resources than NginX to do it.

Using an HTTP-aware proxy like Apache/NginX also means that you can very easily set up multiple instances of Node to run different subdomains, or even different paths on the same domain.
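
Added example (not part of the original answer): a Node entry point that enforces the setup described above by refusing to run as root, listening only on a port of 1024 or higher, and choosing its bind address according to whether an iptables redirect or a local NginX/Apache proxy sits in front. The names `planListen`, `start`, `PORT`, `BEHIND_PROXY` and the `--serve` flag are assumptions made for this illustration.

```javascript
'use strict';

// Decide where an unprivileged Node process should listen.
// uid: numeric user id (process.getuid() on POSIX); env: environment variables.
function planListen(uid, env) {
  if (uid === 0) {
    throw new Error('refusing to run as root; start as an unprivileged user');
  }
  const port = Number(env.PORT || 8080);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid PORT: ${env.PORT}`);
  }
  if (port < 1024) {
    throw new Error(`port ${port} is privileged; listen on >= 1024 and redirect 80/443 to it`);
  }
  // Behind NginX/Apache on the same host only the proxy needs to reach Node,
  // so bind to loopback. An iptables REDIRECT delivers the packet to the
  // address of the interface it arrived on, so Node must bind to all
  // interfaces (the high port is then also reachable directly unless filtered).
  const host = env.BEHIND_PROXY === '1' ? '127.0.0.1' : '0.0.0.0';
  return { host, port };
}

function start() {
  // Loaded here so planListen can be exercised without any side effects.
  const http = require('node:http');
  // process.getuid is absent on Windows; -1 means "not applicable" there.
  const uid = typeof process.getuid === 'function' ? process.getuid() : -1;
  const { host, port } = planListen(uid, process.env);
  const server = http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('hello from an unprivileged process\n');
  });
  server.listen(port, host, () => {
    console.log(`listening on ${host}:${port} as uid ${uid}`);
  });
  return server;
}

// Redirect rule this pairs with (run once as root, outside Node):
//   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
if (process.argv.includes('--serve')) start();
```

Start it with `node server.js --serve` as a non-root user; set `BEHIND_PROXY=1` when NginX or Apache on the same host proxies to it.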
