Running on Privileged Ports¶
For production, you might want to:
- make Crossbar.io listen on ports 80/443, which are the standard ports for both HTTP(S) and (secure) WebSocket
- run Crossbar.io under a dedicated non-root service user
However, Unix-like operating system by default do not allow programs that run non-root to listen on TCP/IP ports <1024.
There are different ways of achieving above, and those ways depend on the OS flavor you use (Linux, FreeBSD, etc).
Here we describe one way that works using Linux Capabilities on kernels >= 2.6.24.
sudo apt-get install libcap2-bin
Now allow the Crossbar.io and PyPy executables to bind privileged ports:
sudo setcap cap_net_bind_service=+ep `which crossbar` sudo setcap cap_net_bind_service=+ep `which pypy` Note that with above, any user on the host that is able to execute PyPy (or Crossbar) will be able to bind privileged ports *with any Python script*. If the host is used by others as well, you might want to restrict *execution permissions* on the binaries again. Also note that using capabilities will disable searching directories for shared libraries from ``LD_LIBRARY_PATH``. See `here <http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path>`__
On FreeBSD, the range of privileged ports which only may be opened by
root-owned processes may be modified by the
net.inet.ip.portrange.reservedhigh sysctl settings.
The values default to the traditional range,
IPPORT_RESERVED - 1 (
To temporarily allow non-root process to bind ports <1024:
To make that setting persist reboots:
echo "net.inet.ip.portrange.reservedhigh=0" >> /etc/sysctl.conf