Privilege drop support for bin/node-http-proxy via --user <username> parameter #203

Closed
wants to merge 6 commits into from

4 participants

@niallo

Problem: Don't want to run my standalone proxy server as root to bind to privileged ports (e.g. 80, 443).

Solution: support privilege drop after socket bind via new --user parameter.

Example:

sudo node-http-proxy --user nobody --port 80 --target localhost:3000
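
The bind-then-drop sequence described above, as an added example that is not code from this pull request. It goes beyond the PR by also changing the group and verifying the result; `dropPrivileges`, `listenThenDrop`, the `group` argument and the injectable `proc` parameter are hypothetical names chosen for illustration.

```javascript
// Added example, not the PR's code. Hypothetical names: dropPrivileges,
// listenThenDrop, and the injectable `proc` (defaults to Node's `process`).
function dropPrivileges(user, group, proc = process) {
  // Nothing to drop when not started as root, or where POSIX ids do not exist.
  if (typeof proc.getuid !== 'function' || proc.getuid() !== 0) return false;

  // Accept a non-empty name or a positive numeric id; anything else
  // (undefined, `true` from a bare flag, 0) must not leave us running as root.
  const valid = (v) =>
    (typeof v === 'string' && v.length > 0) || (Number.isInteger(v) && v > 0);
  if (!valid(user) || !valid(group)) {
    throw new Error('invalid user/group, refusing to keep running as root');
  }

  // Groups first: once the uid is non-zero the process may no longer change them.
  if (typeof proc.setgroups === 'function') proc.setgroups([group]);
  proc.setgid(group);
  proc.setuid(user);

  // Verify the result instead of trusting the calls (e.g. the name "root").
  if (proc.getuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop failed, still uid/gid 0');
  }
  return true;
}

// Bind first (this is the step that needs root for ports below 1024), then drop
// inside the listening callback so the bind has finished.
function listenThenDrop(server, port, user, group, proc = process) {
  server.listen(port, () => {
    try {
      dropPrivileges(user, group, proc);
    } catch (err) {
      server.close(); // fail closed: do not serve traffic as root
      throw err;
    }
  });
}
```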

@niallo

Also added support for setting the "ca" option to createServer() via config.json. This is necessary if you have an SSL cert which requires additional CA certs (like many cheap SSL certs do these days).

@astronouth7303

Would that affect GH-193?

@niallo

No, but making requestCert settable via the config file as I did with ca in this diff should also solve it.

@indexzero
Owner

lgtm. I'll look into merging this soon.

@niallo

@indexzero thanks, that would be great.

@svnlto

+1

@indexzero
Owner

Cherry-picked. Thanks!

@indexzero indexzero closed this
Commits on Feb 27, 2012
  1. @niallo

    problem: don't want to run my server as root to bind to privileged po…

    niallo authored
    …rts (e.g. 80, 443).
    
    solution: support privilege drop after socket bind via new --user <username> parameter.
  2. @niallo
  3. @niallo

    fix loop

    niallo authored
  4. @niallo

    typo

    niallo authored
  5. @niallo

    another typo *sigh*

    niallo authored
  6. @niallo
Showing with 25 additions and 4 deletions.
  1. +25 −4 bin/node-http-proxy
29 bin/node-http-proxy
@@ -16,6 +16,7 @@ var help = [
" --target HOST:PORT Location of the server the proxy will target",
" --config OUTFILE Location of the configuration file for the proxy server",
" --silent Silence the log output from the proxy server",
+ " --user USER User to drop privileges to once server socket is bound",
" -h, --help You're staring at it"
].join('\n');
@@ -24,8 +25,10 @@ if (argv.h || argv.help || Object.keys(argv).length === 2) {
}
var location, config = {},
- port = argv.port || 80,
- target = argv.target;
+ port = argv.port || 80,
+ target = argv.target
+ user = argv.user
+ ;
//
// If we were passed a config, parse it
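Review bot: The comma after `target = argv.target` is missing, so `user = argv.user` on the next line is not part of the `var` list. Automatic semicolon insertion ends the declaration at `target`, and `user` is then assigned as an implicit global (a ReferenceError under strict mode). Write `target = argv.target,` followed by `user = argv.user;` so that `user` is declared with the other locals.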
@@ -41,11 +44,21 @@ if (argv.config) {
}
//
-// If `config.https` is set, then load those files into the config options.
+// If `config.https` is set, then load the required file contents into the config options.
//
if (config.https) {
Object.keys(config.https).forEach(function (key) {
- config.https[key] = fs.readFileSync(config.https[key], 'utf8');
+ // If CA certs are specified, load those too.
+ if (key === "ca") {
+ for (var i=0; i < config.https.ca.length; i++) {
+ if (config.https.ca === undefined) {
+ config.https.ca = [];
+ }
+ config.https.ca[i] = fs.readFileSync(config.https[key][i], 'utf8');
+ }
+ } else {
+ config.https[key] = fs.readFileSync(config.https[key], 'utf8');
+ }
});
}
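Review bot: The `for` loop in the `key === "ca"` branch assumes `config.https.ca` is an array; if the config file gives a single path as a string, the loop walks its characters and passes each one to `fs.readFileSync`. Normalise first, for example by checking `Array.isArray(config.https.ca)` and wrapping a string in a one-element array. The `config.https.ca === undefined` check inside the loop can also go: the loop header has already read `config.https.ca.length`, so the check can never be true at that point.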
@@ -79,6 +92,14 @@ else {
//
server.listen(port);
+
+//
+// Drop privileges if requested
+//
+if (typeof user === 'string') {
+ process.setuid(user);
+}
+
//
// Notify that the server is started
//
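Review bot: `process.setuid(user)` changes only the user id, so after the drop the proxy still runs with root's group id and supplementary groups and keeps whatever access those grant. Call `process.setgid(...)` before `process.setuid(...)` (a `--group` option would sit naturally next to `--user`), because the group can no longer be changed once the uid is non-zero. The `typeof user === 'string'` guard also skips the drop silently whenever the parsed value is not a string, for instance if the argument parser hands back a number for a numeric uid, which leaves the server running as root; exit with an error in that case instead of continuing.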