Deployment as stand-alone Web Server
If you create an HTTP web application, such as a libmicrohttpd-based project created with the Fano CLI --project-mhd command, you can access the application directly from a web browser using the host and port where the application listens, for example http://localhost:8080.
Another option is to run the application behind a reverse proxy web server such as Apache or Nginx.
Deploy with Fano CLI
The simplest way to set up a Fano web application behind a reverse proxy web server is to deploy the HTTP application with Fano CLI, using --deploy-http=[domain name].
Inside the Fano web application project directory, run
$ sudo fanocli --deploy-http=myapp.me
The command above creates a virtual host for the Apache web server, enables the virtual host configuration, reloads the Apache web server configuration and adds an entry for the myapp.me domain to /etc/hosts.
To set up for the nginx web server, add --web-server=nginx. Without it, the Apache web server is assumed.
$ sudo fanocli --deploy-http=myapp.me --web-server=nginx
If you want to set up manually without Fano CLI, read the sections below.
Skip adding domain name entry in /etc/hosts
By default, the --deploy-* parameter causes a domain name entry to be added to the /etc/hosts file. You may want to set up the domain name with a DNS server manually, or you may not want to touch the /etc/hosts file. You can avoid it by adding the --skip-etc-hosts parameter.
$ sudo fanocli --deploy-http=myapp.me --skip-etc-hosts
Generate virtual host config to standard output
If you want to generate the virtual host configuration without actually modifying the web server configuration, you can use the --stdout command line option.
This option generates the virtual host configuration and prints it to standard output. It is useful if you want to deploy the configuration manually.
Because it does not change any web server configuration, you do not need to run it with root privileges. The following command is sufficient.
$ fanocli --deploy-http=myapp.me --stdout
Change host and port
By default, the Fano CLI --deploy-http parameter uses 127.0.0.1 and 20477 as the host and port respectively. To use different values, you can edit the generated virtual host configuration file or use the --host and --port parameters together with --deploy-http.
$ sudo fanocli --deploy-http=myapp.me --host=192.168.2.2 --port=4000
Apache with mod_proxy_http module
To deploy as an HTTP application with mod_proxy_http, you need to have mod_proxy_http installed and loaded. This module is installed but not enabled by default.
Debian
To enable the module, run
$ sudo a2enmod proxy_http
$ sudo systemctl restart apache2
Create a virtual host configuration and add ProxyPassMatch, for example
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/example/public
    <Directory "/home/example/public">
        Options +ExecCGI
        AllowOverride FileInfo
        Require all granted
    </Directory>
    ProxyRequests Off
    # Anchored so that only paths under /css/, /images/ and /js/ bypass the proxy
    ProxyPassMatch ^/(css|images|js)/ !
    ProxyPassMatch ^/(.*)$ http://127.0.0.1:20477
</VirtualHost>
You may need to replace http://127.0.0.1:20477 with the host and port where your application is listening. If you use a unix domain socket, you need to modify ProxyPassMatch as follows
ProxyPassMatch ^/(.*)$ "unix:/path/to/app.sock|http://127.0.0.1/"
The |http://127.0.0.1/ part is required so that mod_proxy_http is called to handle the request, although the host and port information is ignored.
The two ProxyPassMatch lines tell Apache to serve requests for files inside the css, images and js directories directly and to pass all other requests to our application.
On Debian, save it to /etc/apache2/sites-available, for example as fano-http.conf.
Enable this site and reload Apache
$ sudo a2ensite fano-http.conf
$ sudo systemctl reload apache2
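ProxyPassMatch patterns are regular expressions that are searched for anywhere in the request path and tried in order, so whether the static-file exclusion is anchored decides which requests reach the application. The sketch below is an added example, not part of Fano or Apache: it uses grep -E as a stand-in for Apache's regex engine and constructed request paths to compare an unanchored exclusion, /(css|images|js).*, with an anchored one, ^/(css|images|js)/.

```sh
#!/bin/sh
# Added illustration: emulate ordered ProxyPassMatch evaluation with grep -E.
# Each rule set holds "regex target" pairs, one per line; "!" means "do not proxy".

UNANCHORED='/(css|images|js).* !
^/(.*)$ http://127.0.0.1:20477'

ANCHORED='^/(css|images|js)/ !
^/(.*)$ http://127.0.0.1:20477'

# route RULES PATH -> "static" if the first matching rule is an exclusion,
# "proxy" if it names a backend, "none" if no rule matches.
route() {
    result=none
    while read -r regex target; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$2" | grep -Eq -- "$regex"; then
            [ "$target" = "!" ] && result=static || result=proxy
            break
        fi
    done <<EOF
$1
EOF
    echo "$result"
}

# compare: show how both rule sets route a list of constructed request paths.
compare() {
    for path in /css/site.css /js/app.js /json/users /api/images-report /login; do
        printf '%-20s unanchored=%-7s anchored=%s\n' \
            "$path" "$(route "$UNANCHORED" "$path")" "$(route "$ANCHORED" "$path")"
    done
}
```

Calling compare shows that application routes such as /json/users are kept away from the application by the unanchored exclusion and are proxied once the pattern is anchored.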
Fedora
The differences between Debian and Fedora regarding Apache are mostly the default service name (Debian uses apache2 and Fedora uses httpd), the user Apache runs as (Debian uses www-data while Fedora uses apache) and the default Apache configuration location.
- Create virtual host
Apache main configuration is stored in /etc/httpd/httpd.conf. To add a virtual host configuration, you can add an entry to this file, but the preferred way is to create a configuration file in the /etc/httpd/conf.d/ directory.
In Fedora with Apache 2.4, the /etc/httpd/conf.d/ directory is searched for additional configuration files, so you can just create the virtual host file inside this directory.
- Reload Apache service
Tell Apache to load the configuration by running
$ sudo systemctl reload httpd
Nginx
Create a virtual host configuration file in the /etc/nginx/conf.d directory, for example
server {
    listen 80;
    root /home/example.fano/public;
    server_name example.fano;
    error_log /var/log/nginx/example.fano-error.log;
    access_log /var/log/nginx/example.fano-access.log;
    location / {
        try_files $uri @example.fano;
    }
    location @example.fano {
        proxy_pass http://127.0.0.1:20477;
    }
}
Change proxy_pass to match the host and port where the application is listening.
The last two location blocks tell Nginx to serve a file directly if it exists and otherwise pass the request to our application.
Running on port 80 (http) or 443 (https)
Ports below 1024 can be opened only by root. If you want to serve HTTP requests directly without a reverse proxy, there are several options.
Redirect connections using firewall
You can redirect connections on port 80 to your application port, 8080 for example. Run as root
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
This has a disadvantage on multi-user systems. If your application is shut down, other users may bind to port 8080 and accidentally intercept traffic to port 80, which may not be what they want.
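A check for the situation described above, as an added example that is not part of Fano: it reads the REDIRECT rules and the listening sockets and reports any redirect target that nobody is listening on or that is held by a different user than the application's. It assumes the output formats of iptables -t nat -S PREROUTING and ss -ltne; the appuser account name in the usage comment is hypothetical.

```sh
#!/bin/sh
# Added example: audit REDIRECT rules against the sockets they point to.

# stdin: output of `iptables -t nat -S PREROUTING`; prints "dport target-port".
redirect_targets() {
    awk '/-j REDIRECT/ {
        d = ""; t = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--dport") d = $(i + 1)
            if ($i ~ /^--to-ports?$/) t = $(i + 1)
        }
        if (d != "" && t != "") print d, t
    }'
}

# stdin: output of `ss -ltne`; prints the distinct UIDs listening on port $1.
listener_uids() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] != port) next
        uid = 0                      # ss prints no uid: field for root sockets
        for (i = 6; i <= NF; i++)
            if ($i ~ /^uid:[0-9]+$/) uid = substr($i, 5)
        print uid
    }' | sort -u
}

# audit_redirect EXPECTED_UID RULES SOCKETS: one verdict per rule, status 1 on ALERT.
audit_redirect() {
    rc=0
    targets=$(printf '%s\n' "$2" | redirect_targets)
    while read -r dport target; do
        [ -n "$dport" ] || continue
        uids=$(printf '%s\n' "$3" | listener_uids "$target" | tr '\n' ' ')
        uids=${uids% }
        if [ -z "$uids" ]; then
            echo "ALERT $dport->$target nothing listening, port is free to claim"; rc=1
        elif [ "$uids" = "$1" ]; then
            echo "OK $dport->$target uid $uids"
        else
            echo "ALERT $dport->$target held by uid(s) $uids, expected $1"; rc=1
        fi
    done <<EOF
$targets
EOF
    return $rc
}

# Live use, as root (appuser is a hypothetical account name):
#   audit_redirect "$(id -u appuser)" "$(iptables -t nat -S PREROUTING)" "$(ss -ltne)"
```

Run from cron or a monitoring agent, a non-zero exit status signals that traffic arriving on port 80 is not reaching the intended application.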
Use setuid
Run as root to bind port 80, then drop privileges and become a lower-privileged user as soon as the port is successfully opened. This is what web servers such as Apache or nginx do.
Use CAP_NET_BIND_SERVICE
Since version 2.6.24, the Linux kernel lets you mark an executable with the CAP_NET_BIND_SERVICE capability to allow it to bind to such a port.
$ sudo apt-get install libcap2-bin
$ sudo setcap 'cap_net_bind_service=+ep' /path/to/program
Issue with firewall
In Fedora-based distributions, the firewall is active by default. Read Issue with firewall for more information.
Permission issue with SELinux
Running an HTTP application through a reverse proxy may be subject to the strict security policy of SELinux. Read Permission issue with SELinux for more information.