Deployment as stand-alone Web Server

If you create an http web application, such as a libmicrohttpd-based project created using Fano CLI with the --project-mhd command, you can access the application directly from a web browser using the host and port where the application listens, for example http://localhost:8080.

The alternative is to run the application behind a reverse proxy web server such as Apache or Nginx.

Deploy with Fano CLI

The simplest way to set up a Fano web application behind a reverse proxy web server is to deploy the http application using Fano CLI with --deploy-http=[domain name].

Inside the Fano web application project directory, run

$ sudo fanocli --deploy-http=myapp.me

The command above creates a virtual host for the Apache web server, enables the virtual host configuration, reloads the Apache web server configuration and adds an entry for the myapp.me domain to /etc/hosts.

To set up for the nginx web server, add --web-server=nginx. Without it, Apache is assumed.

$ sudo fanocli --deploy-http=myapp.me --web-server=nginx

If you want to set up manually without Fano CLI, read the section below.

Skip adding domain name entry in /etc/hosts

By default, a --deploy-* parameter adds a domain name entry to the /etc/hosts file. You may want to set up the domain name with a DNS server manually, or you may not want to touch the /etc/hosts file. You can avoid it by adding the --skip-etc-hosts parameter.

$ sudo fanocli --deploy-http=myapp.me --skip-etc-hosts

Generate virtual host config to standard output

If you want to generate the virtual host configuration without actually modifying the web server configuration, use the --stdout command line option. This option generates the virtual host configuration and prints it to standard output. It is useful if you want to deploy the configuration manually.

Because it does not change any web server configuration, you do not need to run it with root privileges. The following command is sufficient.

$ fanocli --deploy-http=myapp.me --stdout

Change host and port

By default, the --deploy-http parameter uses 127.0.0.1 and 20477 as host and port respectively. To use different values, edit the generated virtual host configuration file or pass the --host and --port parameters together with --deploy-http.

$ sudo fanocli --deploy-http=myapp.me --host=192.168.2.2 --port=4000

Apache with mod_proxy_http module

To deploy as an http application with mod_proxy_http, you need to have mod_proxy_http installed and loaded. This module is installed but not enabled by default.

Debian

To enable the module,

$ sudo a2enmod proxy_http
$ sudo systemctl restart apache2

Create virtual host config and add ProxyPassMatch, for example

<VirtualHost *:80>
     ServerName www.example.com
     DocumentRoot /home/example/public

     <Directory "/home/example/public">
         Options +ExecCGI
         AllowOverride FileInfo
         Require all granted
     </Directory>

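    ProxyRequests Off
    # Serve the css, images and js directories from DocumentRoot. The pattern is
    # anchored so that application routes such as /json are still proxied.
    ProxyPassMatch ^/(css|images|js)/ !
    # Everything else goes to the application.
    ProxyPassMatch ^/(.*)$ http://127.0.0.1:20477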
</VirtualHost>

You may need to replace http://127.0.0.1:20477 with the host and port where your application is listening. If you use a unix domain socket, modify ProxyPassMatch as follows

ProxyPassMatch ^/(.*)$ "unix:/path/to/app.sock|http://127.0.0.1/"

The |http://127.0.0.1/ part is required so that mod_proxy_http is called to handle the request, although its host and port information is ignored.

The two ProxyPassMatch lines tell Apache to serve requests for files inside the css, images and js directories directly and to pass all other requests to our application.

On Debian, save it to /etc/apache2/sites-available, for example as fano-http.conf.

Enable this site and reload Apache

$ sudo a2ensite fano-http.conf
$ sudo systemctl reload apache2

Fedora

The differences between Debian and Fedora regarding Apache are mostly the default service name (Debian uses apache2 and Fedora uses httpd), the user Apache runs as (Debian uses www-data while Fedora uses apache) and the default Apache configuration location.

  • Create virtual host

Apache main configuration is stored in /etc/httpd/httpd.conf. To add a virtual host configuration, you can add an entry to this file, but the preferred way is to create a configuration file in the /etc/httpd/conf.d/ directory.

In Fedora with Apache 2.4, the /etc/httpd/conf.d/ directory is searched for additional configuration files, so you can just create the virtual host file inside this directory.

  • Reload Apache service

Tell Apache to load configuration by running

$ sudo systemctl reload httpd

Nginx

Create virtual host configuration file in /etc/nginx/conf.d directory, for example

server {
    listen 80;
    root /home/example.fano/public;
    server_name example.fano;
    error_log /var/log/nginx/example.fano-error.log;
    access_log /var/log/nginx/example.fano-access.log;

    location / {
        try_files $uri @example.fano;
    }

    location @example.fano {
        proxy_pass http://127.0.0.1:20477;
    }
}

Change proxy_pass to match host and port where application is listening.

The two location blocks tell Nginx to serve a file directly if it exists and otherwise pass the request to our application.
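Before installing a virtual host (for instance one printed by fanocli --deploy-http=... --stdout), it is worth checking where it forwards traffic: a backend on loopback or a unix socket is reachable only through the proxy, while any other address means the application port is reachable over the network as well. The script below is an added example, not part of Fano CLI; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# upstream_targets FILE: print the URL argument of nginx proxy_pass and
# Apache ProxyPass/ProxyPassMatch lines ("!" exclusions are dropped).
upstream_targets() {
    sed -n -E \
        -e 's/^[[:space:]]*proxy_pass[[:space:]]+([^;[:space:]]+).*/\1/p' \
        -e 's/^[[:space:]]*ProxyPass(Match)?[[:space:]]+[^[:space:]]+[[:space:]]+"?([^"[:space:]]+).*/\2/p' \
        "$1" | grep -v '^!$'
}

# classify TARGET: print "unix", "loopback" or "remote".
classify() {
    case "$1" in unix:*) echo unix; return ;; esac
    hostport=${1#*://}                        # drop the scheme
    case "$hostport" in
        '['*) host=${hostport%%\]*}] ;;       # bracketed IPv6 literal
        *)    host=${hostport%%[:/]*} ;;      # strip :port and /path
    esac
    if printf '%s\n' "$host" | grep -Eq '^(localhost|\[::1\]|127(\.[0-9]+){3})$'; then
        echo loopback
    else
        echo remote
    fi
}

# audit_vhost FILE: print "<class> <target>" for every backend in FILE.
audit_vhost() {
    upstream_targets "$1" | while IFS= read -r target; do
        echo "$(classify "$target") $target"
    done
}

# vhost_is_local_only FILE: succeed only if no backend is classified remote.
vhost_is_local_only() {
    ! audit_vhost "$1" | grep -q '^remote '
}

# Constructed sample mixing the directive forms shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    ProxyPassMatch ^/(css|images|js)/ !
    ProxyPassMatch ^/(.*)$ http://127.0.0.1:20477
    ProxyPassMatch ^/(.*)$ "unix:/path/to/app.sock|http://127.0.0.1/"
        proxy_pass http://192.168.2.2:4000;
EOF
audit_vhost "$sample"
vhost_is_local_only "$sample" || echo "review: a backend is not on loopback or a unix socket"
```

A backend reported as remote is not necessarily wrong, but the application port then needs its own firewall rule so that clients cannot reach it without going through the proxy.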

Running on port 80 (http) or 443 (https)

Ports below 1024 can be opened only by root. If you want to serve HTTP requests directly without a reverse proxy, there are several options.

Redirect connections using firewall

You can redirect connections on port 80 to your application port, 8080 for example. Run as root

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

This has a disadvantage on multi-user systems. If your application is shut down, other users may bind to port 8080 and accidentally intercept traffic to port 80, which may not be what they want.
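A monitoring check for this situation can read the kernel's socket table and confirm that the port behind the REDIRECT rule is held by the application's account. The script below is an added example, not part of Fano; the function names, uid 1001 as the application account and the sample tables are constructed, and on a live host the table arguments would be /proc/net/tcp and /proc/net/tcp6.

```shell
#!/bin/sh
# port_owners PORT TABLE...: print the uid of each socket in LISTEN state on
# PORT, reading tables in /proc/net/tcp format.
port_owners() {
    hexport=$(printf '%04X' "$1"); shift
    awk -v p="$hexport" '
        $4 == "0A" {                        # st column: 0A = LISTEN
            n = split($2, a, ":")           # local_address = HEXADDR:HEXPORT
            if (a[n] == p) print $8         # column 8 = uid that owns the socket
        }' "$@" | sort -u
}

# check_redirect_target PORT UID TABLE...
# returns 0: only UID listens; 1: another uid listens; 2: nobody listens.
check_redirect_target() {
    port=$1; want=$2; shift 2
    owners=$(port_owners "$port" "$@")
    [ -n "$owners" ] || return 2
    [ "$owners" = "$want" ] || return 1
    return 0
}

# Constructed sample tables: uid 1001 is the application, uid 1002 another user.
header='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
row() {
    printf '   0: 00000000:%s 00000000:0000 0A 00000000:00000000 00:00000000 00000000  %s        0 23456 1\n' "$1" "$2"
}
workdir=$(mktemp -d)
{ echo "$header"; row 1F90 1001; } > "$workdir/app_running"   # 0x1F90 = 8080
{ echo "$header"; row 1F90 1002; } > "$workdir/port_taken"
{ echo "$header"; row 0016 0;    } > "$workdir/app_down"      # only port 22 listens

for t in app_running port_taken app_down; do
    check_redirect_target 8080 1001 "$workdir/$t" && rc=0 || rc=$?
    echo "$t: status $rc"
done
```

Status 2 is the window described above: nothing holds port 8080, so any local user can bind it and receive the redirected port 80 traffic.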

Use setuid

Run as root to bind port 80, then drop privileges and become a lower-privileged user as soon as the port is successfully opened. This is what web servers such as Apache or nginx do.

Use CAP_NET_BIND_SERVICE

Since Linux kernel 2.6.24, an executable can be marked with the CAP_NET_BIND_SERVICE capability, which allows it to bind to these ports.

$ sudo apt-get install libcap2-bin
$ sudo setcap 'cap_net_bind_service=+ep' /path/to/program

Issue with firewall

In Fedora-based distributions, the firewall is active by default. Read Issue with firewall for more information.

Permission issue with SELinux

Running an http application through a reverse proxy may be subject to the strict security policy of SELinux. Read Permission issue with SELinux for more information.