From: <ca...@gm...> - 2006-11-15 20:35:00

Greetings,

I've been running/testing Yaws on port 8080 for a few weeks and have now reached the point where I feel I can replace apache:80 with yaws:80. However, I'm not clear on how to best run yaws on port 80 under a non-root user account ('www-data' in my case).

The docs talk about 'use_fdsrv', but also say that it doesn't currently work for SSL, so that's out.

I've also seen mention of using iptables to redirect from :80 -> :8080 in which case I could continue running yaws on port 8080. I don't like this idea though because it means I'd have essentially two copies of the website running, one on port 8080 and another on the redirected port 80, both reachable by the Internet. If the 8080 version of the site gets leaked into search engines that's a problem. iptables is also complex, and redirection doesn't work for localhost.

Then there's a patch to hack the Linux kernel into allowing non-root users to open ports < 1024. I might consider this if it was a .CONFIG option, but hand-hacking the Linux source means I have to apply a custom patch every time I upgrade my kernel. Also, it's not clear what unintended consequences such a patch might have on a production system.

Any reason why Yaws doesn't just have a small piece of compiled C that changes uid to the non-root user once yaws is started by root? This is how apache and every other httpd server that I can think of works.

What am I missing?

--
Cheers,
László

From: Torbjorn T. <to...@to...> - 2006-11-15 21:40:56

Count László de Almásy wrote:
> Greetings,
>
> I've been running/testing Yaws on port 8080 for a few weeks and have
> now reached the point where I feel I can replace apache:80 with
> yaws:80. However, I'm not clear on how to best run yaws on port 80
> under a non-root user account ('www-data' in my case).
>
> The docs talk about 'use_fdsrv', but also say that it doesn't
> currently work for SSL, so that's out.

You can use 'stunnel' to terminate SSL and forward to another port.

--Tobbe

>
> I've also seen mention of using iptables to redirect from :80 -> :8080
> in which case I could continue running yaws on port 8080. I don't
> like this idea though because it means I'd have essentially two copies
> of the website running, one on port 8080 and another on the redirected
> port 80, both reachable by the Internet. If the 8080 version of the
> site gets leaked into search engines that's a problem. iptables is
> also complex, and redirection doesn't work for localhost.
>
> Then there's a patch to hack the Linux kernel into allowing non-root
> users to open ports < 1024. I might consider this if it was a .CONFIG
> option, but hand-hacking the Linux source means I have to apply a
> custom patch every time I upgrade my kernel. Also, it's not clear
> what unintended consequences such a patch might have on a production
> system.
>
> Any reason why Yaws doesn't just have a small piece of compiled C that
> changes uid to the non-root user once yaws is started by root? This
> is how apache and every other httpd server that I can think of works.
>
> What am I missing?
>

From: <ca...@gm...> - 2006-11-15 21:54:00

On 11/15/06, Torbjorn Tornkvist <to...@to...> wrote:
> > I've been running/testing Yaws on port 8080 for a few weeks and have
> > now reached the point where I feel I can replace apache:80 with
> > yaws:80. However, I'm not clear on how to best run yaws on port 80
> > under a non-root user account ('www-data' in my case).
> >
> > The docs talk about 'use_fdsrv', but also say that it doesn't
> > currently work for SSL, so that's out.
>
> You can use 'stunnel' to terminate SSL and forward to another port.

Then I'd be running the site on two ports, the real port and the forwarded port 443. Not a good option, but thanks anyway.

--
Cheers,
László

From: Claes W. <kl...@ta...> - 2006-11-15 22:44:54

Count László de Almásy wrote:
>
> Then I'd be running the site on two ports, the real port and the
> forwarded port 443. Not a good option, but thanks anyway.
>

Not necessarily, you could run stunnel:443 --> localhost:$ANYPORT

That way you'd only advertise one port.

The change user code we had earlier sucked big-time.

The best solution is the BSD solution where a simple sysctl turns off the idiotic port 1024 restriction.

About a year ago I also looked into linux capabilities which is meant to be used for precisely this. Couldn't get it to work the way I wanted though.

/klacke

From: <ca...@gm...> - 2006-11-15 22:52:57

On 11/15/06, Claes Wikstrom <kl...@ta...> wrote:
> Not necessarily, you could run stunnel:443 --> localhost:$ANYPORT
>
> That way you'd only advertise one port.

I guess that's possible. But think about how messy this becomes for a whole server solution (port 80 & port 443).

> The change user code we had earlier sucked big-time.

Maybe the code could be improved then?

> The best solution is the BSD solution where a simple sysctl turns off the
> idiotic port 1024 restriction.

Not all of us run BSD. Also, there are systems where admins don't want any user to be able to start up a service on a privileged port.

> About a year ago I also looked into linux capabilities which
> is meant to be used for precisely this. Couldn't get it to work the
> way I wanted though.

I also spent some time looking at this recently, and also couldn't get it to work right. It also seems very poorly documented and not utilized much which seems odd.

--
Cheers,
László

From: Bruce F. <br...@fi...> - 2006-11-15 23:47:20

Count László de Almásy wrote:
> On 11/15/06, Claes Wikstrom <kl...@ta...> wrote:
>
>> The best solution is the BSD solution where a simple sysctl turns off the
>> idiotic port 1024 restriction.
>
> Not all of us run BSD. Also, there are systems where admins don't
> want any user to be able to start up a service on a privileged port.
>

László,

I think this is the core of your problem. Either you get permission to start the erlang vm as root on a privileged port or you don't. fd_srv still required root to bless it, so I don't think this is a huge win, and was a bit clunky.

Klacke has described the workarounds available to you, these same workarounds apply to other virtual-machine based solutions -- see http://mail-archives.apache.org/mod_mbox/tomcat-users/200212.mbox/%3C3DEF6E6...@jo...%3E for some discussion about the same issue for tomcat. Not that it helps.

Putting a proxy such as http://www.apsis.ch/pound/ in front may be what you want. stunnel works, but requires ongoing maintenance per server. The other option is to put apache on the front, and proxy the dynamic bits to yaws, which is what I (and many others) do -- there is so much built on top of apache that it is hard to justify my effort of getting standard php apps (for example) to work properly/quickly/reliably against yaws -- you can, but wouldn't you rather be writing your application in erlang?

I'm not knocking yaws, but it took me a while to recognise that I didn't want to be a trailblazer getting tested, stable, webapps (gallery for example) to work under yaws. I also decided I had more important things to do than reinvent some very well constructed wheels that happened to be in the wrong language :-)

Cheers,
Bruce

From: Bob I. <bo...@re...> - 2006-11-15 23:54:36
From: <ca...@gm...> - 2006-11-16 00:10:11

On 11/15/06, Bob Ippolito <bo...@re...> wrote:
> As a point of reference I'm running yaws on a >1024 port with nginx as
> the proxy. nginx is incredibly fast and scales WAY higher than pound.
> It also does SSL.

This is the Russian program, right? I'll investigate this too. Also looks like there's a Debian package for it. I love Debian.

Ideally using reverse proxy will only be necessary until the Erlang fixes SSL enough to allow fdsrv to use it. Then I can use fdsrv instead for simplicity and not having to maintain yet another software package.

--
Cheers,
László

From: Bob I. <bo...@re...> - 2006-11-16 19:48:16
From: <ca...@gm...> - 2006-11-16 20:09:22

On 11/16/06, Bob Ippolito <bo...@re...> wrote:
> Well, it doesn't sound like the Yaws implementation of reverse proxy
> is trustworthy, nor does it have load balancing features.

How do you mean?

--
Cheers,
László

From: Bob I. <bo...@re...> - 2006-11-16 20:24:35
From: <ca...@gm...> - 2006-11-16 20:34:10

On 11/16/06, Bob Ippolito <bo...@re...> wrote:
> The last changelog note on reverse proxy support for Yaws is:
> "Many reverse proxy bugs fixed. Maybe the reverse proxy is actually
> working now. It was never especially good. Try it. (mikl)"
>
> I wouldn't really bother with that when I know there are other
> solutions that work extremely well.

I don't really want to do reverse proxy though. I just want to set ``use_fdsrv = true'' in my yaws.conf and have it work for both port 80 as well as 443. Until the SSL support is there I will use nginx to handle port 443.

--
Cheers,
László

From: Claes W. <kl...@ta...> - 2006-11-16 22:13:51

Count László de Almásy wrote:
> I don't really want to do reverse proxy though. I just want to set
> ``use_fdsrv = true'' in my yaws.conf and have it work for both port 80
> as well as 443. Until the SSL support is there I will use nginx to
> handle port 443.
>

Good/right decision

/klacke

From: <ca...@gm...> - 2006-11-16 00:07:22

On 11/15/06, Bruce Fitzsimons <br...@fi...> wrote:
> Putting a proxy such as http://www.apsis.ch/pound/ in front may be what
> you want. stunnel works, but requires ongoing maintenance per server.

I hadn't heard of pound before, but will look into it, thanks. Looks like there's a Debian package for it too.

> The other option is to put apache on the front, and proxy the dynamic
> bits to yaws, which is what I (and many others) do -- there is so much
> built on top of apache that it is hard to justify my effort of getting
> standard php apps (for example) to work properly/quickly/reliably
> against yaws -- you can, but wouldn't you rather be writing your
> application in erlang?

Part of my motivation is to completely get rid of Apache. It's large and bloated, and even after using it for a decade, I barely understand the complex configuration just enough to get it working.

If you've been following my messages on this list as of late, you'll see that I have been trying to get standard php/cgi apps to work properly/quickly/reliably under yaws by writing appmods and the like. I've been successful at this. So far I have Wordpress (php), Mailman, and MoinMoin all working perfectly under yaws. I feel confident that more or less any app can be made to work under yaws with a bit of erlang coding. Or at least, those that I use on my sites.

> but it took me a while to recognise that I didn't
> want to be a trailblazer getting tested, stable, webapps (gallery for
> example) to work under yaws.

Haha, I guess that's exactly what I've been doing, probably to the annoyance of Klacke and others on here. :P

--
Cheers,
László (Yaws trailblazer)