I am using webfsd, a lightweight HTTP daemon, to serve static content to as follows:
sudo webfsd -R ~/Documents/www/ -p 80 -f index.htmlBut I have to run this from the command line every time. I assume I can't add sudo commands to Startup Programs. So, how can I make it run without having to invoke it every time?
(I would prefer it to start at boot up, and be accessible without me having to log in, even if this means I need to move the location of the files. But starting when I log in is an acceptable second place prize. If it makes a difference, I would like to experiment later with HTTPS.)
1 Answer
My first idea was a simple upstart script. /etc/init/webfs.conf:
description "WebFS server"
start on (local-filesystems and net-device-up)
respawn
exec webfsd -F -p 80 -u d3vid -g d3vid /home/d3vid/Documents/www/ -f index.htmlThe -u and -g arguments are really important. These drop root privileges after binding the port... Which means there's not a net-accessible process running as root that can be exploited.
The other idea is running it on a high port (>1024) as you, auto-starting that however you like... And then either using a real server to reverse proxy (nginx is a common and lightweight tool here) from port 80... Or just use an iptables redirect.
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 10010 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10010The advantage there is webfs is never running as root... But then you're just left with needing to run the iptable commands as root every boot. Swings and roundabouts.
I think on balance, if you're not exposing the server to the internet directly, the first route is probably safe enough.
But if you're going any further, dump WebFS and just use nginx...
- It does everything WebFS does (and a whole lot more)
- It's simple to use
- It's efficient beyond reason
- Its SSL has decent documentation
- Most importantly, lots of people have a vested interest in nginx remaining secure, including Canonical, so you'll get updates for it fast (critical when dealing with web-facing things)
To give you some sort of idea what efficient means, I have a webserver hosting around 20 domains, a few of them do some pretty serious traffic. nginx's four worker processes account for 15MB of RAM combined and no observable CPU time. It's insane.
1