
Run sails.js with least privileges in Production

I'm using Sails.js 0.10.5 on Node 0.10.33 on Ubuntu Trusty. I'd like to execute the node process as a non-root user with the least possible privileges in the production environment. I'm comfortable with the various options for binding to ports below 1024 but I'm more concerned with directory permissions.

Ideally, I'd prefer the node process only have write access to its log files and nothing else. It should only have read access to the directory containing app.js and below.

At the moment I have needed to grant write access to the ./.tmp directory and also to the ./views directory due to the grunt tasks that run at startup. I'd rather perform the grunt tasks at deploy time as a different user instead of at run-time. The sails www command appeared promising but I couldn't get the desired outcome.

Can someone please point me in the right direction for running Sails.js with zero write access to its assets, views, etc?

Use sails www to build static assets

chmod -R 440 all files and directories, so that your user and the webserver (group) can access the files.

Use nginx/apache to host a webserver on port 80/443 and proxy requests to sails (running on its own port or over a unix socket).

Run sails using PM2 to keep it running and have it manage/collect logs.

Sails will lift, but will be unable to write its .tmp directory, which shouldn't even be necessary since all your static files will be routed to the www directory through nginx/apache.

The simplest solution to me seems to be to separate the grunt tasks that need the elevated privileges out into a separate file that you can call with a different user on deploy. Then sails won't need to run anything and can be read only.
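The two answers above describe the same deploy-time scheme: build the static assets once as a deploy user, then hand the runtime user a tree it can only read, with the log directory as the single writable location. The following POSIX shell script is an added example, not code from either answer or from the Sails project. It assumes the app lives in one directory, that its logs live in a subdirectory of it, and that the script is run at deploy time by the owner of the tree (the deploy user, not root and not the runtime user). One caveat the answer's "chmod -R 440" glosses over: a directory needs its execute bit to be entered, so the script gives directories 550 and files 440, and only the log directory and its files stay group-writable (770/660) for the runtime user's group. The group name and the sample file names are constructed placeholders; pass a real group as the third argument to harden_tree on a real host.

```shell
#!/bin/sh
# Added example: deploy-time permission hardening for a Sails app tree.
# Run as the deploy user (owner of the files). Group name is a placeholder.

# Build a constructed sample tree that mimics an app after `sails www`
# (code, views, built assets in www/, the .tmp dir grunt writes, and logs/).
make_sample_app() {
  dir="$1"
  mkdir -p "$dir/api/controllers" "$dir/views" "$dir/www" "$dir/.tmp" "$dir/logs"
  echo 'module.exports = {};' > "$dir/app.js"
  echo '<h1>hello</h1>' > "$dir/views/homepage.ejs"
  echo 'body{}' > "$dir/www/app.css"
  : > "$dir/logs/sails.log"
}

# harden_tree APPDIR LOGDIR [GROUP]
# Directories 550 (owner+group may enter and list), files 440 (read only),
# then relax only LOGDIR: 770 on the directory, 660 on existing log files.
# .tmp is deliberately left read-only: with assets prebuilt by `sails www`
# and served by the proxy, Sails does not need to write it at lift time.
harden_tree() {
  app="$1"; logdir="$2"; grp="${3:-}"
  [ -n "$grp" ] && chgrp -R "$grp" "$app"   # runtime user's group (placeholder)
  find "$app" -type d -exec chmod 550 {} +
  find "$app" -type f -exec chmod 440 {} +
  chmod 770 "$logdir"
  find "$logdir" -type f -exec chmod 660 {} +
}

# audit_tree APPDIR LOGDIR
# Print "ok" if nothing outside LOGDIR carries a write bit (owner, group or
# other); otherwise print the offending paths and return 1. Octal -perm tests
# are used so the check is portable across GNU and BSD find.
audit_tree() {
  app="$1"; logdir="$2"
  bad=$(find "$app" -path "$logdir" -prune -o \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print)
  if [ -z "$bad" ]; then
    echo ok
  else
    echo "$bad"
    return 1
  fi
}

# has_mode PATH OCTAL: true if PATH has exactly that mode (works as root too,
# where `test -w` would always succeed). -prune stops find descending into dirs.
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Stand-alone demonstration on a throwaway tree; exit status is the audit result.
demo() {
  tmp=$(mktemp -d)
  make_sample_app "$tmp"
  harden_tree "$tmp" "$tmp/logs"
  audit_tree "$tmp" "$tmp/logs"
  status=$?
  chmod -R u+w "$tmp" && rm -rf "$tmp"   # owner needs w on dirs to delete entries
  return $status
}

demo
```

On a real host the runtime user would be a member of the group passed to harden_tree and PM2 or the init system would start the node process as that user, so any attempt by the app (or by code running inside it) to write outside the log directory fails with EACCES rather than silently succeeding; a periodic run of audit_tree over the deployed tree catches later drift, such as a hotfix copied in with default permissions.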

EDITED: I use PM2 with apache as proxy (with mod WS).

You can use one proxy like apache to route from port 80 to other internal server ports based on host.

This way you can run multiple apps on the same server.

It has a lot of useful functions, like seeing the logs of various apps in the terminal, restarting and logging crashed apps, running an app as a user, app status, etc.

Pm2 link: https://github.com/Unitech/pm2

PM2 configs: https://github.com/Unitech/PM2/blob/development/ADVANCED_README.md#options
