
How to deploy a twistd https application (.tac) with systemd as an unprivileged user?

My https (port 443) twistd application (.tac) works fine deployed as a systemd service, but the unit file requires User=root to listen/bind ports below 1000. The problem is that twistd then also runs as user root.

How do I listen/bind port 443 and then hand off to the twistd .tac as an unprivileged user?

I'd like to follow the "separation of privilege" best practice and avoid workarounds like setcap 'cap_net_bind_service=+ep' or port-forwarding, as discussed in detail here.

I tried systemd socket activation with a .socket and a .service unit file. My .socket works to listen/bind on privileged port 443, and the .service file starts the twistd .tac application as a non-privileged user, but the socket hand-off doesn't work and twistd exits with a "permission denied" error. After searching I found "Known issue: Twisted does not support listening for SSL connections on sockets inherited from systemd" in the last line of this Twisted doc. I use Twisted 18.9.0 on Ubuntu 18.04.

Partial success with the following .service and .socket files:

My systemd service unit file:

[Unit]
Description=twistd https application
#Requires=testtls.socket

[Service]
ExecStart=/usr/bin/twistd --nodaemon --pidfile= --python=/ws/twistdhttps.tac
WorkingDirectory=/srv/web/https
# systemd does not support trailing comments on a line; comments moved to their own lines
# twistd .tac permission denied with these:
#User=nobody
#Group=nogroup
# twistd .tac works but no separation of privileges:
User=root
Group=root

Restart=always
#NonBlocking=true

[Install]
WantedBy=multi-user.target

Systemd socket file testtls.socket:

[Socket]
ListenStream=0.0.0.0:443

[Install]
WantedBy=sockets.target
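The hand-off that the .socket above performs is generic: systemd binds 0.0.0.0:443 as root, starts the service with the listening socket inherited as file descriptor 3, and sets LISTEN_PID and LISTEN_FDS in the environment; the service process, running as its unprivileged User=, only has to adopt that descriptor. The following added example (written for this page, not code from the question, from Twisted, or from systemd) shows that mechanism with the Python standard library's ssl module instead of Twisted, since the Twisted doc quoted in the question states that Twisted 18.9 cannot do TLS on an inherited socket. It re-implements the sd_listen_fds(3) checks (LISTEN_PID must match the process's own pid), refuses a descriptor that is not a listening stream socket, and falls back to the unprivileged port 8443 from the answer when it is started by hand. The certificate paths under /etc/twistdhttps/ are assumptions; the page does not name them.

```python
#!/usr/bin/env python3
"""Socket-activated TLS server using only the standard library (added example).

systemd's .socket unit binds 0.0.0.0:443 as root and starts the .service with the
listening socket inherited as fd 3, plus LISTEN_PID/LISTEN_FDS in the environment.
The service runs as an unprivileged user and only has to wrap that fd in TLS.
"""
import os
import socket
import ssl

SD_LISTEN_FDS_START = 3   # first inherited fd, per sd_listen_fds(3)
FALLBACK_PORT = 8443      # unprivileged port used when not socket-activated


def listen_fds(environ=None, pid=None, first_fd=SD_LISTEN_FDS_START):
    """Return the fds systemd handed to this process ([] when not socket-activated).

    Re-implements the checks of sd_listen_fds(3): LISTEN_PID must equal our own pid
    (so an fd meant for a parent is never adopted) and LISTEN_FDS is the fd count.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count <= 0:
        return []
    return list(range(first_fd, first_fd + count))


def adopt_listening_socket(fd):
    """Turn an inherited fd into a socket object after verifying it really is a
    listening stream socket; refuse anything else rather than serve on a surprise fd."""
    sock = socket.socket(fileno=fd)          # family/type are read back from the fd
    so_acceptconn = getattr(socket, "SO_ACCEPTCONN", None)
    ok = sock.type == socket.SOCK_STREAM and (
        so_acceptconn is None or sock.getsockopt(socket.SOL_SOCKET, so_acceptconn) != 0)
    if not ok:
        sock.detach()                         # leave the fd to the caller, do not close it
        raise ValueError("fd %d is not a listening stream socket" % fd)
    return sock


def tls_context(certfile, keyfile):
    """Server-side context, TLS 1.2 or newer. The chain is loaded by the service user,
    so the key file must be readable by that user, not only by root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def http_reply(request_bytes):
    """Minimal fixed HTTP response used by the demo server (request body is ignored)."""
    body = b"socket-activated TLS ok\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(body)) + body


def serve(listener, ctx):
    """Accept loop: the TLS handshake is done per connection so one bad client
    cannot take the listener down."""
    while True:
        raw, peer = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as conn:
                conn.sendall(http_reply(conn.recv(4096)))
        except (ssl.SSLError, OSError) as exc:
            print("client %s:%d dropped: %s" % (peer[0], peer[1], exc))


def main():
    fds = listen_fds()
    if fds:
        listener = adopt_listening_socket(fds[0])   # the :443 socket bound by systemd
    else:                                            # started by hand: bind an unprivileged port
        listener = socket.create_server(("0.0.0.0", FALLBACK_PORT))
    # Hypothetical paths; the page does not name the certificate files.
    ctx = tls_context("/etc/twistdhttps/server.pem", "/etc/twistdhttps/server.key")
    serve(listener, ctx)


if __name__ == "__main__":
    main()
```

With the testtls.socket above and a .service that sets User=nobody, Requires=testtls.socket and ExecStart to this script, the process never holds the privilege to bind port 443 itself; the fd check in adopt_listening_socket is what protects against being started under a different Sockets= configuration than expected.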

I worked out a reverse proxy type solution with two systemd files, which I realize is an inelegant way compared to handing off a socket from one systemd file. One of my .service files has a root user and the other a non-privileged user. The redirect .service file uses twisted.web.util.redirect (latest document can be found here) to redirect 443 to 8443. The other .service file listens on port 8443 and, most importantly, as an unprivileged user.

Tested and works fine; however, some with this same problem may wonder how this is different from port-forwarding, because a reverse proxy is just another type of workaround compared to a .socket TLS handoff.

Port-forwarding using iptables would work, and as it is handled by the kernel it seems like it might be faster than the additional load of running a reverse proxy server. For my use case, I decided on a reverse proxy as it adds an additional layer of security and it's also easier to keep links intact on the proxy, as outlined here.

For the time being I'm accepting this as the best answer as it will help anyone else who encounters the same problem, but I hope someone posts a better, more elegant solution.
