1

Just like the title says, I would like to understand:

  • What are the implications of running a custom app (like node or flask) on port 80/443?
  • Is running a reverse proxy like Nginx mandatory from a security point of view?
  • What if I run Nginx as root user and we discover a security vulnerability today? Wouldn't that make the custom app and Nginx both great security risks?
  • What is the most secure (and standard) way to handle traffic on port 80 or 443, if it's not Nginx?
deppfx
  • Related: [An application started by the root user has root privileges?](https://security.stackexchange.com/questions/192039/an-application-started-by-the-root-user-has-root-privileges). – Steffen Ullrich Aug 03 '19 at 04:09

1 Answer

7

Here are a few details that might help clarify the situation:

  1. Ports less than 1024 are (in most OSes) privileged ports that require root to run anything on them. This is intended as a security feature to make it more difficult for an attacker to host services on important ports on a compromised server. As a result, root is required to run anything on port 80 or 443.
  2. While Nginx and Apache will run on port 80 or 443, as little as possible is done as root. Both immediately spawn a non-root subprocess to work from. The master root process is only used to bind to the privileged ports. Nginx also doesn't run any "apps" itself, but instead communicates with the app running as a completely separate process - hopefully also a low-privilege one.
  3. You don't want to run your application as root because then if someone finds a RCE vulnerability in it, your system will be very compromised. Of course any RCE vulnerability is bad, but running your application as a low-privilege user is just part of defense in depth, and generally a good idea.

So to spell it out, you don't want to run a custom app directly on port 80/443 because doing so requires you to be root, and you don't want to do that because it's just inviting more trouble in the event of a compromise. However, this is no different than anyone else. While Apache and Nginx will run as root, any application hosted through them typically does not.

This also means that a RCE vulnerability in Apache or Nginx would be very valuable to attackers (if it happens to affect the portion of the application running as root) and, while they do happen, I would say that they are substantially less common than RCE vulnerabilities in your typical web application. That's why it is better to let Apache/Nginx listen on 80/443 instead of your app.

Conor Mancone
  • 3
    *"For Apache, it will spawn a sub process to run the users application as a low privilege user, while Nginx typically won't do anything at all."* - from my understanding both Apache and Nginx (and others) will drop the privileges early, i.e. shortly after binding to the privileged port. They don't drop the privileges just for the applications - even static files are served with low privileges. – Steffen Ullrich Aug 03 '19 at 04:12
  • @SteffenUllrich That's true, although strictly speaking there will still be a single root parent process which merely manages its children and which doesn't process untrusted data. – forest Aug 03 '19 at 07:41
  • @SteffenUllrich thanks! I didn't actually know that part. – Conor Mancone Aug 03 '19 at 10:36
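The bind-then-drop pattern described in the answer and comments above, as an added example that is not part of the original thread and is not Nginx's or Apache's own code: a master process binds the listening socket, forks a worker, and the worker permanently gives up root before it reads any client data. The uid/gid 65534 (the conventional "nobody" ids), the function names and the `ping` request are assumptions made for the illustration.

```python
import json
import os
import socket

UNPRIV_UID = UNPRIV_GID = 65534  # assumption: conventional "nobody" uid/gid


def drop_privileges(uid, gid):
    """Permanently give up root; no-op if the process is already unprivileged."""
    if os.geteuid() != 0:
        return
    os.setgroups([])  # clear supplementary groups while still root
    os.setgid(gid)    # group next: changing it also requires root
    os.setuid(uid)    # user last: as root this sets real, effective and saved uid


def can_regain_root():
    """Check that the drop is irreversible: setuid(0) must be refused."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def run_worker(listener, report_fd):
    """Worker: drop privileges before touching any untrusted input."""
    drop_privileges(UNPRIV_UID, UNPRIV_GID)
    status = {"euid": os.geteuid(), "regained_root": can_regain_root()}
    conn, _ = listener.accept()  # the inherited socket still works after the drop
    with conn:
        status["request"] = conn.recv(64).decode()
    os.write(report_fd, json.dumps(status).encode())


def master(port, host="127.0.0.1"):
    """Master: bind (root is needed below 1024), fork a worker, parse no traffic itself."""
    with socket.create_server((host, port)) as listener:
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:
            try:
                run_worker(listener, write_fd)
            finally:
                os._exit(0)  # the worker never returns into the master's code
        os.close(write_fd)
        with socket.create_connection(listener.getsockname()) as client:
            client.sendall(b"ping")  # constructed request standing in for a client
        os.waitpid(pid, 0)
        with os.fdopen(read_fd) as pipe:
            return json.loads(pipe.read())
```

Calling `master(80)` as root reports a worker `euid` of 65534 with `regained_root` false; as an ordinary user the bind on port 80 is refused, while `master(8080)` works and the worker simply keeps the caller's uid.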