# lighttpd, port 80, and security

## m0ntecarloss

Hi there, I am trying to configure lighttpd on my gentoo box, and have a couple configuration questions.

Does it have to run as root to bind to port 80?  Or what is the best way to run it on port 80 without root privileges...

As the user lighttpd it could not open the log files in my /var/log directory because /var/log is only accessible by root.  I set the execute bit on the /var/log directory for other users and it works now, but I don't know if I like having just anyone enter that folder...

I am not running any firewall on this particular computer, it is connected to one though.

THANKS!

----------

## m0ntecarloss

Do I need to use ipchains or iptables to forward incoming connections on port 80 to another port, say 8080?  I really am not interested in undertaking the learning curve of configuring a firewall on this PC, especially since I already have another firewall, on another PC, to protect this PC.  Man this stuff is complicated...

----------

## Andersson

I think you can just set it to port 80 in the config. It is started as root, but the default config drops to another user (lighttpd). Check what user it is by ps aux | grep http.

Also, you can change the location of the logs in the config. Put them somewhere else if you want, /var/logwww/ or something.

```
server.errorlog             = "/var/wwwlog/error.log"
accesslog.filename          = "/var/wwwlog/access.log"
```

----------

## m0ntecarloss

Thanks man, if I set the port to 80 I get an error message saying port 80 is already in use....

There should not be any other software on this box using that port....

----------

## c4

I am running lighttpd on my server, perhaps I can help you out with the basics.

Just as Andersson said, after starting, the privileges are dropped to whomever you have in your lighttpd configuration; the default user and group are lighttpd.

```
server.username      = "lighttpd"
server.groupname     = "lighttpd"
```

Same thing for the server's listening ports: the default is already set to port 80, so I don't think you need to state this unless you want to change the port to something else.

```
# bind to port (defaults to 80)
# server.port          = 81
```

I have just put a comment there for the port settings as it already defaults to port 80 anyway.

For the logs, you could also simply give the web server's user permission to read/write to the directory where the logfiles are. So if your logs are stored in /var/log/lighttpd/, set the ownership with

```
chown -R lighttpd:lighttpd /var/log/lighttpd
```

and you're all set.

For more information about lighttpd and how to use it with fastcgi for php5, ssl-support etc. here's an install guide that might be helpful.
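Two checks for what c4 describes above, added here as an example and not code from the thread or from lighttpd: that the server really runs as the unprivileged user once it has bound port 80 and dropped privileges, and that the log directory is reachable by that user without making /var/log traversable by everyone (the `o+x` workaround from the first post). The `ps` lines are constructed samples and both function names are my own.

```sh
#!/bin/sh
# Added example: verify the privilege drop and the log-directory permissions
# that c4's post relies on. Sample process lines below are constructed.

# Constructed sample in the shape of `ps -eo user=,pid=,comm=` after a normal
# start: the server dropped to the lighttpd user.
SAMPLE_PS_DROPPED='root 1 init
lighttpd 1234 lighttpd
root 987 vsftpd'

# Constructed sample of a bad start (server.username unset or misspelled):
# the server is still root after binding port 80.
SAMPLE_PS_STILL_ROOT='root 1 init
root 42 lighttpd'

# lighttpd_root_procs: read "user pid comm" lines from stdin, print the PIDs of
# lighttpd processes running as root, and fail if there are any.
# Live use: ps -eo user=,pid=,comm= | lighttpd_root_procs
lighttpd_root_procs() {
    found=0
    while read -r user pid comm; do
        [ "$comm" = "lighttpd" ] || continue
        if [ "$user" = "root" ]; then
            echo "$pid"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# logdir_check DIR USER: succeed only when DIR is owned by USER (what the
# chown above gives you) and is not traversable by "other", so fixing the log
# problem does not reopen /var/log to every local account.
# Live use: logdir_check /var/log/lighttpd lighttpd
logdir_check() {
    dir=$1
    user=$2
    # `ls -ld` prints: mode links owner group ...; portable, unlike stat -c.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by $owner, not $user" >&2
        return 1
    fi
    # The 10th character of the mode string is the execute bit for "other".
    case $(printf '%s' "$mode" | cut -c10) in
        x|t)
            echo "$dir: traversable by everyone ($mode); use chmod 750" >&2
            return 1
            ;;
    esac
    return 0
}
```

For the log directory this means `chown -R lighttpd:lighttpd /var/log/lighttpd` followed by `chmod 750 /var/log/lighttpd`, and leaving the mode of /var/log itself alone.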

----------

## m0ntecarloss

Thanks again guys, do you know of an easy way to determine what is bound to port 80 already?

When I try to start lighttpd this is what I get:

```
2005-12-11 17:43:57: (network.c.235) can't bind to port 80 Address already in use
```

I thought it was some root privileges issue but I understand what you guys are saying about switching to user lighttpd.  I did try port 81 and that works fine so something does appear to be using port 80....  I tried to access it from my browser for the hell of it and I get connection refused.

Sorry to keep bugging you, so much to learn yet about Linux hehe

----------

## m0ntecarloss

Sweet guide btw, thanks!

----------

## c4

try netstat, and see what it finds:

```
netstat --numeric-ports -p -l | grep 80
```

That will show you the name and process ID of anything using a port that matches *80*.
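The `grep 80` in c4's command matches any port number that contains 80, so a listener on 8080 or 1800 would also show up. As an added example (not from the thread), the functions below filter `netstat -lntp` or `ss -ltnp` output on the exact port instead. The netstat lines are a constructed sample; the function names are my own. Note that netstat and ss only fill in the PID/Program name column for other users' sockets when run as root, otherwise that column shows `-`.

```sh
#!/bin/sh
# Added example: find listeners on an exact port in `netstat -lntp` or
# `ss -ltnp` output, instead of substring-matching with `grep 80`.

# Constructed sample in the shape of `netstat -lntp` run as root. A plain
# `grep 80` would also match the java process on 8080.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2201/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/lighttpd
tcp        0      0 127.0.0.1:1026          0.0.0.0:*               LISTEN      1235/php-cgi
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      987/vsftpd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/lighttpd'

# listeners_on_port PORT: print the lines from stdin whose 4th column (the
# local address in both the netstat and the ss listing format) ends in ":PORT".
# Live use:  netstat -lntp | listeners_on_port 80
#            ss -ltnp | listeners_on_port 80     (or: ss -ltnp 'sport = :80')
listeners_on_port() {
    awk -v port="$1" '$4 ~ (":" port "$")'
}

# count_listeners_on_port PORT: number of matching lines, for scripting.
count_listeners_on_port() {
    listeners_on_port "$1" | awk 'END { print NR }'
}

# listener_pid_on_port PORT: PID/program name field of the first match. It is
# "-" when netstat could not read it (run it as root to see other users'
# processes).
listener_pid_on_port() {
    listeners_on_port "$1" | awk 'NR == 1 { print $NF }'
}
```

On the sample, `grep 80` reports three lines while `count_listeners_on_port 80` reports the two that really are port 80 (IPv4 and IPv6).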

----------

## m0ntecarloss

Thanks, I ran that and it found nothing listed for port 80.  I took off grep and it showed my ftp server and stuff so I had it in properly.

Is this some kind of security thing that I need to configure gentoo to allow me to use port 80?

----------

## c4

 *m0ntecarloss wrote:*   

> Sweet guide btw, thanks!

 Sure thing, hope it makes it easier to get your server started!

 *m0ntecarloss wrote:*   

> Is this some kind of security thing that I need to configure gentoo to allow me to use port 80?

No, you said earlier that you were not using iptables, so the connection should not be blocked by any firewall (on the server). Checking my lighttpd configuration, I can not see any settings regarding the ports besides what I wrote earlier. That is, port 80 is active by default, and you may add additional server sockets for listening on multiple ports. Also check the main lighttpd documentation for some tips. 

I have specified neither for my server. I have only specified the listening IP and port for https with SSL.

Besides that, I'm not sure what else to recommend as I don't have any additional settings. Care to share your server config so we can try to find possible errors?

----------

## m0ntecarloss

Oh man, ok so as soon as you said post your configuration file I looked at it and discovered something incorrect right away (something I added in earlier trying to get it to work).  Hehe, I commented it out and it works great now.  THANKS!
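The thread does not say which line m0ntecarloss had added. One setting that can produce exactly this symptom, a bind failure on port 80 while netstat shows no other listener, is telling lighttpd to bind the same port a second time from another socket directive, for example `$SERVER["socket"] == "0.0.0.0:80"` alongside the default `server.port` of 80: the second bind inside the same process fails with the same "Address already in use". The check below, which lists ports a configuration binds more than once, is an added example of my own and not part of the thread or of lighttpd; the configuration files it writes are constructed samples.

```sh
#!/bin/sh
# Added example: report listen ports that a lighttpd configuration binds more
# than once. The second bind of one port inside one process fails with
# EADDRINUSE, so lighttpd logs "can't bind to port 80 Address already in use"
# even though netstat shows no foreign listener. Hypothetical helper, not part
# of lighttpd.

# listen_ports CONFIG: print each port the configuration binds, one per line:
# server.port (80 when unset, the default c4 mentions) plus every
# $SERVER["socket"] == "ip:port" conditional. Commented-out lines are skipped.
listen_ports() {
    main=$(sed -n 's/^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${main:-80}"
    sed -n 's/^[[:space:]]*\$SERVER\["socket"][[:space:]]*==[[:space:]]*"[^"]*:\([0-9][0-9]*\)".*/\1/p' "$1"
}

# duplicate_listen_ports CONFIG: the ports listed more than once.
duplicate_listen_ports() {
    listen_ports "$1" | sort -n | uniq -d
}

# write_sample_config FILE: constructed configuration with the mistake
# (port 80 bound by server.port and again by a $SERVER["socket"] block).
write_sample_config() {
    cat > "$1" <<'EOF'
server.port = 80
server.username  = "lighttpd"
server.groupname = "lighttpd"
# server.port = 81
$SERVER["socket"] == "0.0.0.0:80" {
    server.document-root = "/var/www/localhost/htdocs"
}
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
}
EOF
}

# write_fixed_config FILE: the same configuration with the duplicate removed;
# port 80 now comes only from the default.
write_fixed_config() {
    cat > "$1" <<'EOF'
server.username  = "lighttpd"
server.groupname = "lighttpd"
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
}
EOF
}
```

Run `duplicate_listen_ports /etc/lighttpd/lighttpd.conf` before assuming another program holds the port; an empty result means the configuration itself is not the cause.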

----------

## c4

Great! Glad you got it solved.

----------

## Andersson

When I had trouble configuring fastcgi earlier (the reason I happened to find this thread actually), lighttpd would crash every time I accessed a .php page. I couldn't restart it using the same port; I got the address already in use error. I had to pick a new port every time.

What did you do to enable port 80 again? I have nearly used up all my ports and I don't feel like rebooting.

----------

## c4

I am using the default configuration for fastcgi, for lighttpd 1.4.7 although I am running the latest version 1.4.8. (hasn't made it to portage yet) 

less /etc/lighttpd/mod_fastcgi.conf

```
server.modules += ("mod_fastcgi")

fastcgi.server = ( ".php" =>
                     ( "localhost" =>
                         (
                             "host"     => "127.0.0.1",
                             "port"     => 1026,
                             "bin-path" => "/usr/bin/php-cgi"
                         )
                     )
                 )
```

I am using fastcgi as per the default Gentoo configuration, that is, it's pulled in with an include statement from lighttpd's main config file.

```
# includes
include "mime-types.conf"
include "mod_cgi.conf"
include "mod_fastcgi.conf"
```

As for port 80, I have not even specified it in my configuration, as lighttpd listens to it by default unless it's changed to another port. 

You mentioned that the server was crashing when accessing a .php page. Have you checked that the server can handle static html content? I was thinking that instead of lighttpd, perhaps you might have an error with php. As I recall it, building it with the USE flag "cgi" was necessary for things to work. Also I am using dev-lang/php-5.0.5-r4. There might be differences with the older php packages dev-php/php along with mod_php and php-cgi.

I can't really say anything about the older php4-packages. When I switched from Apache to lighttpd I started using php5 from the start.

----------

## Andersson

 *c4 wrote:*   

> You mentioned that the server was crashing when accessing a .php page. Have you checked that the server can handle static html content? I was thinking that instead of lighttpd, perhaps you might have an error with php.

 

I didn't mean to ask for help with fastcgi - I solved that problem by using standard cgi instead. It's fast enough for me, my web server has about ten visits per day.

I was just curious how to get the lost ports back without rebooting.

----------

## c4

 *Andersson wrote:*   

> I didn't mean to ask for help with fastcgi - I solved that problem by using standard cgi instead. It's fast enough for me, my web server has about ten visits per day. 
> 
> I was just curious how to get the lost ports back without rebooting.

 

I've been giving this some thought while watching a movie tonight, and I have checked two different servers running lighttpd. The locking of ports is indeed strange; I can't get this error however hard I try.

I assume you have tried the usual, that upon error:

1. you make sure that no lighttpd processes are running

2. make sure that the web server's pidfile is removed, and manually put the service in the stopped state

3. check logs for possible errors, and perhaps review and change something in the config

4. try to start it again

If things still refuse to work, have you tried removing all files and things owned by the webserver in /tmp? There might be session data or something there that confuses lighttpd into believing that the port is still used.

Also, I do not specify anything for port 80. Have you tried running lighty without such a port binding?

----------

## Andersson

You're right, the processes were still running. All I did was /etc/init.d/lighttpd stop and /etc/init.d/lighttpd zap.

Thanks for the help. After killing all the lighttpd processes all the ports are back.
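Steps 1 and 2 of c4's list, and the cause Andersson found (lighttpd processes still alive after `stop` and `zap`), as an added shell example that is not from the thread: classify the pidfile and list leftover lighttpd processes before trying to bind the port again. On Gentoo, `/etc/init.d/lighttpd zap` only resets the init script's recorded state to stopped; it does not kill anything, which is why the ports were "lost". The process lines are a constructed sample, the pidfile path is an assumption, and the planning function only prints the commands it would run.

```sh
#!/bin/sh
# Added example: the pre-restart checks from c4's list. A port is not lost
# after a crash; it is held by a lighttpd process that is still alive, which
# `/etc/init.d/lighttpd zap` (reset the recorded service state) does not kill.

# pidfile_state FILE: print "absent", "stale" (file left behind by a process
# that is gone) or "running PID" (that process still exists, so its port is
# still bound and a restart will fail with EADDRINUSE).
# Live use: pidfile_state /var/run/lighttpd.pid   (path is an assumption)
pidfile_state() {
    [ -f "$1" ] || { echo absent; return 0; }
    pid=$(tr -dc '0-9' < "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "running $pid"
    else
        echo stale
    fi
}

# leftover_lighttpd: read "pid comm" lines (`ps -eo pid=,comm=`) from stdin and
# print the PID of every lighttpd process, whether or not it has a pidfile.
# Live use: ps -eo pid=,comm= | leftover_lighttpd
leftover_lighttpd() {
    awk '$2 == "lighttpd" { print $1 }'
}

# Constructed sample: Andersson's situation, two processes survived "stop".
SAMPLE_PS_AFTER_STOP='1 init
2201 java
3104 lighttpd
3105 lighttpd'

# restart_plan PIDFILE < ps-lines: print the commands a careful restart would
# run, in order (kill the leftovers, remove a stale pidfile, then start),
# without executing them, so the example is safe to run anywhere.
restart_plan() {
    pids=$(leftover_lighttpd | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$pids" ]; then
        echo "kill $pids"
    fi
    case $(pidfile_state "$1") in
        stale) echo "rm -f $1" ;;
    esac
    echo "/etc/init.d/lighttpd start"
}
```

A pidfile that reads "running" after `stop` is the case from this thread: kill that PID (and any other lighttpd process `leftover_lighttpd` lists) and the port is free again without a reboot.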

----------

