Forum OpenACS Q&A: 5.0: Installation: missing clue (running on port 80)

see the AOLserver documentation. Or the AOLserver usage information:

Usage: /usr/local/aolserver/bin/nsd [-h|V] [-i|f] [-u <user>] [-g <group>] [-r <path>] [-b <address:port>|-B <file>] [-s <server>] \
-t <file>

  -h  help (this message)
  -V  version and release information
  -i  inittab mode
  -f  foreground mode
  -d  debugger-friendly mode (ignore SIGINT)
  -u  run as <user>
  -g  run as <group>
  -r  chroot to <path>
  -b  bind <address:port>
  -B  bind address:port list from <file>
  -s  use server named <server> in config file
  -t  read config from <file> (REQUIRED)

You need to provide -b <address:port>. Or if you are planning on using both HTTP and HTTPS -B <file> where <file> contains:

<address:http_port>
<address:https_port>

/Bart

But... there is a different problem now. When registering, users get a notification email stating they have registered in www.mysite.com:8000 instead of www.mysite.com. It did run on port 8000 for a short time, but I changed it. In config.tcl I have port 80 defined. I cannot find - within ACS - where to change this. Any help appreciated!

But now: when using svc -u /service/service0 the site comes up, but when it restarts (e.g. after installing software) nsd is running, but not listening. Error:

[15/Feb/2004:20:43:58][22135.16384][-main-] Error: nssock: failed to listen on 212.120.32.124:80: permission denied

(I changed the IP address in this example).

I don't understand why it cannot listen. I have this problem when using svc as root or as a normal user. Maybe it is not possible to use daemontools with aolserver on port 80??? Why is it not in the docs? It is a nightmare. I suppose in the end most sites will use port 80, so this is not very strange? I think I should use sudo.

localhost:~# more /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
service0 ALL= NOPASSWD: ALL

Probably, there is a better way, e.g. only allowing certain commands, but I am not sure how to do it. I have not the time to read endless manuals before I can start aolserver automagically...

"If you want to use port 80, there are complications. First, AOLserver must be root to use system ports such as 80, but refuses to run as root for security reasons. Thus you must start as root and specify a non-root user ID and Group ID which AOLserver will switch to after claiming the port. To do so, find the UID and GID of the service0 user via grep service0  /etc/passwd and then put those numbers into the command line via -u 501 -g 502. Second, if you are root then killall will affect all OpenACS services on the machine, so if there's more than one you'll have to do ps -auxw | grep nsd and selectively kill by job number."

[15/Feb/2004:20:48:10][6358.16384][-main-] Notice: nsmain: AOLserver/4.0 running
[15/Feb/2004:20:48:10][6358.16384][-main-] Notice: nsmain: security info: uid=1002, euid=1002, gid=103, egid=103
[15/Feb/2004:20:48:10][6358.32771][-sched-] Notice: sched: starting
[15/Feb/2004:20:48:10][6358.16384][-main-] Error: nssock: failed to listen on 67.119.161.85:80: Permission denied
[15/Feb/2004:20:48:10][6358.131081][-driver-] Notice: starting
[15/Feb/2004:20:48:10][6358.131081][-driver-] Notice: driver: accepting connections

In case its helpful for some-one else, here are the pieces:

1. The daemontools "run" or the command line nsd -t list must include either a
   • -b {Ipaddress:port} or a
   • -B {filename}.
   
   If you modify the run file, all comments between the config.tcl and the -b have to be removed, or it will not load. [thanks Hans]
   The -B is used if you have multiple {Ipaddress:port} pairs. If you want to use http and https, you need to include each as an {Ipaddress:port} pair. [thanks Bart]
2. For an ssl connection, Aolserver 4 must be used with Scottg's latest nsopenssl (I'm using version 3beta12). This requires a "with threads" version of OpenSSL, see details at scottg.net, or in the nsopenssl README.
3. For a single ip address, the following contribution will implement it. [thanks Matthew G]

#---------------------------------------------------------------------
#
# OpenSSL, nsopenssl and aolserver 4
#
#---------------------------------------------------------------------
#
# SSL contexts. Define the ssl contexts for this server.

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param ssl_incoming_requests_context   "SSL context used for regular user access to the website"
ns_param ssl_outgoing_context            "SSL context used for outgoing script socket connections"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server               ssl_incoming_requests_context
ns_param client               ssl_outgoing_context

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/ssl_incoming_requests_context"
ns_param Role                  server
ns_param ModuleDir             ${serverroot}/etc/certs
ns_param CertFile              certfile.pem
ns_param KeyFile               keyfile.pem
#ns_param CADir                 ca-client/dir
#ns_param CAFile                ca-client/ca-client.crt
ns_param Protocols             "SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_param PeerVerifyDepth       3
ns_param Trace                 true

# SSL drivers. Each driver defines a port and a named SSL context to associate with it.

ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param ssl_incoming_requests_driver "Driver for regular user access to the website"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/ssl_incoming_requests_driver"
ns_param sslcontext            ssl_incoming_requests_context
ns_param port                  $httpsport
ns_param hostname              $hostname
ns_param address               $address