How to use IPTables to forward HTTP default port to nodeBB
You may wish, for several reasons, to have only Node.js serve nodeBB, such as:
- Saving RAM by running one less service, as you won't use Nginx or Apache
- Having all the functionalities by using websocket, as Nginx < 1.2 does not support it
But you also can't bind Node.js to port 80 without root privileges, and for security reasons, it's recommended not to.
If you don't plan to use multiple virtual hosts, then I have a solution for you.
Port forwarding using iptables
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 4567 -j ACCEPT
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 4567
This redirects port 80 of eth0 to port 4567.
The advantages of doing this are the following:
iptables port forwarding is significantly lighter weight than proxifying using nginx or anything else. Iptables port forwarding merely changes the destination header in the packets and delivers them, meaning it's a layer 3 fix, as well as happening in kernel space.
Using nginx as a proxy is a layer 7 fix, meaning it's much more complex, as well as happening in user space.
- More secure, as you now have 0 programs with root privileges handling HTTP traffic
- Better performance, Node.js event handling is faster than Nginx's, and I'm not even talking about Node.js vs Nginx reverse proxifying Node.js...
The first drawback I noticed while doing this is that nodeBB is for now not able to handle SSL/TLS on its own, or at least be configured with an SSL certificate. I could be wrong here, but I found nothing relevant on this subject.
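To remove the iptables packet forwarding, say to install Nginx to handle SSL/TLS (HTTPS) and SPDY HTTP/2:
# Delete by full rule spec: -D INPUT 1 removes whatever rule is first in the chain, and -A appended these at the end
sudo iptables -D INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -D INPUT -i eth0 -p tcp --dport 4567 -j ACCEPT
sudo iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 4567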
I'm posting this tutorial as I found nothing very clear on how to do it,
hope it helps.
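The add and remove steps from the post above as one idempotent script, as an added example that is not part of the original post. It assumes the post's interface (eth0) and NodeBB port (4567); the function names and the `ipt` wrapper are hypothetical. Rules are checked with `iptables -C` before being appended and are deleted by their full spec, so unrelated rules already in the chains are never touched.

```shell
#!/bin/sh
# Added example: idempotent add/remove of the thread's three rules.
# Assumptions: interface eth0 and NodeBB on port 4567, as in the post above.
IFACE="${IFACE:-eth0}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"
NODEBB_PORT="${NODEBB_PORT:-4567}"

# ipt wraps the real command so it can be swapped out for a dry run.
ipt() { sudo iptables "$@" </dev/null; }

# The three rule specs, one per line: "<table> <chain> <match and target>".
rules() {
  echo "filter INPUT -i $IFACE -p tcp --dport $PUBLIC_PORT -j ACCEPT"
  echo "filter INPUT -i $IFACE -p tcp --dport $NODEBB_PORT -j ACCEPT"
  echo "nat PREROUTING -i $IFACE -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-port $NODEBB_PORT"
}

# forward_add appends each rule only if -C (check) reports it missing.
forward_add() {
  rules | while read -r table chain spec; do
    # $spec is left unquoted on purpose: it is a list of iptables arguments.
    ipt -t "$table" -C "$chain" $spec 2>/dev/null ||
      ipt -t "$table" -A "$chain" $spec
  done
}

# forward_del deletes by full rule spec, never by position,
# and repeats until no copy of the rule is left.
forward_del() {
  rules | while read -r table chain spec; do
    while ipt -t "$table" -C "$chain" $spec 2>/dev/null; do
      ipt -t "$table" -D "$chain" $spec
    done
  done
}

# Usage: ./nodebb-forward.sh add | del   (script name is a placeholder)
case "${1:-}" in
  add) forward_add ;;
  del) forward_del ;;
esac
```
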
But to be honest, it's less RAM consumption against slower static file serving. Is it really better?
Nginx other than SSL also does gzip, load balancing, caching and a lot of other fancy stuff.
I could not imagine my life without nginx at the moment :P
Nice tutorial! Good to know iptables can be used to forward ports like this.
I do believe NodeBB can be configured to terminate SSL certificates, but it hasn't been done in a while because we much prefer nginx.