Any downside of running Koha's z39.50 service on port 210?
Hi all,

Most typical Koha z39.50 setups seem to run it on non-privileged port 9999. Now 210 tcp/udp is earmarked for z3950.

Question: with a package based install is there any possible downside (especially security wise) to run on port 210? Anything that I should particularly look out for?

thanks in anticipation
-idg

--
Indranil Das Gupta
L2C2 Technologies
Phone : +91-98300-20971
IRC : indradg on irc://irc.freenode.net
Twitter : indradg
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-
Please exchange editable Office documents only in ODF Format. No other format is acceptable. Support Open Standards.
For a free editor supporting ODF, please visit LibreOffice - http://www.documentfoundation.org

Hi,

On Thu, Apr 14, 2016 at 5:55 PM, Indranil Das Gupta <indradg@gmail.com> wrote:
> Now 210 tcp/udp is earmarked for z3950.
> Question: with a package based install is there any possible downside (especially security wise) to run on port 210? Anything that I should particularly look out for?

Since by default, only root can bind to ports less than 1024, the stock koha-start-zebra won't let you do it, as it changes user to the Koha instance user before starting zebrasrv. However, there are several ways around this:

- use iptables to forward port 210 to zebrasrv
- run metaproxy or yazproxy to listen on port 210 and pass queries on to zebrasrv; if you expect that the Z39.50 target will be heavily used, this approach can also save system resources, as metaproxy can cache query results.
- use capabilities and grant zebrasrv an exception so that it can bind on a privileged port
- just use a non-privileged port; I don't know of any Z39.50 clients that don't let the user specify a non-default port.

Regards,

Galen
--
Galen Charlton
Infrastructure and Added Services Manager
Equinox Software, Inc. / Open Your Library
email: gmc@esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org

Hi,

On Apr 15, 2016 7:44 PM, "Galen Charlton" <gmc@esilibrary.com> wrote:
> Hi,
>
> On Thu, Apr 14, 2016 at 5:55 PM, Indranil Das Gupta <indradg@gmail.com> wrote:

<snipped>

> - run metaproxy or yazproxy to listen on port 210 and pass queries on to zebrasrv; if you expect that the Z39.50 target will be heavily used, this approach can also save system resources, as metaproxy can cache query results.

Thanks! This is a good tip!

> - use capabilities and grant zebrasrv an exception so that it can bind on a privileged port

Setcap-ing /usr/bin/zebrasrv-2.0 is what I had done before posting. But this being the first time pushing it on anything other than 9999, I wanted to know if there are any gotchas that I should keep in mind :-)

> Regards,
> Galen

Thanks a lot!
Indranil
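
A check for the capabilities approach discussed in this thread, added here as an example and not part of either poster's message: it classifies `getcap` output for the binary (handling both the older and newer libcap output formats) and reports whether any local user may execute it. The function names `cap_verdict` and `world_exec` are hypothetical; the default path is the one mentioned in the thread.

```shell
#!/bin/sh
# Added example: audit a file capability granted with setcap so a daemon can
# bind a port below 1024. Function names are hypothetical; sample lines in the
# test are constructed.

# cap_verdict PATH LINE -> prints none | bind-only | excess | mismatch
# LINE is one line of `getcap PATH` output. Older libcap prints
# "PATH = cap_net_bind_service+ep", newer prints "PATH cap_net_bind_service=ep".
cap_verdict() {
    path=$1 line=$2
    # getcap prints nothing when no capability is set, e.g. after a package
    # upgrade replaced the binary and with it the capability xattr.
    [ -n "$line" ] || { echo none; return 0; }
    rest=${line#"$path"}
    [ "$rest" != "$line" ] || { echo mismatch; return 0; }
    rest=${rest#" = "}   # older format separator
    rest=${rest#" "}     # newer format separator
    case $rest in
        cap_net_bind_service[+=]ep|cap_net_bind_service[+=]eip) echo bind-only ;;
        *) echo excess ;;  # extra capabilities, or "=ep" (every capability)
    esac
}

# world_exec PATH -> true if "other" may execute PATH. A file capability applies
# to whoever executes the file, so this widens who can bind low ports.
world_exec() {
    [ -n "$(find -H "$1" -prune -perm -0001 2>/dev/null)" ]
}

# Path taken from the thread; override with the first argument.
BIN=${1:-/usr/bin/zebrasrv-2.0}
if command -v getcap >/dev/null 2>&1 && [ -e "$BIN" ]; then
    printf '%s: capabilities=%s world-executable=%s\n' "$BIN" \
        "$(cap_verdict "$BIN" "$(getcap "$BIN" 2>/dev/null)")" \
        "$(world_exec "$BIN" && echo yes || echo no)"
fi
```

A verdict of `none` after an upgrade means the capability has to be granted again; `excess` means the binary holds more than the port-binding exception.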