Accessing Privileged Ports from HTTP/2 Server

The secret incantation for granting network capabilities

Joe Honton
Apr 25 · 2 min read

In this episode Ivana learns how to grant Node.js network capabilities so that she can use port 443 for her HTTP/2 Server. Previously on Tangled Web Services, Devin learned how to set up LetsEncrypt certificates that never expire.

Ivana just put the finishing touches on the custom website she developed for the art supply store Rock Paper Scissors. She was ready to put it into production.

Over the past couple of months everything had been developed and tested on her staging server which was configured to listen on port 8443. Browser access to the staging area was through the URL:

https://rock-paper-scissor.com:8443

Ivana needed to make the server available to the general public on port 443 instead of port 8443. But she knew that ports 0 through 1023 are well-known system ports and that access to them was forbidden by unprivileged software.

The HTTP/2 Server that she was deploying is a Node.js server. Any Node.js server started as a non-root user, runs as a userland process, and is not allowed to access system ports. This is true whether it is executing from a terminal window in the foreground, or with a background daemon using PM2, or directly under the control of systemd.

There was no way she would entertain the possibility of starting the server as root. There were just too many inherent risks.

Ivana researched what it would take to allow Node.js to directly listen on port 443 as user rwserve. She learned that the Linux command to override the restriction is the set capabilities command setcap. And the magic incantation to give Node.js network privileges is:

setcap 'cap_net_bind_service=+ep' /usr/bin/node

where cap_net_bind_service is the capability to bind a socket to privileged ports; the value +ep says to add the capabilities "effective" and "permitted"; and the target is the Node.js executable, located at /usr/bin/node.

This did the trick. Now she could access Rock Paper Scissors’ website at https://rock-paper-scissors.com using the well-known port 443.


Ivana was feeling on top of the world. She decided it was time to really get a handle on Linux, but with so many distros it was hard to figure out where to start. Ubuntu, Fedora, Gentoo, Arch?

· · · EPISODE 3 · · · · · · · TANGLED WEB SERVICES · · · · · · · EPISODE 5 · · ·


Joe Honton

Written by

Using distraction-free tools for better reading, writing and publishing, and loving it!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade