Why though? I see intermittent availability, battery drain and security being issues and I don’t see any up-sides.
also why would every person need a webpage? i can at least get social media where you can see other people’s pages or posts or whatever and comment on it or chat through the service. but that won’t work if we all have different webpages.
One man’s “battery drain” is another man’s “built-in UPS.”
And it would be complicated to implement when you’re switching networks all the time.
Assuming you’re hosting on a cellular network, but actually to run a small site on a local network connected by wifi it would be an option. Not necessarily the best option, but doable and yeah the battery life could be useful for intermittent power situations.
The reason you can’t host as port 80 on unmodified Android isn’t because “Google won’t let you.” Android is open source. You can do what you want with it. Android runs on Linux, and ports 0-1023 are privileged ports that can only be used as root.
Unmodified Android does not allow userland apps to run as root for very good reasons, so you don’t have access to these ports. That’s all there is to it. If you attempted to do the same thing on Ubuntu, you would also not be able to use port 80 without root.
However, this is a naive approach to hosting a website. Production web stacks, when hosted on a machine, typically use a least-privileged model where not only ports are banned, but most file access is, too.
Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.
If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?
It’s also not practical. Why would I want outside people connecting to my phone constantly? Security risk? Battery drain? Inconsistent IP Address? Just host it somewhere designed for hosting lol
The other issue is phones would not typically have a public IP without ipv6. You are also unlikely to have a static (consistent) IP address.
I don’t think it’s a great idea to host a website on cellular data. If I had to serve something with a mobile device, I’d use USB networking, or a USB to Ethernet adapter.
You don’t need root to run on port 80, though. And on Ubuntu you can run a server on port 80 as well as long as the software is set up right. It’s the easiest way (and the way the “just disable SELinux” guides often recommend) but there are much better mechanisms for that.
Even if you start nginx as root under normal circumstances, nginx will drop privileges and switch to another user ID exactly because of the root user risks. Nobody wants to run web servers as root, and nobody wants Android to just add root capabilities to the standard config.
All you need is to either set CAP_NET_BIND_SERVICE=+ep on the web server or to alter net.ipv4.ip_unprivileged_port_start (just set it to 0 in your system image and ports will just work). The kernel can do this dynamically, like it handles most sandboxing and permissions. The sysctl config is a setting you can just change and one Google could fix with just a single line of code.
Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.
Well, yeah, but Nginx will still need to run on some kind of port. 80 and 443 for standard web browsers. http/3 can work on any port, but support is still in beta for most web servers and leaves out a ton of clients.
If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?
I don’t use NAT for most of my services to be honest. I have about four billion IPv6 addresses available, and nginx reverse proxies work just fine for legacy IPv4 stuff.
“Just compile your own Android” isn’t the solution you may think it is. Custom ROMs are a massive pain. Unlocking the bootloader to install it will do all kinds of weird things. Things like “wiping all data” for one, and sometimes also clearing the DRM keys, breaking streaming apps on the device forever. On some Samsung phones, unlocking the bootloader will disable the camera firmware, breaking most camera features until the bootloader is locked again.
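An added example, not part of any comment in this thread: a small Linux diagnostic that applies the rule discussed above, where binding a port below net.ipv4.ip_unprivileged_port_start requires CAP_NET_BIND_SERVICE (capability bit 10) rather than uid 0 as such. The two status excerpts and the process name in them are constructed sample data; `live_check` assumes a Linux host with /proc mounted.

```python
import socket

CAP_NET_BIND_SERVICE = 10  # bit number in linux/capability.h
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

# Constructed /proc/<pid>/status excerpts (not captured from a real device).
STATUS_APP = "Name:\thttpd\nUid:\t10123\t10123\t10123\t10123\nCapEff:\t0000000000000000\n"
STATUS_SETCAP = "Name:\thttpd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def bind_allowed(port, cap_eff, unprivileged_start=1024):
    """Kernel rule: a port below the sysctl value needs CAP_NET_BIND_SERVICE.

    The uid is not consulted; root passes only because it normally holds the
    capability. Port 0 requests an ephemeral port and is never restricted.
    """
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port == 0 or port >= unprivileged_start:
        return True
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)


def live_check(port):
    """Return (predicted, actual) for a real bind() on this Linux host."""
    with open("/proc/self/status") as f:
        cap_eff = parse_cap_eff(f.read())
    with open(SYSCTL) as f:
        start = int(f.read())
    predicted = bind_allowed(port, cap_eff, start)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            actual = True
        except PermissionError:
            actual = False
        except OSError:
            actual = None  # port busy etc.: says nothing about privilege
    return predicted, actual


if __name__ == "__main__":
    for name, text in (("plain app", STATUS_APP), ("setcap'd server", STATUS_SETCAP)):
        caps = parse_cap_eff(text)
        print(name, "port 80:", bind_allowed(80, caps), "| sysctl=0:", bind_allowed(80, caps, 0))
    print("this process, port 80 (predicted, actual):", live_check(80))
```

A mismatch between the predicted and actual values on a real host usually means the process is confined by something other than the capability check, such as an LSM policy.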
I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.
If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.
I’m not sure what the security benefits of privileged ports are. Any user can run RDP, OpenVPN/Wireguard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.
macOS abolished them a while ago and I don’t believe macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.
As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!
I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWRT router or something of that nature.
Why would anyone want this
A cheap pi can host a website. And your phone can too. The reason not to do so is impracticality.
This might be possible using cloudflared: https://news.ycombinator.com/item?id=37086455#37101789
This is like Apple not allowing you to have root access to your device. Today we’ve computers in our pockets that are more powerful than laptops from 10 years ago yet we can’t use them because they’re locked down. :(
from the linked article:
The reason I think this is needed is because a large percent of Internet users cannot afford hosting personal websites.
that isn’t really the case these days. there are a bunch of free options available–from companies large and small, non-profits and user groups, shared public servers, etc. you can’t run a large download server or a resource-hogging scripted application off something like that, but you won’t be doing those things off your phone and mobile data, either.
I’m not so sure. India isn’t known for its high spend on Amazon cloud fees. Billions of people are stuck behind mobile 4G with little spending money to actually host anything.
Free services exist, but they’re far less capable than just hosting a simple server on an old phone stuck to a charger in a cupboard somewhere. I’ve used shared hosting for ages and it’s just not great.
Data costs are a thing, but there are a lot of “unlimited 2G speed” subscriptions that provide opportunities for personal projects and services.
There are options, of course. Tor works well for hosting a service and it’s pretty secure too. Remembering the hostname and linking others is just a huge pain.
If you’re sticking an old device into a closet stuck to a charger, a phone is like the worst thing for that. Heck, even an old laptop running Linux would probably allow you to charge it, have an external HDD, and Ethernet at the same time, which already puts it miles ahead of a phone.
Android is open source, so if you really want to do this with an old device, you can build yourself a custom rom and do so. But there is no way that it’s a good play for Google to spend engineering time and resources to build something that is at best a poor replacement for countless existing solutions.
I think a root app that runs on Android 4 would work but the devs would have to implement modern standards (TLS 1.2) themselves, the performance would be bad and the phone will probably have known security vulnerabilities.
There’s not really anything stopping someone from writing the necessary code to make this work, but why do that when you can use an always-online, non-battery-powered computer as your web server?
Phones are more powerful than a Raspberry Pi, even have more RAM these days, come with a built in UPS, and have tons of hardware to access nearby devices. That’s pretty useful in tons of situations, like monitoring services, IoT servers, whatever you want.
The battery in a phone only functions as a UPS if it’s plugged in 24/7, in which case it isn’t usable as a phone.
An old phone plugged into a car or left on top of a cupboard is still a phone. It has Bluetooth capabilities, Google Assistant, GPS for use in cars, the list goes on. People use them as wall interfaces for IoT interfaces, so why can’t you just run Home Assistant on them directly?
Plus, phones provide cellular data and actual phone calls, something that’s very expensive to plug into a raspberry pi or comparable micro server.
I have a couple rooted Android 4 phones that I could use but they would be rather slow and have security vulnerabilities. Unless someone makes a custom ROM for the obscure models I have, these problems won’t go away.
I don’t think it’s a good idea. Most people are not tech-oriented, which means it will be a huge security risk. And I want my smartphone to be a phone first and foremost. I want it to have a good battery life so that if I need to make an emergency call, I can rely on it.
I hope you do realise that this is already possible on mobile devices, it’s just not possible to use a few specific restricted ports.
I just found ServeIt on fdroid. I tried it with a simple html website and it works on my phone. It does exactly what you ask.
Does it run on port 80?
On my non-jailbroken phone it doesn’t. The default port is 8888 and you can change it, but it doesn’t start if you specify 80. I don’t know if jailbreaking allows that.
I have to add that it shouldn’t matter much though. If anyone is around you, which would be the main use case, it provides you with a QR code that they can scan and view your website.
Yeah and if you really want it to be accessible from WAN, just forward port 80 on your router to the phone.
The reason I think this is needed is because a large percent of Internet users cannot afford hosting personal websites.
A number of cloud providers offer an always-free tier.
https://github.com/cloudcommunity/Cloud-Free-Tier-Comparison
True, but those are either available in limited supply in any nearby location, only free for a short while or provide servers that are slower than a smartphone.
You can set up a VPN with port forwards to get around this problem, but that’s a waste of a server in some kind of data center when the phone itself would be perfectly capable anyway.
Things intended for local use, like Pihole also don’t work on cloud servers without getting banned for DNS abuse.
Things intended for local use, like Pihole also don’t work on cloud servers without getting banned for DNS abuse.
Are you talking about running a public DNS resolver?
That’s a very different topic that wasn’t part of the original post as far as I can tell.
There have always been (and there always will be) countless solutions for hosting a website for free. Even ignoring the security implications, mobile networks are not designed to do what you want to do. Full stop. If you can’t find a cloud provider in 2023 that will host a free website that will meet your needs, you aren’t looking hard enough.
Mobile providers spend billions in CAPEX every single year to keep up with ever-increasing demand (spectrum, base stations, radios, antennas, etc.) and even then they can barely keep up in some areas.
Every device attached to a given cell shares the resources of that cell. And uplink bandwidth is specifically scarce. Don’t be a bad neighbor.
What are you talking about? GitHub pages is just one example of a web page host that’s free for everyone, super fast and reliable.
Even if you need to host something that has a backend, there are free options with significantly fewer downsides than hosting on your phone.
Cloud servers may be a bad solution for things like Pihole, but your phone would be dead in four hours if you were forcing it to stay awake to respond to every DNS request on your network.
If you’re talking about using your phone as a stationary server that you leave plugged in, isn’t that just an extremely overpriced raspberry pi with no free IO ports?
It’s an interesting idea, but it’s just so much worse than any other option that I can’t imagine anyone seriously wanting to do it.
No thanks. Linode lets you set up a cheap server for $5 a month, my cellphone is 30$ a month with limited data, and my house is basically a faraday cage.
So just because it doesn’t make sense for you… it shouldn’t be allowed at all?
The end user experience for your website would be terrible and inconsistent, phones don’t have the kind of uptime and availability that you would need, and keeping them plugged in 24/7 in a closet doing computational tasks is a good way to end up with battery bulge and one spicy mini pillow.
There are too many nefarious purposes that could benefit from being able to serve public web services from your smartphone and no consumer benefits that average people would care about.
Fortunately it doesn’t matter what I want to allow and is up to the cellular service providers which have all kinds of stipulations about what constitutes as service abuse and using an inordinate amount of bandwidth is usually one of them.
So for security safety and service stability reasons, yeah, there is no legitimate reason why it SHOULD be allowed. Just spend the $5 monthly on the hardware and bandwidth instead of potentially making your neighbors’ cell data worse or setting your house on fire/blowing up your closet just so you can have an unconventional web server.
The end user experience for your website would be terrible and inconsistent
The internet is a massive hodge-podge of different devices. There’s literally no difference in how it’s done now already. Walking through my datacenter I see 10th gen dells still in service.
phones don’t have the kind of uptime and availability that you would need
For homelab? or setting up a personal lemmy instance? It really depends on the purpose. And the premise from the OP has been “personal”.
keeping them plugged in 24/7 in a closet doing computational tasks is a good way to end up with battery bulge and one spicy mini pillow.
Many phones do “only charge to 80%” sort of setting. Negates this nearly completely.
Fortunately it doesn’t matter what I want to allow and is up to the cellular service providers which have all kinds of stipulations about what constitutes as service abuse and using an inordinate amount of bandwidth is usually one of them.
Phones can connect to other services you know… It’s not all about cellular. And many phone companies support home/business connections over their network.
So for security safety and service stability reasons, yeah, there is no legitimate reason why it SHOULD be allowed.
There’s tons of legitimate reasons… Such as I want to do what I want with my device.
It would be pretty trivial to do a webv3 IPNS:// website on a phone.
It would be slow. It would consume extra battery. The IPFS network could cache it, if it were under a certain size. You could always pay to pin it, but then it doesn’t matter if it’s being hosted from your cell phone anymore.
I stopped reading at webv3.
Yeah I could see that some people don’t have any interest.
To me the true interesting part about it is that there’s no port forwarding, no firewall. The site (under a certain size) automatically gets cached in the network for free. It’s kind of like putting something out in an organized torrent. You don’t have to host it for any one particular IP or place. It solves just about every complaint that everyone was listing in this post for why it’s not reasonable. You simply sign it with your key and the name service keeps the latest version up to date for you. If you bought a new phone or wanted to use a desktop or wherever in the hell you want, your signed content just has to be available once a day to freshen the IPNS record.
IOW you’ve turned it into a thought-terminating cliche.