Is there a standard way to run tomcat on port 80 in Redhat Enterprise Linux? We currently have an iptables rule that redirects 80 to port 8080. The service can be opened from port 80 and 8080. Somehow this is more secure... Is this common? Is there a better way? Could the tomcat user be given permission to open port 80 instead?
I searched for it and found several hits. Here are two: 1, 2. I shall leave it to you to work out whether the two links have identical contents; they looked the same in the preview text. A couple more hits: 3, 4. I hope they are of some help.
I clicked on the links and it took me to DuckDuckGo pages. Which tells me that Campbell is paranoid in these NSA-infested times. Unfortunately, DDG didn't forward to the actual articles.
You CAN run Tomcat natively on Port 80. However, since any port below 4096 requires that the app listening on it be running privileged (root), that means that the entire Tomcat server and all its apps are a potential security risk.
There's also a wrapper program that's designed to do for Tomcat what Apache does for itself - start as root, open port 80, then run Tomcat under normal user context. It's available from the Tomcat download site.
Normally, I don't have Tomcat wired directly to port 80, since my services are more complex than just J2EE. So instead I have a reverse proxy fronting it. I had been using Apache for that, but recently moved to Nginx, which is easier to set up for such things. My front-line servers are now nginx and they bounce stuff to Apache, Tomcat and whatever other web servers I want to employ on the backend, doing any port and/or URL translations I need.
There's nothing wrong with using iptables as a minimal-overhead reverse proxy. I was doing that as well until I needed URL-sensitive routing of requests. The real security risk would be in running as root. The only difference that port translation makes is that attackers tend to home in on well-known service ports, but that's true for everything you expose on the Internet.
"privilege" comes from the Latin words for "private" and "law" (legal) and dates to feudal times. To "claim privilege" meant that you were above the laws that applied to the common people.
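The iptables arrangement discussed in this thread, written out as an added example (it is not code from any poster): one function applies the 80 to 8080 redirect for both inbound and locally generated traffic, then accepts connections on the Tomcat port only when they were originally addressed to port 80, which closes the "reachable on both ports" gap the question mentions. The function name `redirect_http_to_tomcat`, the `IPTABLES` variable (set it to `echo` to preview the rules without touching the host), the interface name `eth0` and the availability of the conntrack match extension are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): port 80 -> Tomcat port redirect as a
# function, plus filter rules so the Tomcat port is only reachable through
# the redirect. Assumptions: external interface and Tomcat port are passed
# as arguments; IPTABLES defaults to the real binary and can be set to
# "echo" for a preview; the conntrack match extension is available.

: "${IPTABLES:=iptables}"

# redirect_http_to_tomcat <external-iface> <tomcat-port>
redirect_http_to_tomcat() {
  iface="$1"; tport="$2"
  # Inbound packets to port 80 are rewritten to the Tomcat port before routing.
  # REDIRECT changes the destination to the interface's primary address, not
  # 127.0.0.1, so Tomcat's connector must not be bound to loopback only.
  "$IPTABLES" -t nat -A PREROUTING -i "$iface" -p tcp --dport 80 \
    -j REDIRECT --to-ports "$tport"
  # Locally generated traffic never traverses PREROUTING; cover it in the nat
  # OUTPUT chain so "curl http://localhost/" on the host behaves the same way.
  "$IPTABLES" -t nat -A OUTPUT -o lo -p tcp --dport 80 \
    -j REDIRECT --to-ports "$tport"
  # Accept connections on the Tomcat port only if the connection was
  # originally addressed to port 80, i.e. it came through the redirect...
  "$IPTABLES" -A INPUT -i "$iface" -p tcp --dport "$tport" \
    -m conntrack --ctproto tcp --ctorigdstport 80 -j ACCEPT
  # ...and drop direct connections to the Tomcat port on that interface,
  # so the service is no longer open on both 80 and 8080 from outside.
  "$IPTABLES" -A INPUT -i "$iface" -p tcp --dport "$tport" -j DROP
}

# Usage: sh tomcat-redirect.sh eth0 8080   (IPTABLES=echo sh ... to preview)
if [ "$#" -eq 2 ]; then
  redirect_http_to_tomcat "$1" "$2"
fi
```

Rule order matters: these are appended with `-A`, so an earlier blanket ACCEPT on the INPUT chain would make the final DROP ineffective; check `iptables -L INPUT -n --line-numbers` after applying. On RHEL the live rules are persisted with `service iptables save`, otherwise they vanish at the next reboot.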
John Mercier wrote: Could the tomcat user be given permission to open port 80 instead?
You can use authbind to allow the Tomcat user to bind to port 80.
1. Install authbind
2. # touch /etc/authbind/byport/80
3. # chown tomcat_user:tomcat_group /etc/authbind/byport/80
4. # chmod 755 /etc/authbind/byport/80
5. Modify the startup script to use authbind.
For point 5, here is an example. The startup script may look different from distro to distro, but you should get an idea of how to do this:
ORIGINAL CODE: exec "$PRGDIR"/"$EXECUTABLE" start "$@"
AUTHBIND CODE: exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
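Steps 2 to 4 of the procedure above as a script with input checks and a verifier, added here as an example rather than taken from the post. The function names `grant_port` and `verify_grant`, the `BYPORT_DIR` variable (defaults to `/etc/authbind/byport`, can be pointed at a scratch directory), and the use of GNU `stat(1)` are assumptions of this example; the file-executable-by-user rule it relies on is how authbind decides whether to permit the bind.

```shell
#!/bin/sh
# Added example (not from the post): create the per-port authbind permission
# file with sanity checks, then verify it. Assumptions: BYPORT_DIR defaults
# to /etc/authbind/byport and may be overridden; GNU stat(1) is available.

: "${BYPORT_DIR:=/etc/authbind/byport}"

# grant_port <port> <user> <group>
# authbind consults <BYPORT_DIR>/<port> and allows the bind when that file is
# executable by the calling user, so only the owner's execute bit matters;
# 0500 is sufficient (the post uses 755, which also works). The grant applies
# to anything running as that user, not just Tomcat.
grant_port() {
  port="$1"; user="$2"; group="$3"
  case "$port" in
    ''|*[!0-9]*) echo "grant_port: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -ge 1024 ]; then
    echo "grant_port: $port is not a privileged port, authbind is unnecessary" >&2
    return 1
  fi
  mkdir -p "$BYPORT_DIR"
  : > "$BYPORT_DIR/$port"
  chown "$user:$group" "$BYPORT_DIR/$port"
  chmod 0500 "$BYPORT_DIR/$port"
}

# verify_grant <port> <user>
# Returns 0 if the permission file exists, is owned by <user>, and carries
# the owner execute bit that authbind's helper checks with access(2).
verify_grant() {
  port="$1"; user="$2"; f="$BYPORT_DIR/$port"
  [ -f "$f" ] || { echo "verify_grant: $f does not exist" >&2; return 1; }
  if [ "$(stat -c %u "$f")" != "$(id -u "$user")" ]; then
    echo "verify_grant: $f is not owned by $user" >&2; return 1
  fi
  case "$(stat -c %A "$f")" in
    ???x*) return 0 ;;
    *) echo "verify_grant: $f is not executable by its owner" >&2; return 1 ;;
  esac
}

# Usage (as root): sh authbind-port.sh 80 tomcat tomcat
if [ "$#" -eq 3 ]; then
  grant_port "$1" "$2" "$3" && verify_grant "$1" "$2"
fi
```

After the grant, the `authbind --deep` wrapper in the startup script is what makes the permission reach the JVM that catalina.sh execs; if Tomcat still fails to bind, run `verify_grant` as root against the real `/etc/authbind/byport` before suspecting the startup script.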