tomcat on port 80?

 
Ranch Hand
Posts: 49
Is there a standard way to run tomcat on port 80 in Redhat Enterprise Linux? We currently have an iptables rule that redirects 80 to port 8080. The service can be opened from port 80 and 8080. Somehow this is more secure... Is this common? Is there a better way? Could the tomcat user be given permission to open port 80 instead?
 
Marshal
Posts: 69753
I searched for it and found several hits. Here are two: 1 2. I shall leave it to you to work out whether the two links have identical contents; they looked the same in the preview text. A couple more hits: 3 4. I hope they are of some help.
 
Saloon Keeper
Posts: 22248
I clicked on the links and it took me to DuckDuckGo pages. Which tells me that Campbell is paranoid in these NSA-infested times. Unfortunately, DDG didn't forward to the actual articles.

However.

You CAN run Tomcat natively on Port 80. However, since any port below 4096 requires that the app listening on it be running privileged (root), that means that the entire Tomcat server and all its apps are a potential security risk.

There's also a wrapper program that's designed to do for Tomcat what Apache does for itself - start as root, open port 80, then run Tomcat under normal user context. It's available from the Tomcat download site.

Normally, I don't have Tomcat wired directly to port 80, since my services are more complex than just J2EE. So instead I have a reverse proxy fronting it. I had been using Apache for that, but recently moved to Nginx, which is easier to set up for such things. My front-line servers are now nginx and they bounce stuff to Apache, Tomcat and whatever other web servers I want to employ on the backend, doing any port and/or URL translations I need.

There's nothing wrong with using iptables as a minimal-overhead reverse proxy. I was doing that as well until I needed URL-sensitive routing of requests. The real security risk would be in running as root. The only difference that port translation makes is that attackers tend to home in on well-known service ports, but that's true for everything you expose on the Internet.
 
Ranch Hand
Posts: 310

John Mercier wrote: Could the tomcat user be given permission to open port 80 instead?



You can use authbind to allow the Tomcat user to bind to port 80.

1. Install authbind
2. # touch /etc/authbind/byport/80
3. # chown tomcat_user:tomcat_group /etc/authbind/byport/80
4. # chmod 755 /etc/authbind/byport/80
5. Modify the startup script to use authbind.

For point 5, here is an example. However, from distro to distro, the startup script may look different, but you should get an idea how to do this:
ORIGINAL CODE: exec "$PRGDIR"/"$EXECUTABLE" start "$@"
AUTHBIND CODE: exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
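
An added check for the authbind steps above (not part of the original post and not shipped with authbind): authbind authorises the bind when the calling user has execute access to the `byport` file, so a mode such as 755 lets every local account bind that port, while an owner-only mode such as 500 restricts it to the service account. The function name `check_authbind_port` and the use of GNU `stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the permission file that authbind consults.
# Assumes GNU stat (Linux). check_authbind_port is a made-up helper name.
# Usage: check_authbind_port DIR PORT USER_OR_UID
# Prints: ok | missing | not-executable | world-executable
check_authbind_port() (
    dir=$1 port=$2 user=$3
    file="$dir/$port"
    [ -e "$file" ] || { echo missing; return 1; }

    # Accept a user name or a numeric uid.
    uid=$(id -u "$user" 2>/dev/null) || uid=$user
    gids=$(id -G "$user" 2>/dev/null) || gids=

    # Zero-pad the octal mode to four digits: special, owner, group, other.
    mode=$(printf '%04d' "$(stat -c '%a' "$file")")
    case $mode in
        ???[1357])
            # Execute bit for "other": any local account may bind the port.
            echo world-executable; return 2 ;;
    esac

    if [ "$(stat -c '%u' "$file")" = "$uid" ]; then
        # The owner is judged by the owner bits only.
        case $mode in ?[1357]??) echo ok; return 0 ;; esac
    else
        fgid=$(stat -c '%g' "$file")
        for g in $gids; do
            [ "$g" = "$fgid" ] || continue
            case $mode in ??[1357]?) echo ok; return 0 ;; esac
        done
    fi
    echo not-executable; return 1
)

# Demo on a constructed directory, not the real /etc/authbind/byport.
demo=$(mktemp -d)
touch "$demo/80"
for m in 755 500; do
    chmod "$m" "$demo/80"
    echo "mode $m: $(check_authbind_port "$demo" 80 "$(id -u)")"
done
rm -rf "$demo"
```

On a real host, point it at `/etc/authbind/byport` with the account Tomcat runs as.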
 