Igal,
On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:
> On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
>>> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
>>> Subject: Re: This is weird: can't bind to 443
>>>> Binding on ports < 1024 on Linux requires elevated
>>>> permissions, no?
>>> If so, somebody please elaborate.
>> That's a Linux restriction/feature - must be superuser to use the
>> low port numbers.
>
> I recommend fronting Tomcat with a web server like nginx or httpd,

This is an okay solution, but it requires another component to be installed/configured. Looks like James already has httpd installed, so it's just a bit more configuration. It's one more thing to get wrong, though, and it gives you a small performance hit.

> but see also two solutions from
> http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/
>
> 1) have Tomcat listen on a higher port and redirect traffic from
> port 80 to the higher port in iptables

This is an okay solution, but it's ugly(ish) and highly undiscoverable. I can't remember the last time I did a netstat and immediately thought "hey, I wonder if any of those bound ports are being redirected by iptables?"

> 2) set `AUTHBIND=yes` in /etc/defaults/tomcat7

That needs to be /etc/default/tomcat[version].

I did a little digging into how this works because I was curious. Obviously, it uses authbind. But that script automatically adds the following file to /etc/authbind/byuid/[tomcat-uid]:

0.0.0.0/0:1,1023
::/0,1-1023

This allows the tomcat user to bind to ports between 1 and 1023 on IPv4 and IPv6 addresses. I would personally lock this down even further and enumerate the ports you expect to use, but it's possible that the service runner (systemd in this case) may clobber the permissions at some future point.
-chris
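Two points in the message above lend themselves to a small script: narrowing the authbind grant to the ports you actually expect to use instead of 1-1023, and making iptables redirects discoverable rather than relying on netstat. The following is an added example, not code from the thread or from the Debian tomcat packaging. It assumes the byuid file format is exactly the one quoted in the message (`0.0.0.0/0:1,1023` for IPv4, `::/0,1-1023` for IPv6) and reads `iptables-save` output, here replaced by a constructed sample.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# 1) authbind_rules: print an authbind byuid file that allows only the
#    enumerated ports, in the format the message quotes for the
#    Debian-generated file (IPv4 "addr/len:min,max", IPv6 "addr/len,min-max").
#    Assumption: that format is what the installed authbind expects.
authbind_rules() {
    for port in "$@"; do
        printf '0.0.0.0/0:%s,%s\n' "$port" "$port"   # IPv4 rule for this one port
        printf '::/0,%s-%s\n' "$port" "$port"        # IPv6 rule for this one port
    done
}

# 2) redirected_ports: read iptables-save output on stdin and print
#    "from->to" for every nat-table REDIRECT rule, so a port that netstat
#    shows as bound on a high number is visibly the target of a redirect.
redirected_ports() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*nat" -> current table name
        table == "nat" && /-j REDIRECT/ {
            from = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") from = $(i + 1)
                if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
            }
            if (from != "" && to != "") print from "->" to
        }'
}

# Constructed sample of iptables-save output (not captured from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# Usage: on a live host you would run "iptables-save | redirected_ports"
# and write the authbind_rules output to /etc/authbind/byuid/<tomcat-uid>.
echo "# authbind byuid content restricted to 80 and 443:"
authbind_rules 80 443
echo "# REDIRECT rules found in the constructed sample:"
printf '%s\n' "$SAMPLE_RULES" | redirected_ports
```

Note that the generated file still has to survive the package's init script, which rewrites the byuid file when `AUTHBIND=yes`; the message's caveat about the service runner clobbering the permissions applies to this narrowed version just as much.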