Chris,

On 8/2/2017 3:10 PM, Christopher Schultz wrote:
On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:
On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
I recommend fronting Tomcat with a web server like nginx or httpd,
This is an okay solution but it requires another component to be
installed/configured. Looks like James already has httpd installed, so
it's just a bit more configuration. It's one more thing to get wrong,
though, and it gives you a small performance hit.
I missed the part about having httpd already installed, you're right, but that would only make it easier to set it up as a reverse proxy.

I agree about the "one more thing to go wrong", but fronting Tomcat with a Web Server gives a performance hit? I mean, sure, now requests for Tomcat have another step to go through, but all of the static resources (assuming there are static resources) will supposedly be handled more efficiently by a web server, no? The added layer usually provides more security as well, provided that the web server doesn't add new vulnerabilities, of course.

I personally use nginx for SSL termination, which I find easier than Tomcat, though it's been many years since I last tried to set up Tomcat with https.

but see also two solutions from
http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/

1) have Tomcat listen on a higher port and redirect traffic from
port 80 to the higher port in iptables
This is an okay solution but it's ugly(ish) and highly undiscoverable.
I can't remember the last time I did a netstat and immediately thought
"hey, I wonder if any of those bound ports are being redirected by
iptables?"
Agreed, but I saw it in a couple of places when I googled "linux run tomcat on port 80" after James asked for elaboration. I'm much more familiar with Windows than Linux (though I am making the migration and actually setting up my first CentOS production server), hence my original reply on this thread was short and with no details.

2) set `AUTHBIND=yes` on /etc/defaults/tomcat7
That needs to be /etc/default/tomcat[version]
I actually thought of editing that before posting, but since the OP mentioned tomcat 7 I decided not to do so.

I did a little digging into how this works because I was curious.
Obviously, it uses authbind. But that script automatically adds the
following file to /etc/authbind/byuid/[tomcat-uid]:

0.0.0.0/0:1,1023
::/0,1-1023

This allows the tomcat user to bind to ports between 1 and 1023 on
IPv4 and IPv6 addresses.

I would personally lock this down even further and enumerate the ports
you expect to use, but it's possible that the service runner (systemd
in this case) may clobber the permissions at some future point.
I was also wondering how it works, but was too busy to look it up. Thanks for sharing your findings.


Igal
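The authbind grant Chris describes above, and his suggestion to enumerate only the ports you expect, as an added example that is not part of this thread: it emits a tightened byuid file for an explicit port list and audits an existing one for broad ranges (the line formats and the /etc/authbind/byuid path come from the thread; the function names and the width threshold are my own assumptions).

```bash
#!/bin/sh
# Added example, not from the thread. Assumes the byuid line formats
# quoted above:  IPv4  addr/len:min,max      IPv6  addr/len,min-max

# Emit byuid lines granting only the listed ports (e.g. 80 443) on any address.
# Redirect the output to /etc/authbind/byuid/<tomcat-uid> (root-owned, mode 644).
authbind_lines_for_ports() {
    for p in "$@"; do
        printf '0.0.0.0/0:%s,%s\n' "$p" "$p"
        printf '::/0,%s-%s\n' "$p" "$p"
    done
}

# Report every grant in FILE wider than MAX_WIDTH ports (default 1, i.e. a
# single port per line). Returns 1 if any broad grant was found, else 0.
# Usage: audit_authbind_file FILE [MAX_WIDTH]
audit_authbind_file() {
    file=$1; max=${2:-1}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *,*-*)  # IPv6 form: range is after the last comma, "min-max"
                range=${line##*,}; lo=${range%-*}; hi=${range#*-} ;;
            *:*,*)  # IPv4 form: range is after the last colon, "min,max"
                range=${line##*:}; lo=${range%,*}; hi=${range#*,} ;;
            *)
                echo "unrecognised line: $line"; rc=1; continue ;;
        esac
        if [ $((hi - lo + 1)) -gt "$max" ]; then
            echo "broad grant: $line (ports $lo-$hi)"
            rc=1
        fi
    done < "$file"
    return $rc
}
```

Run the audit against the file the tomcat package generated to see the 1-1023 grant flagged; regenerate it with the first function once you know which ports the Connector elements actually bind.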

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
