Ahhh the joy of *nix operating systems. Way back in the distant past of
unix systems, someone decided it was a bad idea to allow any user on the
system to bind to the well known low ports (1 - 1024) where officially
sanctioned services (POP, SMTP, FTP, etc., ...) should be. A great idea
except it also required the services to be running as a privileged user
to gain access. For a lot of reasons, services should run with the
least privilege.
A couple of the most common solutions to this problem are:
1. Start tomcat using jsvc. You can get it from the commons-daemon
project at http://jakarta.apache.org/commons/daemon
2. Run tomcat on a higher port like 8443 and attempt to use iptables to
divert the traffic intended for 443 to tomcat. I'm a bit dubious about
whether this will work with an SSL connection. You can try it if you like.
My vote is for 1. It's easy and tomcat can act as a well behaved,
respectable service running with minimum privilege while still capturing
a "privileged" port.
--David
Faheem Mitha wrote:
Hi,
I can now get tomcat to run an ssl connector at port 8443 (Debian
default), but it doesn't work if I try to run it at 443.
The log says:
Apr 17, 2007 12:31:19 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.net.BindException: Permission denied:443
        at org.apache.catalina.connector.Connector.start(Connector.java:1096)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
My server.xml config now says
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector address="core.dulci.org" port="443"
maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Any idea what I am missing? I don't think the problem is that apache
is blocking 443, because when I turn off apache, I get the same error.
In any case, I have configured apache to listen only at the
florence.dulci.org:443 interface.
Is there an easy way to discover what is listening on a particular
port on a particular IP address?
Thanks.
Faheem.
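Two things come up in this thread that are easy to check from a shell: Faheem's closing question (what is listening on a given port and address) and David's option 2 (redirecting 443 to a higher port with iptables). The script below is an added example, not part of the thread and not Tomcat or Debian code. It assumes Linux with iproute2's ss (netstat -tlnp shows the same information in a slightly different layout) and uses a constructed sample of `ss -Hltnp` output with documentation-range addresses rather than the poster's hosts. Note the distinction the Catalina log makes: "Permission denied" is the privileged-port check, which applies to ports below 1024 whatever address you bind to, so binding to a specific hostname does not get around it; an actual collision with Apache would show up as "Address already in use", and a listener bound to all interfaces (0.0.0.0 or *) collides with every address on that port. The redirect_rules function only prints the iptables commands unless IPT=iptables is set; REDIRECT rewrites the destination port before the TCP handshake, so the TLS session inside it is not affected.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes Linux with
# iproute2's ss; addresses below are constructed from the RFC 5737
# documentation range and are not the poster's hosts.

# Constructed sample of `ss -Hltnp` output (no header line) so the
# functions can be exercised offline. On a live host use:
#     ss -Hltnp | listeners_on 443
SAMPLE_SS='LISTEN 0 128 192.0.2.10:443 0.0.0.0:* users:(("apache2",pid=1234,fd=4))
LISTEN 0 100 *:8443 *:* users:(("java",pid=2345,fd=30))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=600,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=600,fd=4))'

# listeners_on PORT : reads ss lines on stdin and prints "ADDRESS PROCESS"
# for every listening socket bound to PORT. Column 4 is Local Address:Port,
# column 6 the owning process (only shown by ss -p, which needs privilege).
listeners_on() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            if (addr !~ (":" port "$")) next
            sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
            proc = ($6 != "") ? $6 : "-"
            print addr, proc
        }'
}

# bind_conflict ADDR PORT : reads ss lines on stdin; exit 0 (and print why)
# if a new bind of ADDR:PORT would fail with "Address already in use",
# exit 1 if the port is free for that address. A wildcard listener (* or
# 0.0.0.0 or [::]) conflicts with any address, and a wildcard request
# conflicts with any existing listener. ADDR must be numeric, as ss -n prints it.
bind_conflict() {
    listeners_on "$2" | awk -v want="$1" -v port="$2" '
        function wild(a) { return a == "*" || a == "0.0.0.0" || a == "::" || a == "[::]" }
        $1 == want || wild($1) || wild(want) {
            print "conflict: " $1 ":" port " held by " $2
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# redirect_rules PUBLIC_PORT TOMCAT_PORT : David's option 2. Prints (or, with
# IPT=iptables, applies) NAT rules sending traffic for PUBLIC_PORT to
# TOMCAT_PORT, where Tomcat can listen without privilege. PREROUTING only
# sees packets arriving from the network, so a second rule in OUTPUT covers
# connections made from the host itself (e.g. a local curl test).
redirect_rules() {
    ipt="${IPT:-echo iptables}"        # default is a dry run that prints the commands
    $ipt -t nat -A PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
    $ipt -t nat -A OUTPUT -o lo -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | listeners_on 443
printf '%s\n' "$SAMPLE_SS" | bind_conflict 192.0.2.11 443 || echo "192.0.2.11:443 is free of conflicts"
redirect_rules 443 8443
```

On the sample, port 443 is held only by apache2 on 192.0.2.10, so a Tomcat bind to a different address on 443 has no conflict and the remaining obstacle is privilege; port 8443 is held by a wildcard java listener, so nothing else can take 8443 on any address.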
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]