Thank You Olaf
===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

----- Original Message -----
From: "Olaf Kock" <tom...@olafkock.de>
To: "users" <users@tomcat.apache.org>
Sent: Friday, March 16, 2018 7:21:26 AM
Subject: Re: Binding a non root user to port 443

Chris,

On 15.03.2018 13:34, Cheltenham, Chris wrote:
> Andre,
>
> You probably missed where I had mentioned the infrastructure group poo poo'd
> altering iptables for whatever reason.
>
> Here is what I think are my 5 best choices for running tomcat as a non root
> user on a privileged port.
>
> 1) redirect 443 to 8443 on the load balancer. VIP side.
>
> 2) iptables
>
> 3) jsvc
>
> 4) authbind
>
> 5) set cap
>
> I do NOT have control of the VIP so I can only make suggestions based on
> what I have control of.

I don't understand. I always make suggestions for areas that I don't have control of. It'd be frightening if I didn't, because that would mean that I'd control too much.

IMHO 1 is the best point: The loadbalancer balances something anyway - you'd just document the application it should balance and the ports it should be available under. You probably can't tell them they need to bind another port than 443 /on their frontend/, but you should certainly be able to tell them where your application lives that they should connect to in the backend. That's a configuration they'd have to make anyway and I hope they'd not be opposed to entering a port number.

> Therefore, the latter three are what I am looking into.
>
> I do not like set cap because it opens up ALL the privileged ports to a
> binary, such as java or http.
> Authbind is an install of a potentially buggy or unsecure software.

another reason for 1...

> I am not really sure how my post warranted so much attention but I
> appreciate it.

well, you posted a question, gave the background - that's what this list is for.

Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
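
An audit for the setcap concern raised in the thread, as an added example that is not part of the original messages: CAP_NET_BIND_SERVICE is not scoped to a single port, so this Python script parses `getcap -r` output and lists every file that may bind any port below 1024, marking general-purpose runtimes such as java. The sample output, the `RUNTIMES` set and the function name are constructed for illustration, and the parser assumes one capability clause per line.

```python
import re

# Constructed sample of `getcap -r /` output (not taken from the thread).
# Older libcap prints "path = caps+flags"; newer releases print "path caps=flags".
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/lib/jvm/java-8-openjdk/bin/java = cap_net_bind_service+ep
/usr/sbin/httpd cap_net_bind_service=ep
/opt/tool/bin/helper cap_net_bind_service,cap_net_admin=eip
/opt/tool/bin/inherit-only cap_net_bind_service=i
"""

# Hypothetical list of general-purpose runtimes: a capability on one of these
# extends to any program the runtime is asked to execute.
RUNTIMES = {"java", "python3", "node", "perl", "ruby"}

LINE_RE = re.compile(
    r"^(?P<path>/.*?)(?: =)? (?P<caps>cap_[a-z0-9_,]+)[=+](?P<flags>[eip]*)$"
)


def audit_bind_capability(getcap_output):
    """List files whose capabilities let them bind any port below 1024."""
    findings = []
    for line in getcap_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        caps = match.group("caps").split(",")
        flags = match.group("flags")
        # Only the permitted set (p) reaches the process on exec; an
        # inheritable-only entry grants nothing by itself.
        if "cap_net_bind_service" not in caps or "p" not in flags:
            continue
        path = match.group("path")
        findings.append({
            "path": path,
            "runtime": path.rsplit("/", 1)[-1] in RUNTIMES,
            "other_caps": sorted(set(caps) - {"cap_net_bind_service"}),
        })
    return findings


if __name__ == "__main__":
    for f in audit_bind_capability(SAMPLE_GETCAP):
        note = "runtime: covers any code it runs" if f["runtime"] else "single program"
        print(f"{f['path']}: all ports < 1024 ({note}); also holds {f['other_caps']}")
```

On a real host, feed the function the text printed by `getcap -r /` instead of the constructed sample.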