David Smith wrote:
> Ahhh the joy of *nix operating systems. Way back in the distant past of
> unix systems, someone decided it was a bad idea to allow any user on the
> system to bind to the well known low ports (1 - 1024) where officially
> sanctioned services (POP, SMTP, FTP, etc., ...) should be. A great idea
> except it also required the services to be running as a privileged user
> to gain access. For a lot of reasons, services should run with the
> least privilege.

This kludge was forgivable on "multi-user" systems (anyone remember
them?) but makes things worse on secure servers; unfortunately you
seem to have to recompile the kernel to switch it off...

> A couple of the most common solutions to this problem are:
>
> 1. Start tomcat using jsvc. You can get it from the commons-daemon
> project at http://jakarta.apache.org/commons/daemon
>
> 2. Run tomcat on a higher port like 8443 and attempt to use iptables to
> divert the traffic intended for 443 to tomcat. I'm a bit dubious whether
> this will work with an SSL connection. You can try it if you like.

It works as well for HTTPS as it does for HTTP (i.e. fine) but you may
nevertheless prefer to avoid configuring port redirection into iptables.

> My vote is for 1. It's easy and tomcat can act as a well behaved,
> respectable service running with minimum privilege while still capturing
> a "privileged" port.

I opted for 2 (have used this in production a coupla years now) as
it doesn't involve any software you wouldn't have to use anyway (if
someone discovers a security vulnerability in jsvc tomorrow I shall
be smugly smiling) but realistically there's nothing in it and the
choice is yours...

Paul Singleton

> --David
>
> Faheem Mitha wrote:
> > Hi,
> >
> > I can now get tomcat to run an ssl connector at port 8443 (Debian
> > default), but it doesn't work if I try to run it at 443.
> >
> > The log says:
> >
> > Apr 17, 2007 12:31:19 AM org.apache.catalina.startup.Catalina start
> > SEVERE: Catalina.start:
> > LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.net.BindException: Permission denied:443
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1096)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:459)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >     at java.lang.reflect.Method.invoke(Method.java:585)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
> >
> > My server.xml config now says
> >
> > <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
> > <Connector address="core.dulci.org" port="443"
> >            maxHttpHeaderSize="8192"
> >            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >            enableLookups="false" disableUploadTimeout="true"
> >            acceptCount="100" scheme="https" secure="true"
> >            clientAuth="false" sslProtocol="TLS" />
> >
> > Any idea what I am missing? I don't think the problem is that apache
> > is blocking 443, because when I turn off apache, I get the same error.
> > In any case, I have configured apache to listen only at the
> > florence.dulci.org:443 interface.
> >
> > Is there an easy way to discover what is listening on a particular
> > port on a particular IP address?
> >
> > Thanks.
> > Faheem.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Paul Singleton
Jambusters Ltd
tel: 01782 750821
fax: 08707 628609
VAT: 777 3904 85
Company no. 04150146
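Two things in the quoted question are worth a concrete check: the distinction between the "Permission denied" Faheem actually got (EACCES, the low-port privilege check David describes) and the "Address already in use" (EADDRINUSE) he would have seen if apache really held port 443, and his closing question of how to tell what is listening on a given ip:port. Day to day the second one is answered by `netstat -lnp` or `ss -lntp`; the script below does the same by reading /proc/net/tcp directly, so the decoding is visible. This is an added example, not code from this thread, from Tomcat or from Debian; it assumes Linux, the /proc/net/tcp table it embeds is constructed, and IPv6 listeners (/proc/net/tcp6) are not covered.

```python
"""Two checks for the situation in this thread, on Linux:

  * classify_bind(): does binding host:port fail with EACCES (the low-port
    privilege check) or EADDRINUSE (someone else, e.g. apache, holds it)?
  * who_listens(): parse /proc/net/tcp to see which socket would claim a
    given ip:port, including wildcard (0.0.0.0) binds, and map its inode
    to a pid.

Added example, not from the tomcat-users thread or from Tomcat.  IPv6
listeners live in /proc/net/tcp6 and are not covered here.
"""
import errno
import os
import socket
import struct

LISTEN_STATE = "0A"  # TCP_LISTEN as printed in the 'st' column of /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host):
#   row 0: 127.0.0.1:443  LISTEN, uid 0,    inode 12345
#   row 1: 0.0.0.0:8443   LISTEN, uid 1000, inode 23456
#   row 2: 127.0.0.1:22   ESTABLISHED (state 01), not a listener
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0200007F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
"""


def classify_bind(host, port):
    """Bind a throwaway TCP socket and say why it failed, in the terms Java's
    BindException uses: 'Permission denied' is EACCES (unprivileged process,
    port < 1024), 'Address already in use' is EADDRINUSE."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "bound"
    except OSError as e:
        if e.errno == errno.EACCES:
            return "permission_denied"
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return "other:%d" % e.errno
    finally:
        s.close()


def decode_addr(hex_addr):
    """'0100007F:01BB' -> ('127.0.0.1', 443).  The kernel prints the IPv4
    address as one little-endian hex word, so the byte order is reversed."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp_text):
    """Yield (ip, port, inode) for every row in LISTEN state."""
    for line in proc_net_tcp_text.strip().splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(fields[1])
        yield ip, port, int(fields[9])


def who_listens(proc_net_tcp_text, ip, port):
    """Listeners that would claim ip:port: an exact match on the address, or a
    wildcard bind, which takes the port on every interface at once."""
    return [(lip, lport, inode) for lip, lport, inode in listeners(proc_net_tcp_text)
            if lport == port and lip in (ip, "0.0.0.0")]


def pid_for_inode(inode):
    """Map a socket inode to its owning pid by scanning /proc/*/fd.  Reading
    another user's fd table needs root, so None may just mean 'not allowed'."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    return int(pid)
        except OSError:  # process exited, or fd table not readable
            continue
    return None


if __name__ == "__main__":
    print("bind 0.0.0.0:443 ->", classify_bind("0.0.0.0", 443))
    text = SAMPLE
    try:
        with open("/proc/net/tcp") as f:  # use the live table when available
            text = f.read()
    except OSError:
        pass
    for ip, port, inode in who_listens(text, "127.0.0.1", 443):
        print("%s:%d is held by pid %s (inode %d)" % (ip, port, pid_for_inode(inode), inode))
```

Run as an unprivileged user the first line prints `permission_denied`, which is exactly what Tomcat's BindException was reporting; `in_use` would have pointed at apache. The wildcard handling matters for the second half of Faheem's question: a process bound to 0.0.0.0:443 owns the port on florence.dulci.org and core.dulci.org alike, so checking only the one address would miss it.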