Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Jetty/Howto/Port80"
m (set umask to 002 in most cases) |
m |
||
| Line 1: | Line 1: | ||
{{Jetty Howto | {{Jetty Howto | ||
| − | | introduction = | + | | introduction = |
| − | + | On Unix based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non root user. | |
| − | |||
| − | |||
| + | == Using Jetty's setuid feature == | ||
| − | + | Create a Jetty config file as follows: | |
| − | + | ||
| − | + | ||
| − | Create a | + | |
<source lang="xml"> | <source lang="xml"> | ||
| Line 22: | Line 18: | ||
Where you replace: | Where you replace: | ||
| − | * *UMASK* with the umask setting you want the process to have | + | * *UMASK* with the umask setting you want the process to have. |
| + | ** You can remove this line if you don't want to change this at runtime. | ||
| + | ** Set it to 002 if you get an error to the effect that root does not have permission to write to the log file. | ||
* *USERID* with the id of the user you want the process to execute as once the ports have been opened. | * *USERID* with the id of the user you want the process to execute as once the ports have been opened. | ||
{tip:title=Hint} | {tip:title=Hint} | ||
| Line 45: | Line 43: | ||
Leave out the \-shared argument. | Leave out the \-shared argument. | ||
{warning} | {warning} | ||
| − | Then to run jetty as the root user | + | Then to run jetty as the root user: |
| + | |||
| + | # Switch to the userid of your choice. | ||
| + | # Optionally set the umask of your choice). | ||
| + | # Enter the following command: | ||
<source lang="bash"> | <source lang="bash"> | ||
| Line 57: | Line 59: | ||
=== Using ipchains === | === Using ipchains === | ||
| − | On some Linux systems the ipchains REDIRECT mechanism | + | On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel: |
<source lang="bash"> | <source lang="bash"> | ||
| Line 63: | Line 65: | ||
</source> | </source> | ||
| − | This | + | This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it. |
| − | Once | + | Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility. |
=== Using iptables === | === Using iptables === | ||
| Line 75: | Line 77: | ||
</source> | </source> | ||
| − | The underlying model of iptables is different | + | The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall. |
| − | Be careful to place rules like this one early in your "input" chain. Such rules must precede any rule that | + | Be careful to place rules like this one early in your "input" chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as needed if your server needs to listen on multiple ports, as for HTTPS. |
=== Using xinetd === | === Using xinetd === | ||
| − | With modern Linux flavours, inetd has a newer, better big brother xinetd | + | With modern Linux flavours, inetd has a newer, better big brother ''xinetd'', that you can use to redirect network traffic. Since xinetd is driven by text files, all you need is a text editor. For detailed information, see [http://www.xinetd.org/ xinetd]. |
| − | + | ||
| − | + | ||
| − | + | There are two ways to give xinetd instructions: | |
# Add a new service to etc/xinetd.conf | # Add a new service to etc/xinetd.conf | ||
# Add a new file to the directory etc/xinetd.d | # Add a new file to the directory etc/xinetd.d | ||
| − | + | The format is the same, if you have a look at the file/directory, you will get the picture. | |
| − | The following entry | + | The following entry redirects all inward TCP traffic on port 80 to port 8888 on the local machine. You can also redirect to other machines for gimp proxying: |
| − | redirect to other machines for gimp proxying: | + | |
<source lang="text"> | <source lang="text"> | ||
| Line 112: | Line 111: | ||
* Space on either side of the '=' or it is ignored. | * Space on either side of the '=' or it is ignored. | ||
| − | * <tt>type = UNLISTED</tt> means that the name of the service does not have to be in <tt>/etc/services</tt>, but you have to specify port and protocol. If you want to do use an existing service name, | + | * <tt>type = UNLISTED</tt> means that the name of the service does not have to be in <tt>/etc/services</tt>, but you have to specify port and protocol. If you want to do use an existing service name, for example, http: |
<source lang="text"> | <source lang="text"> | ||
service http | service http | ||
| Line 127: | Line 126: | ||
Have a browse in /etc/services and it will all become clear. | Have a browse in /etc/services and it will all become clear. | ||
* Logging may present certain security problems, you might want to leave that out. | * Logging may present certain security problems, you might want to leave that out. | ||
| − | * RHEL5 | + | * RHEL5 doesn't contain xinetd by default for reasons best known to themselves. yum install xinetd fixes that. |
Xinetd is a hugely powerful and configurable system so expect to do some reading. | Xinetd is a hugely powerful and configurable system so expect to do some reading. | ||
| Line 138: | Line 137: | ||
usermod -K defaultpriv=basic,net_privaddr myself | usermod -K defaultpriv=basic,net_privaddr myself | ||
</source> | </source> | ||
| − | Now the <tt>myself</tt> user | + | Now the <tt>myself</tt> user can bind to port 80. |
| − | + | Refer to the [http://docs.sun.com/app/docs/doc/816-4557/prbactm-1?a=view Solaris documentation] for more information. | |
}} | }} | ||
Revision as of 17:55, 25 February 2011
Contents
Introduction
On Unix based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non root user.
Using Jetty's setuid feature
Create a Jetty config file as follows:
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd"> <Configure id="Server" class="org.mortbay.setuid.SetUIDServer"> <Set name="umask">UMASK</Set> <Set name="uid">USERID</Set> </Configure>
Where you replace:
- *UMASK* with the umask setting you want the process to have.
- You can remove this line if you don't want to change this at runtime.
- Set it to 002 if you get an error to the effect that root does not have permission to write to the log file.
- *USERID* with the id of the user you want the process to execute as once the ports have been opened.
{tip:title=Hint} For your convenience, you'll find one of these ready made in the $jetty.home/extras/setuid/etc/jetty-setuid.xml. {tip} Then, you need to build the setuid feature for your operating system, as it requires native libraries. Go to the $jetty.home/extras/setuid directory and follow the instructions in the README.txt file, summarized here as:
> mvn install > gcc -I$JDK_HOME/include/ -I$JDK_HOME/include/linux/ \ -shared src/main/native/org_mortbay_setuid_SetUID.c \ -o ../../lib/ext/libsetuid.so > cp target/jetty-setuid-6.1-SNAPSHOT.jar ../../lib/ext/ > cp etc/jetty-setuid.xml ../../etc
Where:
- *$JDK_HOME* is same as $JAVA_HOME
- *linux* should be replaced by the name of your operating system.
{warning:title=On Solaris} Leave out the \-shared argument. {warning} Then to run jetty as the root user:
- Switch to the userid of your choice.
- Optionally set the umask of your choice).
- Enter the following command:
sudo java -Djava.library.path=lib/ext -jar start.jar etc/jetty-setuid.xml etc/jetty.xml
{warning:title=Note!} You *must* ensure that the etc/jetty-setuid.xml file is first in the list of config files. {warning}
Using ipchains
On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel:
/sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080
This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it.
Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility.
Using iptables
You need to add something like the following to the startup scripts or your firewall rules:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall.
Be careful to place rules like this one early in your "input" chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as needed if your server needs to listen on multiple ports, as for HTTPS.
Using xinetd
With modern Linux flavours, inetd has a newer, better big brother xinetd, that you can use to redirect network traffic. Since xinetd is driven by text files, all you need is a text editor. For detailed information, see xinetd.
There are two ways to give xinetd instructions:
- Add a new service to etc/xinetd.conf
- Add a new file to the directory etc/xinetd.d
The format is the same, if you have a look at the file/directory, you will get the picture.
The following entry redirects all inward TCP traffic on port 80 to port 8888 on the local machine. You can also redirect to other machines for gimp proxying:
service my_redirector
{
type = UNLISTED
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
port = 80
redirect = 127.0.0.1 8888
log_type = FILE /tmp/somefile.log
}Points to Note
- Space on either side of the '=' or it is ignored.
- type = UNLISTED means that the name of the service does not have to be in /etc/services, but you have to specify port and protocol. If you want to do use an existing service name, for example, http:
service http
{
disable = no
socket_type = stream
user = root
wait = no
redirect = 127.0.0.1 8888
log_type = FILE /tmp/somefile.log
}Have a browse in /etc/services and it will all become clear.
- Logging may present certain security problems, you might want to leave that out.
- RHEL5 doesn't contain xinetd by default for reasons best known to themselves. yum install xinetd fixes that.
Xinetd is a hugely powerful and configurable system so expect to do some reading.
Solaris 10 user rights
Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:
usermod -K defaultpriv=basic,net_privaddr myself
Now the myself user can bind to port 80.
Refer to the Solaris documentation for more information.