Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Jetty/Howto/Port80"
m |
|||
| (23 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
{{Jetty Howto | {{Jetty Howto | ||
| introduction = | | introduction = | ||
| − | |||
| − | + | {{Jetty Redirect|http://www.eclipse.org/jetty/documentation/current/setting-port80-access.html}} | |
| − | + | {{Jetty Redirect|http://www.eclipse.org/jetty/documentation/current/setuid.html#configuring-setuid}} | |
| − | + | On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non-root user. These include; | |
| − | [[#Using | + | [[#Using ipchains|Using ipchains]] |
| − | [[#Using | + | [[#Using iptables|Using iptables]] |
| + | [[#Configuring Jetty's SetUID Feature|Configuring Jetty's SetUID Feature]] | ||
| + | |||
| + | [[#Using xinetd|Using xinetd]] | ||
| + | |||
| + | [[#Using the Solaris 10 User Rights Management Framework|Using the Solaris 10 User Rights Management Framework]] | ||
| + | |||
| + | |||
| + | == Using ipchains == | ||
| + | |||
| + | On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel (if ipchains is not available, then usually iptables is (see below)): | ||
| + | |||
| + | <source lang="bash"> | ||
| + | /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080 | ||
| + | </source> | ||
| + | |||
| + | This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it. | ||
| + | |||
| + | Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility. | ||
| + | |||
| + | == Using iptables == | ||
| + | |||
| + | On many Linux systems you can use the iptables REDIRECT mechanism to redirect from one port to another inside the kernel (if iptables is not available, then usually ipchains is (see above). | ||
| + | |||
| + | You need to add something like the following to the startup scripts or your firewall rules: | ||
| + | |||
| + | <source lang="bash"> | ||
| + | /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 | ||
| + | </source> | ||
| + | |||
| + | The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall. | ||
| + | |||
| + | Be careful to place rules like this one early in your ''input'' chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS. | ||
== Configuring Jetty's SetUID feature == | == Configuring Jetty's SetUID feature == | ||
| − | + | This extension of [http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/Server.html org.eclipse.jetty.server.Server] will make a JNI call to set the unix UID. This can be used to start the server as root so that privileged ports may be accessed and then switch to a non-root user for security. | |
| + | |||
| + | ===Obtaining the code=== | ||
| + | |||
| + | The SetUID feature is among the Jetty 7 modules that remain at Codehaus, and it retains the mortbay.org package naming. It uses the Jetty 7 package modules at [http://download.eclipse.org/jetty/ Eclipse]. Jetty-hightide at [http://dist.codehaus.org/jetty/ Codehaus] comes with jetty-setuid compiled and configured. | ||
| + | |||
| + | Alternatively, you can download the necessary files from the maven central repository: | ||
| + | |||
| + | * the setuid class jar is at [http://repo1.maven.org/maven2/org/mortbay/jetty/jetty-setuid-java/ jetty-setuid-java] | ||
| + | * a jar file containing the jetty-setuid.xml file is at [http://repo1.maven.org/maven2/org/mortbay/jetty/jetty-setuid-java/ jetty-setuid-config] | ||
| + | * the native library is at [http://repo1.maven.org/maven2/org/mortbay/jetty/libsetuid/ jetty-setuid-lib] | ||
| + | * the jna jar is at [http://repo1.maven.org/maven2/net/java/dev/jna/jna/ jna] | ||
| − | + | Copy the jetty-setuid.jar, and the jna jar to $jetty.home/lib/setuid. Also copy the .so file to $jetty.home/lib/setuid, '''but make sure you rename it "libsetuid.so"'''. Unjar the config jar into $jetty.home. | |
===Creating a Jetty Config File=== | ===Creating a Jetty Config File=== | ||
| Line 34: | Line 76: | ||
Where you replace: | Where you replace: | ||
| − | * | + | * '''UMASK''' with the umask setting you want the process to have. The umask will be set before the server is started. |
** You must enter it in decimal. That is, if you want the effect of umask 022, you must use <Set name="umask">18</Set>. | ** You must enter it in decimal. That is, if you want the effect of umask 022, you must use <Set name="umask">18</Set>. | ||
| − | ** If you prefer | + | ** If you prefer hexadecimal, enter <Set name="umaskOctal">022</Set>. |
** You can remove this line if you don't want to change this at runtime. | ** You can remove this line if you don't want to change this at runtime. | ||
** Set it to 002 if you get an error to the effect that root does not have permission to write to the log file. | ** Set it to 002 if you get an error to the effect that root does not have permission to write to the log file. | ||
| − | * | + | * '''USERID''' with the ID of the user you want the process to execute as once the ports have been opened. |
| − | + | ||
| − | + | {{tip|TIP|For your convenience, if you downloaded [http://dist.codehaus.org/jetty/ jetty-hightide], you'll find one of these ready made in the <tt>$jetty.home/etc/jetty-setuid.xml</tt>.}} | |
| − | + | The default behaviour of the SetUIDServer is to ''only open the Connectors as the privileged user'', and then switch down to the non privileged user to do the rest of the startup sequence, including starting up the webapps. If your webapp needs to open privileged ports itself, you can configure the SetUIDServer to do the entire startup sequence as the privileged user. Use the | |
| + | "startServerAsPrivileged" option to accomplish this (of course, this will mean that any files created will be owned by the root user, so be sure this is what you want), eg: | ||
| + | <source lang="xml"> | ||
| + | <?xml version="1.0"?> | ||
| + | <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd"> | ||
| + | <Configure id="Server" class="org.mortbay.setuid.SetUIDServer"> | ||
| + | <Set name="umask">UMASK</Set> | ||
| + | <Set name="uid">USERID</Set> | ||
| + | <Set name="startServerAsPrivileged">true</Set> | ||
| + | </Configure> | ||
| + | </source> | ||
| − | + | ===Configuring jetty for setuid=== | |
| − | + | ||
| − | + | The easiest way to do this is to edit the $jetty.home/start.ini file: | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | > | + | * uncomment <tt>--exec</tt> |
| − | > | + | * add <tt>-Djava.library.path=lib/setuid</tt> |
| − | </ | + | * add an option for setuid: <tt>OPTIONS=Server,jsp,jmx,resources,websocket,ext,jta,plus,jdbc,annotations,<b>setuid</b></tt> |
| − | + | * add <tt>etc/jetty-setuid.xml</tt> (or <tt>--pre=etc/jetty-setuid.xml</tt> for Jetty Hightide 7.6.5/8.1.5) as the first file in the configuration file section | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | {{warning|NOTE|You *must* ensure that the <tt>etc/jetty-setuid.xml</tt> (or <tt><nowiki>--pre=etc/jetty-setuid.xml</nowiki></tt> for Jetty Hightide 7.6.5/8.1.5) file is first in the list of config files.}} | |
| − | + | ||
| − | + | ||
| − | + | ||
===Running Jetty as Root User=== | ===Running Jetty as Root User=== | ||
| − | + | Having edited start.ini as advised above, to run jetty as the root user: | |
# Switch to the userid of your choice. | # Switch to the userid of your choice. | ||
| Line 76: | Line 117: | ||
<source lang="bash"> | <source lang="bash"> | ||
| − | sudo java | + | sudo java -jar start.jar |
</source> | </source> | ||
| − | {{ | + | {{note|NOTE|As the setuid feature relies on a native library, if the .so file available on the maven central repo at [http://repo1.maven.org/maven2/org/mortbay/jetty/libsetuid/ jetty-setuid-lib] does not work in your environment, you may need to build it from source. Checkout the git://git.codehaus.org/jetty-project.git repository and modify the jetty-setuid/modules/native/pom.xml as necessary.}} |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== Using xinetd == | == Using xinetd == | ||
| Line 154: | Line 171: | ||
Xinetd is a hugely powerful and configurable system so expect to do some reading. | Xinetd is a hugely powerful and configurable system so expect to do some reading. | ||
| − | |||
== Using the Solaris 10 User Rights Management Framework == | == Using the Solaris 10 User Rights Management Framework == | ||
Latest revision as of 14:50, 23 April 2013
Contents
Introduction
THIS IS NOT THE DOCUMENTATION YOU ARE LOOKING FOR!!!!!
All development and stable releases are being performed with Jetty 9 and Jetty 10.
This wiki is now officially out of date and all content has been moved to the Jetty Documentation Hub
THIS IS NOT THE DOCUMENTATION YOU ARE LOOKING FOR!!!!!
All development and stable releases are being performed with Jetty 9 and Jetty 10.
This wiki is now officially out of date and all content has been moved to the Jetty Documentation Hub
On Unix-based systems, port 80 is protected; typically only the superuser root can open it. For security reasons, it is not desirable to run the server as root. This page presents several options to access port 80 as a non-root user. These include;
Configuring Jetty's SetUID Feature
Using the Solaris 10 User Rights Management Framework
Using ipchains
On some Linux systems you can use the ipchains REDIRECT mechanism to redirect from one port to another inside the kernel (if ipchains is not available, then usually iptables is (see below)):
/sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080
This command instructs the system as follows: "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Be aware that your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed (on RedHat the package is aptly named "ipchains"). You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it.
Once you set up this rule , a Linux 2.2 kernel redirects all data addressed to port 80 to a server such as Jetty running on port 8080.This includes all RedHat 6.x distros. Linux 2.4 kernels, for example, RedHat 7.1+, have a similar "iptables" facility.
Using iptables
On many Linux systems you can use the iptables REDIRECT mechanism to redirect from one port to another inside the kernel (if iptables is not available, then usually ipchains is (see above).
You need to add something like the following to the startup scripts or your firewall rules:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
The underlying model of iptables is different from ipchains, so the forwarding normally happens only to packets originating off-box. You also need to allow incoming packets to port 8080 if you use iptables as a local firewall.
Be careful to place rules like this one early in your input chain. Such rules must precede any rule that accepts the packet, otherwise the redirection won't occur. You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.
Configuring Jetty's SetUID feature
This extension of org.eclipse.jetty.server.Server will make a JNI call to set the unix UID. This can be used to start the server as root so that privileged ports may be accessed and then switch to a non-root user for security.
Obtaining the code
The SetUID feature is among the Jetty 7 modules that remain at Codehaus, and it retains the mortbay.org package naming. It uses the Jetty 7 package modules at Eclipse. Jetty-hightide at Codehaus comes with jetty-setuid compiled and configured.
Alternatively, you can download the necessary files from the maven central repository:
- the setuid class jar is at jetty-setuid-java
- a jar file containing the jetty-setuid.xml file is at jetty-setuid-config
- the native library is at jetty-setuid-lib
- the jna jar is at jna
Copy the jetty-setuid.jar, and the jna jar to $jetty.home/lib/setuid. Also copy the .so file to $jetty.home/lib/setuid, but make sure you rename it "libsetuid.so". Unjar the config jar into $jetty.home.
Creating a Jetty Config File
Create a Jetty config file as follows:
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd"> <Configure id="Server" class="org.mortbay.setuid.SetUIDServer"> <Set name="umask">UMASK</Set> <Set name="uid">USERID</Set> </Configure>
Where you replace:
- UMASK with the umask setting you want the process to have. The umask will be set before the server is started.
- You must enter it in decimal. That is, if you want the effect of umask 022, you must use <Set name="umask">18</Set>.
- If you prefer hexadecimal, enter <Set name="umaskOctal">022</Set>.
- You can remove this line if you don't want to change this at runtime.
- Set it to 002 if you get an error to the effect that root does not have permission to write to the log file.
- USERID with the ID of the user you want the process to execute as once the ports have been opened.
For your convenience, if you downloaded jetty-hightide, you'll find one of these ready made in the $jetty.home/etc/jetty-setuid.xml.
The default behaviour of the SetUIDServer is to only open the Connectors as the privileged user, and then switch down to the non privileged user to do the rest of the startup sequence, including starting up the webapps. If your webapp needs to open privileged ports itself, you can configure the SetUIDServer to do the entire startup sequence as the privileged user. Use the
"startServerAsPrivileged" option to accomplish this (of course, this will mean that any files created will be owned by the root user, so be sure this is what you want), eg:
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/jetty/configure.dtd"> <Configure id="Server" class="org.mortbay.setuid.SetUIDServer"> <Set name="umask">UMASK</Set> <Set name="uid">USERID</Set> <Set name="startServerAsPrivileged">true</Set> </Configure>
Configuring jetty for setuid
The easiest way to do this is to edit the $jetty.home/start.ini file:
- uncomment --exec
- add -Djava.library.path=lib/setuid
- add an option for setuid: OPTIONS=Server,jsp,jmx,resources,websocket,ext,jta,plus,jdbc,annotations,setuid
- add etc/jetty-setuid.xml (or --pre=etc/jetty-setuid.xml for Jetty Hightide 7.6.5/8.1.5) as the first file in the configuration file section
You *must* ensure that the etc/jetty-setuid.xml (or --pre=etc/jetty-setuid.xml for Jetty Hightide 7.6.5/8.1.5) file is first in the list of config files.
Running Jetty as Root User
Having edited start.ini as advised above, to run jetty as the root user:
- Switch to the userid of your choice.
- Optionally set the umask of your choice.
- Enter the following command:
sudo java -jar start.jar
As the setuid feature relies on a native library, if the .so file available on the maven central repo at jetty-setuid-lib does not work in your environment, you may need to build it from source. Checkout the git://git.codehaus.org/jetty-project.git repository and modify the jetty-setuid/modules/native/pom.xml as necessary.
Using xinetd
With modern Linux flavours, inetd has a newer, better big brother xinetd, that you can use to redirect network traffic. Since xinetd is driven by text files, all you need is a text editor. For detailed information, see xinetd.
There are two ways to give xinetd instructions:
- Add a new service to etc/xinetd.conf
- Add a new file to the directory etc/xinetd.d
The format is the same; if you have a look at the file/directory, you will get the picture.
The following entry redirects all inward TCP traffic on port 80 to port 8888 on the local machine. You can also redirect to other machines for gimp proxying:
service my_redirector
{
type = UNLISTED
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
port = 80
redirect = 127.0.0.1 8888
log_type = FILE /tmp/somefile.log
}Caveats
- Space on either side of the '=' or it is ignored.
- type = UNLISTED means that the name of the service does not have to be in /etc/services, but you have to specify port and protocol. If you want to do use an existing service name, for example, http:
service http
{
disable = no
socket_type = stream
user = root
wait = no
redirect = 127.0.0.1 8888
log_type = FILE /tmp/somefile.log
}Have a browse in /etc/services and it will all become clear.
- Logging might present certain security problems, so you might want to leave that out.
- RHEL5 doesn't contain xinetd by default for reasons best known to themselves. yum install xinetd fixes that.
Xinetd is a hugely powerful and configurable system so expect to do some reading.
Using the Solaris 10 User Rights Management Framework
Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:
usermod -K defaultpriv=basic,net_privaddr myself
Now the myself user can bind to port 80.
Refer to the Solaris documentation for more information.