tomcat on port 80?

 
John Mercier
Greenhorn
Is there a standard way to run tomcat on port 80 in Red Hat Enterprise Linux? We currently have an iptables rule that redirects 80 to port 8080. The service can be opened from port 80 and 8080. Somehow this is more secure... Is this common? Is there a better way? Could the tomcat user be given permission to open port 80 instead?
 
Campbell Ritchie
Marshal
I searched for it and found several hits. Here are two: 1 2. I shall leave it to you to work out whether the two links have identical contents; they looked the same in the preview text. A couple more hits: 3 4. I hope they are of some help.
 
Tim Holloway
Saloon Keeper
I clicked on the links and it took me to DuckDuckGo pages. Which tells me that Campbell is paranoid in these NSA-infested times. Unfortunately, DDG didn't forward to the actual articles.

However.

You CAN run Tomcat natively on Port 80. However, since any port below 4096 requires that the app listening on it be running privileged (root), that means that the entire Tomcat server and all its apps are a potential security risk.

There's also a wrapper program that's designed to do for Tomcat what Apache does for itself - start as root, open port 80, then run Tomcat under normal user context. It's available from the Tomcat download site.

Normally, I don't have Tomcat wired directly to port 80, since my services are more complex than just J2EE. So instead I have a reverse proxy fronting it. I had been using Apache for that, but recently moved to Nginx, which is easier to set up for such things. My front-line servers are now nginx and they bounce stuff to Apache, Tomcat and whatever other web servers I want to employ on the backend, doing any port and/or URL translations I need.

There's nothing wrong with using iptables as a minimal-overhead reverse proxy. I was doing that as well until I needed URL-sensitive routing of requests. The real security risk would be in running as root. The only difference that port translation makes is that attackers tend to home in on well-known service ports, but that's true for everything you expose on the Internet.
 
Andrew Polansky
Ranch Hand
John Mercier wrote: Could the tomcat user be given permission to open port 80 instead?

You can use authbind to allow the Tomcat user to bind to port 80.

1. Install authbind
2. # touch /etc/authbind/byport/80
3. # chown tomcat_user:tomcat_group /etc/authbind/byport/80
4. # chmod 755 /etc/authbind/byport/80
5. Modify the startup script to use authbind.

For point 5, here is an example. However, from distro to distro, the startup script may look different, but you should get an idea of how to do this:
ORIGINAL CODE: exec "$PRGDIR"/"$EXECUTABLE" start "$@"
AUTHBIND CODE: exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
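The five steps above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the authbind or Tomcat projects. It assumes authbind is already installed and that its per-port directory is /etc/authbind/byport (overridable through AUTHBIND_DIR so the checks can be exercised against a scratch directory without root); the account and group names are whatever your distro uses for Tomcat. Steps 2 to 4 (touch, chown, chmod) live in setup_authbind_port and must run as root; check_authbind_port applies the same test authbind itself applies, namely that the invoking user can execute the per-port file, so it can be run as the Tomcat user before changing the startup script to catch a wrong owner or mode early.

```shell
#!/bin/sh
# Added example: create and verify an authbind per-port permission file so an
# unprivileged Tomcat user can bind a port below 1024.
# Assumption: authbind's per-port directory is /etc/authbind/byport unless
# AUTHBIND_DIR is set in the environment (the tests point it at a temp dir).
set -u

AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind/byport}"

# Steps 2-4 of the procedure: touch, chown, chmod the per-port file.
# Must run as root on a real system. Arguments: port, user, group.
setup_authbind_port() {
    port="$1"; user="$2"; group="$3"
    f="$AUTHBIND_DIR/$port"
    mkdir -p "$AUTHBIND_DIR" || return 1
    : > "$f" || return 1                 # equivalent of 'touch'
    chown "$user:$group" "$f" || return 1
    chmod 755 "$f" || return 1
    return 0
}

# Verify the setup from the point of view of the *invoking* user: run this
# as the Tomcat account. authbind grants the bind if the byport file exists
# and is executable by the caller, so those are the two conditions tested.
# Returns 0 when the port can be bound, 1 when the file is missing or not
# executable, 2 when the port is >= 1024 (authbind is not needed there).
check_authbind_port() {
    port="$1"
    f="$AUTHBIND_DIR/$port"
    if [ "$port" -ge 1024 ]; then
        echo "port $port is unprivileged; authbind not needed" >&2
        return 2
    fi
    if [ ! -e "$f" ]; then
        echo "missing $f: run setup_authbind_port as root" >&2
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "$f is not executable by $(id -un): check owner and mode" >&2
        return 1
    fi
    return 0
}

# Typical use on a real host (commented out so the script is safe to source):
#   setup_authbind_port 80 tomcat tomcat      # as root
#   su -s /bin/sh tomcat -c '. ./this.sh; check_authbind_port 80'
```

After the check passes, step 5 is the one-line change Andrew shows: prefix the exec in the startup script with `authbind --deep`. The `--deep` flag matters because the script execs a `java` child process, and without it only the shell itself, not the JVM that actually calls bind(), would be covered.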
 