Posted to users@tomcat.apache.org by Markus Schönhaber <ma...@schoenhaber.de> on 2007/08/20 15:19:15 UTC

SSL port number (was: Re: Tomcat SSL/HTTPS Performance vs Apache)

Stephen Caine wrote:

> We use Tomcat SSL without Apache and it has been very stable.  The
> only issue has been the use of port 8443 as some firewalls block access.

Why don't you tell Tomcat to use the port you want it to use - for
example 443?

Regards
  mks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL port number

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Stephen Caine wrote:

>> Stephen Caine wrote:
>>
>>> A simple way to restart Tomcat from a non-root user would be nice.
>> Interesting wish.  A non-root user with the right to control my  
>> system services is approximately the last thing I would want to see.
> 
> Well, if you can set a 'user' option for startup, why not shutdown?

Because it would make no sense.
With the -user option you don't define who may start the jsvc binary but
the account the Java daemon spawned by jsvc will run as.

Regards
  mks



Re: SSL port number

Posted by Stephen Caine <st...@commongrnd.com>.
Markus,

> Stephen Caine wrote:
>
>> A simple way to restart Tomcat from a non-root user would be nice.
>
> Interesting wish.  A non-root user with the right to control my  
> system services is approximately the last thing I would want to see.

Well, if you can set a 'user' option for startup, why not shutdown?

Stephen



Re: SSL port number

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Stephen Caine wrote:

> A simple way to restart Tomcat from a non-root user would be nice.

Interesting wish.
A non-root user with the right to control my system services is
approximately the last thing I would want to see.

Regards
  mks



Re: SSL port number

Posted by Stephen Caine <st...@commongrnd.com>.
Well, since you asked...

> ... or use jsvc which lets Tomcat drop privileges after binding to  
> a privileged port and which is distributed with the Tomcat archives.

> Did you use it?
> did you like it?
> We have no reason but the port to give the tomcat-user any
> privilege (even if only at booting); but I'm always interested in
> improving our installations

A simple way to restart Tomcat from a non-root user would be nice.

Stephen




Re: SSL port number

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Lorenzo Cerini wrote:

> Markus Schönhaber wrote:

>> ... or use jsvc which lets Tomcat drop privileges after binding to a
>> privileged port and which is distributed with the Tomcat archives.
>>   
> Did you use it?
> did you like it?

Yes.
Yes.

> We have no reason but the port to give the tomcat-user any privilege
> (even if only at booting); but I'm always interested in improving our
> installations

Letting Tomcat (or other Java applications) bind to privileged ports
without giving it permanent root rights, is AFAICT the main reason jsvc
exists.
http://commons.apache.org/daemon/index.html

Regards
  mks



Re: SSL port number

Posted by Lorenzo Cerini <lo...@info-era.com>.
Markus Schönhaber wrote:
> Lorenzo Cerini wrote:
>
>> Markus Schönhaber wrote:
>>> Stephen Caine wrote:
>>>
>>>> We use Tomcat SSL without Apache and it has been very stable.  The
>>>> only issue has been the use of port 8443 as some firewalls block access.
>>>
>>> Why don't you tell Tomcat to use the port you want it to use - for
>>
>> You cannot access ports below 1024 with a user other than root on many
>> *nix systems.
>> You need to have a PAT somewhere.
>> Or run tomcat as root (not advisable).
>
> ... or use jsvc which lets Tomcat drop privileges after binding to a
> privileged port and which is distributed with the Tomcat archives.

Did you use it?
did you like it?
We have no reason but the port to give the tomcat-user any privilege
(even if only at booting); but I'm always interested in improving our
installations
L.

> Regards
>   mks


Re: SSL port number

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Lorenzo Cerini wrote:

> Markus Schönhaber wrote:
>> Stephen Caine wrote:
>>
>>> We use Tomcat SSL without Apache and it has been very stable.  The
>>> only issue has been the use of port 8443 as some firewalls block access.
>>
>> Why don't you tell Tomcat to use the port you want it to use - for
>
> You cannot access ports below 1024 with a user other than root on many
> *nix systems.
> You need to have a PAT somewhere.
> Or run tomcat as root (not advisable).

... or use jsvc which lets Tomcat drop privileges after binding to a
privileged port and which is distributed with the Tomcat archives.

Regards
  mks




Re: SSL port number

Posted by David Smith <dn...@cornell.edu>.
The commons-daemon project (better known on this list as jsvc) will 
allow startup as a non-root user and access to ports below 1024.  See 
http://jakarta.apache.org/commons/daemon for details.

--David

Lorenzo Cerini wrote:

> Markus Schönhaber wrote:
>
>> Stephen Caine wrote:
>>
>>> We use Tomcat SSL without Apache and it has been very stable.  The
>>> only issue has been the use of port 8443 as some firewalls block access.
>>
>> Why don't you tell Tomcat to use the port you want it to use - for
>
> You cannot access ports below 1024 with a user other than root on many
> *nix systems.
> You need to have a PAT somewhere.
> Or run tomcat as root (not advisable).
> L.
>
>> example 443?
>>
>> Regards
>>   mks




Re: SSL port number

Posted by Lorenzo Cerini <lo...@info-era.com>.
Markus Schönhaber wrote:
> Stephen Caine wrote:
>
>> We use Tomcat SSL without Apache and it has been very stable.  The
>> only issue has been the use of port 8443 as some firewalls block access.
>
> Why don't you tell Tomcat to use the port you want it to use - for

You cannot access ports below 1024 with a user other than root on many
*nix systems.
You need to have a PAT somewhere.
Or run tomcat as root (not advisable).
L.

> example 443?
>
> Regards
>   mks




Re: SSL port number

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Stephen Caine wrote:

> I previously posted a question about port redirection which was  
> answered.  I was referring to that previous post.

Well, there seems to be something wrong with my crystal ball. I'll have
to get this damned thing checked ;-)


Regards
  mks



Re: SSL port number (was: Re: Tomcat SSL/HTTPS Performance vs Apache)

Posted by Stephen Caine <st...@commongrnd.com>.
Markus,

I previously posted a question about port redirection which was  
answered.  I was referring to that previous post.

Stephen
>
>> We use Tomcat SSL without Apache and it has been very stable.  The
>> only issue has been the use of port 8443 as some firewalls block
>> access.
>
> Why don't you tell Tomcat to use the port you want it to use - for
> example 443?
