Posted to users@tomcat.apache.org by "Cheltenham, Chris" <cc...@philasd.org> on 2018/03/02 14:08:26 UTC

tomcat 8.5.28


Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully; however, I have to bind the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?

There are several options.

Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

CentOS 7 by the way -

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Thanks Andre.

People have nothing better to do I suppose.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
Sent: Friday, March 2, 2018 9:49 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28

On 02.03.2018 15:41, Cheltenham, Chris wrote:
> Mark,
>
> Can you elaborate on what is going on there?
> What trolls?
> I don’t know what that means.

See : https://en.wikipedia.org/wiki/Internet_troll

>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, March 2, 2018 9:39 AM
> To: Tomcat Users List <us...@tomcat.apache.org>; Olaf Kock
> <to...@olafkock.de>
> Subject: Re: tomcat 8.5.28
>
> On 02/03/18 14:30, Olaf Kock wrote:
>>
>>
>> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>>> What?
>>
>> don't feed the trolls ;)
>
> Better still, unsubscribe them :)
>
> Just a reminder to everyone that the list does have moderators and we
> can be reached directly at users-owner@... should you need our help.
>
> I have unsubscribed this particular user.
>
> Mark
>
>
>>
>>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
>>> Sent: Friday, March 02, 2018 9:08 AM
>>> To: 'Tomcat Users List' <us...@tomcat.apache.org>
>>> Subject: tomcat 8.5.28
>>>
>>> Hello,
>>>
>>> Has anyone set up tomcat as a non-root use?
>>>
>>> I have set it up successfully however, I have to bound the non-root
>>> user to port 8443.
>>>
>>> What is the best way to reroute 8443 through 443?
>>> There are several options.
>>> Everything is set up at send to port 443 so I need to reroute 8443
>>> in and out of 443
>>>
>>> CentOS 7 by the way -
>> "what is the best (TM)?"
>> -> "It depends"
>>
>> Tomcat runs well on unprivileged ports, and depending on your OS,
>> familiarity with configuring it, other infrastructure etc, you have
>> different options. Are you familiar with them - as you mention that
>> there are many?
>>
>> You can
>> * use iptables redirection,
>> * have a proxy/webserver/loadbalancer in front,
>> * enable unprivileged binding to the port
>>
>> I default to the second option, because there's an Apache httpd or
>> another loadbalancer anyways, and it tended to be best documented
>> with regards to all of the specific SSL settings you might want to
>> have (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>>
>> The others are valid as well - none is better, they're just different.
>>
>> As we were discussing documentation in another thread these days:
>> I've expected to find a solution to your question in the FAQ and
>> wanted to link to it - but didn't find any entry there. There's a
>> patch to go on my list, with no ETA though. Maybe a side-task during
>> that Manchester Tomcat training.
>>
>> Olaf
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
>




Re: tomcat 8.5.28

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 02.03.2018 15:41, Cheltenham, Chris wrote:
> Mark,
>
> Can you elaborate on what is going on there?
> What trolls?
> I don’t know what that means.

See : https://en.wikipedia.org/wiki/Internet_troll

>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, March 2, 2018 9:39 AM
> To: Tomcat Users List <us...@tomcat.apache.org>; Olaf Kock
> <to...@olafkock.de>
> Subject: Re: tomcat 8.5.28
>
> On 02/03/18 14:30, Olaf Kock wrote:
>>
>>
>> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>>> What?
>>
>> don't feed the trolls ;)
>
> Better still, unsubscribe them :)
>
> Just a reminder to everyone that the list does have moderators and we can be
> reached directly at users-owner@... should you need our help.
>
> I have unsubscribed this particular user.
>
> Mark
>
>
>>
>>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
>>> Sent: Friday, March 02, 2018 9:08 AM
>>> To: 'Tomcat Users List' <us...@tomcat.apache.org>
>>> Subject: tomcat 8.5.28
>>>
>>> Hello,
>>>
>>> Has anyone set up tomcat as a non-root use?
>>>
>>> I have set it up successfully however, I have to bound the non-root
>>> user to port 8443.
>>>
>>> What is the best way to reroute 8443 through 443?
>>> There are several options.
>>> Everything is set up at send to port 443 so I need to reroute 8443 in
>>> and out of 443
>>>
>>> CentOS 7 by the way -
>> "what is the best (TM)?"
>> -> "It depends"
>>
>> Tomcat runs well on unprivileged ports, and depending on your OS,
>> familiarity with configuring it, other infrastructure etc, you have
>> different options. Are you familiar with them - as you mention that
>> there are many?
>>
>> You can
>> * use iptables redirection,
>> * have a proxy/webserver/loadbalancer in front,
>> * enable unprivileged binding to the port
>>
>> I default to the second option, because there's an Apache httpd or
>> another loadbalancer anyways, and it tended to be best documented with
>> regards to all of the specific SSL settings you might want to have
>> (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>>
>> The others are valid as well - none is better, they're just different.
>>
>> As we were discussing documentation in another thread these days: I've
>> expected to find a solution to your question in the FAQ and wanted to
>> link to it - but didn't find any entry there. There's a patch to go on
>> my list, with no ETA though. Maybe a side-task during that Manchester
>> Tomcat training.
>>
>> Olaf
>>
>>
>>
>>
>>
>>




RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Mark,

Can you elaborate on what is going on there?
What trolls?
I don’t know what that means.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Friday, March 2, 2018 9:39 AM
To: Tomcat Users List <us...@tomcat.apache.org>; Olaf Kock 
<to...@olafkock.de>
Subject: Re: tomcat 8.5.28

On 02/03/18 14:30, Olaf Kock wrote:
>
>
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
>
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we can be 
reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


>
>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' <us...@tomcat.apache.org>
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in
>> and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
>
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have
> (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>
> The others are valid as well - none is better, they're just different.
>
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
>
> Olaf
>
>
>
>
>
>
>




Re: tomcat 8.5.28

Posted by Mark Thomas <ma...@apache.org>.
On 02/03/18 14:30, Olaf Kock wrote:
> 
> 
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
> 
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we
can be reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


> 
>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' <us...@tomcat.apache.org>
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root user
>> to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in and
>> out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
> 
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
> 
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have (the
> cipher-cocktail of the day), plus easily get LetsEncrypt certs.
> 
> The others are valid as well - none is better, they're just different.
> 
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
> 
> Olaf
> 
> 
> 
> 
> 
> 
> 




RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Thank You Sir.

I will go through the wiki and try it out.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Friday, March 2, 2018 11:55 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28

Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM To: 'Tomcat Users List'
>> <us...@tomcat.apache.org> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443? There are several
>> options. Everything is set up at send to port 443 so I need to
>> reroute 8443 in and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can * use iptables redirection, * have a
> proxy/webserver/loadbalancer in front, * enable unprivileged binding
> to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone doing 
anything in the "real world" do the same), so I don't need such things, but 
I think I'd probably want to use jsvc for this purpose because it's fairly 
self-contained PLUS you get the auto-restart capabilities should you want 
them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task during
> that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can find 
it.

We should probably roll some of this stuff into the user's guide so it's in 
a better place. The Wiki is ... not a great place to put things IMO.

-chris



Re: tomcat 8.5.28

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org] 
>> Sent: Friday, March 02, 2018 9:08 AM To: 'Tomcat Users List'
>> <us...@tomcat.apache.org> Subject: tomcat 8.5.28
>> 
>> Hello,
>> 
>> Has anyone set up tomcat as a non-root use?
>> 
>> I have set it up successfully however, I have to bound the
>> non-root user to port 8443.
>> 
>> What is the best way to reroute 8443 through 443? There are
>> several options. Everything is set up at send to port 443 so I
>> need to reroute 8443 in and out of 443
>> 
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS, 
> familiarity with configuring it, other infrastructure etc, you
> have different options. Are you familiar with them - as you mention
> that there are many?
> 
> You can * use iptables redirection, * have a
> proxy/webserver/loadbalancer in front, * enable unprivileged
> binding to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone
doing anything in the "real world" do the same), so I don't need such
things, but I think I'd probably want to use jsvc for this purpose
because it's fairly self-contained PLUS you get the auto-restart
capabilities should you want them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task
> during that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can
find it.

We should probably roll some of this stuff into the user's guide so
it's in a better place. The Wiki is ... not a great place to put
things IMO.

-chris



Re: tomcat 8.5.28

Posted by Olaf Kock <to...@olafkock.de>.

On 02.03.2018 15:22, Cheltenham, Chris wrote:
> What?

don't feed the trolls ;)

> From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
> Sent: Friday, March 02, 2018 9:08 AM
> To: 'Tomcat Users List' <us...@tomcat.apache.org>
> Subject: tomcat 8.5.28
>
> Hello,
>
> Has anyone set up tomcat as a non-root use?
>
> I have set it up successfully however, I have to bound the non-root user
> to port 8443.
>
> What is the best way to reroute 8443 through 443?
> There are several options.
> Everything is set up at send to port 443 so I need to reroute 8443 in and
> out of 443
>
> CentOS 7 by the way -
"what is the best (TM)?"
-> "It depends"

Tomcat runs well on unprivileged ports, and depending on your OS, 
familiarity with configuring it, other infrastructure etc, you have 
different options. Are you familiar with them - as you mention that 
there are many?

You can
* use iptables redirection,
* have a proxy/webserver/loadbalancer in front,
* enable unprivileged binding to the port

I default to the second option, because there's an Apache httpd or 
another loadbalancer anyways, and it tended to be best documented with 
regards to all of the specific SSL settings you might want to have (the 
cipher-cocktail of the day), plus easily get LetsEncrypt certs.

The others are valid as well - none is better, they're just different.

As we were discussing documentation in another thread these days: I've 
expected to find a solution to your question in the FAQ and wanted to 
link to it - but didn't find any entry there. There's a patch to go on 
my list, with no ETA though. Maybe a side-task during that Manchester 
Tomcat training.

Olaf








RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
What?

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-----Original Message-----
From: THOMAS, NEFERTA C [mailto:nt1698@att.com] 
Sent: Friday, March 2, 2018 9:16 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Cc: ccheltenham-ext@philasd.org
Subject: RE: tomcat 8.5.28

Please paused on all your attempts none of this sounds above board so many
issues and no one has a point of contact to talk to or  whom to  I should
go to please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' <us...@tomcat.apache.org>
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

CentOS 7 by the way -


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



RE: tomcat 8.5.28

Posted by "THOMAS, NEFERTA C" <nt...@att.com>.
Please paused on all your attempts none of this sounds above board so many issues and no one has a point of contact to talk to or  whom to  I should go to please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' <us...@tomcat.apache.org>
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root user to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and out of 443

CentOS 7 by the way -


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
All,

I am not sure is this out of scope with Tomcat's policies?


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
Sent: Friday, March 2, 2018 10:43 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: tomcat 8.5.28

Thanks my friend, I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]#

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Johan Compagner [mailto:jcompagner@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris <cc...@philasd.org>
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy



RE: tomcat 8.5.28

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Thanks my friend, I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]#

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Johan Compagner [mailto:jcompagner@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris <cc...@philasd.org>
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy



Re: tomcat 8.5.28

Posted by Johan Compagner <jc...@servoy.com>.
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris <cc...@philasd.org>
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root user
> to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in and
> out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



-- 
Johan Compagner
Servoy
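
Added example (not part of the thread or of any poster's message): nat PREROUTING is only traversed by packets arriving from the network, so a curl run on the Tomcat host itself goes through nat OUTPUT and never sees the 443 -> 8443 rule. Assuming the refused curl earlier on this page was run on that host (the thread does not say), the script below classifies an iptables-save dump by which clients the redirect covers, and flags an OUTPUT rule that is not limited to the host's own traffic. The function names and sample dumps are constructed for illustration.

```shell
#!/usr/bin/env bash
# redirect_coverage FROM_PORT TO_PORT   (reads `iptables-save` output on stdin)
# Prints "remote=<yes|no> local=<no|scoped|unscoped>":
#   remote   - nat PREROUTING redirects FROM_PORT for clients on the network
#   local    - nat OUTPUT redirects it for connections made on the host itself
#   unscoped - the OUTPUT rule has no "-o lo" / "-d ADDR", so it would also
#              capture the host's own outbound connections to FROM_PORT
redirect_coverage() {
    awk -v from="$1" -v to="$2" '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter", ...
        table != "nat" || $1 != "-A" { next }        # only rules in the nat table
        {
            chain = $2; dport = ""; toport = ""; target = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")    dport  = $(i + 1)
                if ($i == "--to-ports") toport = $(i + 1)
                if ($i == "-j")         target = $(i + 1)
                # -o lo or -d ADDR limits an OUTPUT rule to traffic for this host
                if ($i == "-d" || ($i == "-o" && $(i + 1) == "lo")) scoped = 1
            }
            if (target != "REDIRECT" || dport != from || toport != to) next
            if (chain == "PREROUTING") remote = "yes"
            if (chain == "OUTPUT") {
                if (!scoped) local_cov = "unscoped"  # the worse finding wins
                else if (local_cov == "") local_cov = "scoped"
            }
        }
        END {
            printf "remote=%s local=%s\n", (remote ? remote : "no"), (local_cov ? local_cov : "no")
        }'
}

# Constructed sample: nat table as iptables-save prints it after the single
# PREROUTING rule from the thread, plus any extra rules passed as arguments.
nat_dump() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443' \
        "$@" 'COMMIT'
}

# State described in the thread: remote clients are redirected, a local curl is not.
nat_dump | redirect_coverage 443 8443

# An OUTPUT rule without a scope also redirects the host's outbound HTTPS.
nat_dump '-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443' \
    | redirect_coverage 443 8443

# Scoped to loopback-routed traffic, i.e. connections to the host's own addresses:
#   iptables -t nat -I OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8443
nat_dump '-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443' \
    | redirect_coverage 443 8443

# On a real host (as root): iptables-save | redirect_coverage 443 8443
```

After the redirect the packet reaches the filter INPUT chain with destination port 8443, so any ACCEPT rule there has to name 8443 rather than 443.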