Posted to users@tomcat.apache.org by "Cheltenham, Chris" <cc...@philasd.org> on 2018/03/13 17:26:19 UTC

Binding a non root user to port 443


Hello Everyone,

 

Is there a way to redirect ports 80 and 443 to 8443?

I have a non root user but I cannot use CentOS firewalld nor iptables.

 

I have tried these things.

 

<Connector port="443" protocol="HTTP/1.1"
           enableLookups="false"
           redirectPort="8443" />

 

But it still fails.

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Thanks Chris, I don't know what that is, JSVC.

I will look into it.



===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, March 13, 2018 2:03 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Binding a non root user to port 443


Chris,

On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
> Is there a way to redirect ports 80 and 443 to 8443?
>
> I have a non root user but I cannot use CentOS firewalld nor iptables.

How about authbind?

> I have tried these things.
>
> <Connector port="443" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="8443" />

The redirectPort here is useless (it's for redirecting non-secure traffic to 
a secure port). Here, you are already secure (and redirecting to 8443 won't 
go anywhere). Just remove the attribute.

> But it still fails.

This will fail on most *NIXs because non-root can't bind to ports below 
1024.

Are you able to run jsvc? It will allow you to bind to ports and then drop 
privileges.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Thank You Olaf 

=========================== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571

----- Original Message -----
From: "Olaf Kock" <to...@olafkock.de>
To: "users" <us...@tomcat.apache.org>
Sent: Friday, March 16, 2018 7:21:26 AM
Subject: Re: Binding a non root user to port 443

Chris,


On 15.03.2018 13:34, Cheltenham, Chris wrote:
> Andre,
>
> You probably missed where I had mentioned the infrastructure group poo poo'd
> altering iptables for whatever reason.
>
> Here is what I think are my 5 best choices for running tomcat as a non root
> user on a privileged port.
>
> 1) redirect 443 to 8443 on the load balancer. VIP side.
>
> 2) iptables
>
> 3) jsvc
>
> 4) authbind
>
> 5) set cap
>
> I do NOT have control of the VIP so I can only make suggestions based on
> what I have control of.

I don't understand. I always make suggestions for areas that I don't 
have control of. It'd be frightening if I didn't, because that would 
mean that I'd control too much. IMHO 1 is the best point: The 
loadbalancer balances something anyway - you'd just document the 
application it should balance and the ports it should be available 
under. You probably can't tell them they need to bind another port than 
443 /on their frontend/, but you should certainly be able to tell them 
where your application lives that they should connect to in the backend. 
That's a configuration they'd have to make anyway and I hope they'd not 
be opposed to entering a port number.
> Therefore, the latter three are what I am looking into.
>
> I do not like set cap because it opens up ALL the privileged ports to a
> binary, such as java or http.
> Authbind is an install of a potentially buggy or unsecure software.

another reason for 1...

> I am not really sure how my post warranted so much attention but I
> appreciate it.

well, you posted a question, gave the background - that's what this list 
is for.

Olaf



Re: Binding a non root user to port 443

Posted by Olaf Kock <to...@olafkock.de>.
Chris,


On 15.03.2018 13:34, Cheltenham, Chris wrote:
> Andre,
>
> You probably missed where I had mentioned the infrastructure group poo poo'd
> altering iptables for whatever reason.
>
> Here is what I think are my 5 best choices for running tomcat as a non root
> user on a privileged port.
>
> 1) redirect 443 to 8443 on the load balancer. VIP side.
>
> 2) iptables
>
> 3) jsvc
>
> 4) authbind
>
> 5) set cap
>
> I do NOT have control of the VIP so I can only make suggestions based on
> what I have control of.

I don't understand. I always make suggestions for areas that I don't 
have control of. It'd be frightening if I didn't, because that would 
mean that I'd control too much. IMHO 1 is the best point: The 
loadbalancer balances something anyway - you'd just document the 
application it should balance and the ports it should be available 
under. You probably can't tell them they need to bind another port than 
443 /on their frontend/, but you should certainly be able to tell them 
where your application lives that they should connect to in the backend. 
That's a configuration they'd have to make anyway and I hope they'd not 
be opposed to entering a port number.
> Therefore, the latter three are what I am looking into.
>
> I do not like set cap because it opens up ALL the privileged ports to a
> binary, such as java or http.
> Authbind is an install of a potentially buggy or unsecure software.

another reason for 1...

> I am not really sure how my post warranted so much attention but I
> appreciate it.

well, you posted a question, gave the background - that's what this list 
is for.

Olaf



RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Andre,

You probably missed where I had mentioned the infrastructure group poo poo'd 
altering iptables for whatever reason.

Here is what I think are my 5 best choices for running tomcat as a non root 
user on a privileged port.

1) redirect 443 to 8443 on the load balancer. VIP side.

2) iptables

3) jsvc

4) authbind

5) set cap

I do NOT have control of the VIP so I can only make suggestions based on 
what I have control of.

Therefore, the latter three are what I am looking into.

I do not like set cap because it opens up ALL the privileged ports to a 
binary, such as java or http.
Authbind is an install of a potentially buggy or unsecure software.

I am not really sure how my post warranted so much attention but I 
appreciate it.

Thanks


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
Sent: Wednesday, March 14, 2018 6:45 PM
To: users@tomcat.apache.org
Subject: Re: Binding a non root user to port 443

Hi.

On 14.03.2018 18:21, Cheltenham, Chris wrote:
> Ok , I thank you guys for being so helpful.
> I would never expect that.
>

Speaking as a user myself, I would not be so surprised. This list is quite 
exceptional in terms of the general quality of the people trying to answer 
user questions, and in terms of the general quality of the answers 
themselves.  The contributors here, in general, will try to respond as well 
as they can, and to really help resolving user issues to the best of their 
abilities, even when they do not strictly concern tomcat per se (like your 
issue).

(Full disclosure : I am occasionally one of these guys, although my own 
qualifications pale somewhat in comparison to most of the others.)

As for the help supplicant, there are only a few rules, and they are listed 
here :
http://tomcat.apache.org/lists.html#tomcat-users

> Basically I have tomcat running on port 8443 as user tomcat.
> I am trying to find ways to redirect them to 443 WITHOUT using
> iptables or the firewall or the load balancer.
> I have no control over any of those tools and I cannot use a reverse
> proxy either because I do not have control of apache.
>
> I think that leaves me basically with authbind or set cap, locally.
>
> However, I cannot get either to work.
>
> Set cap seemed easiest.
>
> You start the tomcat server and then I ran this
> setcap cap_net_bind_service=+ep /opt/jdk1.8.0_161/jre/bin/java
>
> So now what?
>
> How does it know to bind java process to 443?
> $netstat -an says 443 is not open and it does not work using curl.
>
> That is where I am right now.
>

What we cannot do here is resolving organisational issues within your work 
environment.

Without entering into the reasons why you cannot ask whoever is responsible 
for whatever is in front of tomcat to really help you and direct these 
client calls to port 8443 of your server (although that would in principle 
be the kind of thing for which they are paid), I am wondering why you do not 
try the iptables method outlined at :
  https://wiki.apache.org/httpd/NonRootPortBinding
  -> Alternative method (iptables/linux): NAT

If you can run the setcap command, it means that you have root access to 
your server, so you can run the iptables command also. And it seems simpler 
(and with less side-effects) than any of the other methods, in this case.

(On the other hand, if you do not have root access, then pretty much any 
command or utility that would allow you to redirect port 443 to something 
else, will not be accessible to you either; because if you could do that, 
then what would be the point of protecting these lower ports ?).

I just tried this (as root) on a Linux Debian server, which is running 
tomcat on its default HTTP port 8080 :

# iptables -t nat -A PREROUTING -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type LOCAL -j DNAT --to-destination 127.0.0.1:8080
# iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type LOCAL -j DNAT --to-destination 127.0.0.1:8080

and then, *from the same host*, I can access "http://localhost:500/" and get 
the tomcat default welcome page, without changing the Tomcat configuration.

(In the above, I just used the origin port 500, because it is below 1024, 
and happened to be unused on my server.)

To make this work in your case and from outside the host itself,
- replace all "127.0.0.1" above, by the external IP address of your server 
(which you can see via "ipconfig -a")
- replace all "500" by "443"
- replace all "8080" by "8443"

As per above, these rules are temporary and will not survive a system 
reboot.
However, if you do a "man iptables", you should find somewhere the way to 
make these rules persistent. (Or search Google for "make iptables 
permanent").

tips :
- to see if these rules have "stuck", use the command "iptables -L -t 
dnat -n"
- to delete the above rules, use exactly the same command as for setting 
them, but change the "-A" into "-D"
- rules implemented via iptables will not be visible when you do 
"netstat -pan --tcp | grep LISTEN", because there is not really any process 
listening on the port which you redirect in that way. iptables works at a 
lower level, modifying the ip packets themselves as they enter and exit your 
system. tomcat still listens on its original port, and still thinks it is 
reading from and writing to that same port (kind of).
You may also have to be careful that your application is never sending back 
to the clients, a link which would contain the port :8443, or that would 
seriously confuse everything.

And again, if you do not have root access to your tomcat host, AND you 
cannot get help from the people managing whatever is in front of your 
server, then you are in an impossible situation, and you should probably 
report this to your managers and ask them for help.
In French we say : "à l'impossible, nul n'est tenu"


>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -----Original Message-----
> From: Olaf Kock [mailto:tomcat@olafkock.de]
> Sent: Wednesday, March 14, 2018 11:59 AM
> To: users@tomcat.apache.org
> Subject: Re: Binding a non root user to port 443
>
>
> On 14.03.2018 16:02, Cheltenham, Chris wrote:
>> Chris,
>>
>> I am kind of lost. I am not sure what you guys are asking.
>> If I asked the same thing twice its because whatever was sent by
>> someone else other than you did not work or I cannot use.
>
> well, I'm also lost. It would help to know what didn't work for you
> and, if possible, why. It doesn't help anyone if we're giving the same
> answers again, not knowing any of the aspects that need to be changed,
> or anything about what you can't use.
>
> Olaf
>
>
>




Re: Binding a non root user to port 443

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hi.

On 14.03.2018 18:21, Cheltenham, Chris wrote:
> Ok , I thank you guys for being so helpful.
> I would never expect that.
>

Speaking as a user myself, I would not be so surprised. This list is quite exceptional in 
terms of the general quality of the people trying to answer user questions, and in terms 
of the general quality of the answers themselves.  The contributors here, in general, will 
try to respond as well as they can, and to really help resolving user issues to the best 
of their abilities, even when they do not strictly concern tomcat per se (like your issue).

(Full disclosure : I am occasionally one of these guys, although my own qualifications 
pale somewhat in comparison to most of the others.)

As for the help supplicant, there are only a few rules, and they are listed here :
http://tomcat.apache.org/lists.html#tomcat-users

> Basically I have tomcat running on port 8443 as user tomcat.
> I am trying to find ways to redirect them to 443 WITHOUT using iptables or
> the firewall or the load balancer.
> I have no control over any of those tools and I cannot use a reverse proxy
> either because I do not have control of apache.
>
> I think that leaves me basically with authbind or set cap, locally.
>
> However, I cannot get either to work.
>
> Set cap seemed easiest.
>
> You start the tomcat server and then I ran this
> setcap cap_net_bind_service=+ep /opt/jdk1.8.0_161/jre/bin/java
>
> So now what?
>
> How does it know to bind java process to 443?
> $netstat -an says 443 is not open and it does not work using curl.
>
> That is where I am right now.
>

What we cannot do here is resolving organisational issues within your work environment.

Without entering into the reasons why you cannot ask whoever is responsible for whatever 
is in front of tomcat to really help you and direct these client calls to port 8443 of 
your server (although that would in principle be the kind of thing for which they are paid), 
I am wondering why you do not try the iptables method outlined at :
  https://wiki.apache.org/httpd/NonRootPortBinding
  -> Alternative method (iptables/linux): NAT

If you can run the setcap command, it means that you have root access to your server, so 
you can run the iptables command also. And it seems simpler (and with less side-effects) 
than any of the other methods, in this case.

(On the other hand, if you do not have root access, then pretty much any command or 
utility that would allow you to redirect port 443 to something else, will not be 
accessible to you either; because if you could do that, then what would be the point of 
protecting these lower ports ?).

I just tried this (as root) on a Linux Debian server, which is running tomcat on its 
default HTTP port 8080 :

# iptables -t nat -A PREROUTING -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type 
LOCAL -j DNAT --to-destination 127.0.0.1:8080
# iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type LOCAL 
-j DNAT --to-destination 127.0.0.1:8080

and then, *from the same host*, I can access "http://localhost:500/" and get the tomcat 
default welcome page, without changing the Tomcat configuration.

(In the above, I just used the origin port 500, because it is below 1024, and happened to 
be unused on my server.)

To make this work in your case and from outside the host itself,
- replace all "127.0.0.1" above, by the external IP address of your server (which you can 
see via "ipconfig -a")
- replace all "500" by "443"
- replace all "8080" by "8443"

As per above, these rules are temporary and will not survive a system reboot.
However, if you do a "man iptables", you should find somewhere the way to make these rules 
persistent. (Or search Google for "make iptables permanent").

tips :
- to see if these rules have "stuck", use the command "iptables -L -t dnat -n"
- to delete the above rules, use exactly the same command as for setting them, but change 
the "-A" into "-D"
- rules implemented via iptables will not be visible when you do "netstat -pan --tcp | 
grep LISTEN", because there is not really any process listening on the port which you 
redirect in that way. iptables works at a lower level, modifying the ip packets themselves 
as they enter and exit your system. tomcat still listens on its original port, and still 
thinks it is reading from and writing to that same port (kind of).
You may also have to be careful that your application is never sending back to the 
clients, a link which would contain the port :8443, or that would seriously confuse 
everything.

And again, if you do not have root access to your tomcat host, AND you cannot get help 
from the people managing whatever is in front of your server, then you are in an 
impossible situation, and you should probably report this to your managers and ask them 
for help.
In French we say : "à l'impossible, nul n'est tenu"


>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -----Original Message-----
> From: Olaf Kock [mailto:tomcat@olafkock.de]
> Sent: Wednesday, March 14, 2018 11:59 AM
> To: users@tomcat.apache.org
> Subject: Re: Binding a non root user to port 443
>
>
> On 14.03.2018 16:02, Cheltenham, Chris wrote:
>> Chris,
>>
>> I am kind of lost. I am not sure what you guys are asking.
>> If I asked the same thing twice its because whatever was sent by
>> someone else other than you did not work or I cannot use.
>
> well, I'm also lost. It would help to know what didn't work for you and, if
> possible, why. It doesn't help anyone if we're giving the same answers
> again, not knowing any of the aspects that need to be changed, or anything
> about what you can't use.
>
> Olaf
>
>
>


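A small POSIX-sh helper around the iptables NAT redirect André walks through above, added here as an example; it is not code from the thread or from the Tomcat project. It turns the three "replace all" substitutions into parameters, derives the delete command from the add command by swapping -A for -D as the tips describe, and checks a listing from `iptables -t nat -S` for the rule, because, as the post notes, netstat will show nothing listening on the redirected port. The address 203.0.113.10 and the sample listing are constructed values, not output captured from a real server.

```shell
#!/bin/sh
# Added example (not the thread's or Tomcat's own code): helpers for the
# iptables DNAT redirect of a privileged port to Tomcat's real listen port.
# Assumptions: the host's external address and both ports are passed in.

# Print the two rule commands, PREROUTING for traffic arriving from outside
# and OUTPUT for connections made on the host itself. ACTION is -A to add
# or -D to delete; per the thread's tip the delete command is identical
# apart from that flag, so both come from one template and cannot drift.
dnat_rules() {
    action=$1 addr=$2 from=$3 to=$4
    for chain in PREROUTING OUTPUT; do
        printf 'iptables -t nat %s %s -d %s -p tcp --dport %s -m addrtype --dst-type LOCAL -j DNAT --to-destination %s:%s\n' \
            "$action" "$chain" "$addr" "$from" "$addr" "$to"
    done
}

# Read "iptables -t nat -S" output on stdin and report whether a DNAT from
# port FROM to ADDR:TO is installed (exit 0 if present, 1 if not). The -S
# listing prints the address as a /32 and inserts "-m tcp", so only the
# stable parts of the rule are matched.
dnat_present() {
    from=$1 addr=$2 to=$3
    grep -q -- "--dport $from .*-j DNAT --to-destination $addr:$to"
}

# Count the rules on stdin that redirect to ADDR:TO. 2 means both chains
# are covered; 1 means only one of PREROUTING/OUTPUT was applied, which is
# the usual reason a redirect works from outside but not from localhost
# (or the other way round).
dnat_rule_count() {
    addr=$1 to=$2
    grep -c -- "-j DNAT --to-destination $addr:$to" || true
}

# Constructed sample of "iptables -t nat -S" after only the PREROUTING rule
# was added. This is made-up data for demonstration, not a captured listing.
sample_nat_listing() {
    cat <<'EOF'
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m addrtype --dst-type LOCAL -j DNAT --to-destination 203.0.113.10:8443
EOF
}
```

To apply on a real host, run `dnat_rules -A <external-ip> 443 8443 | sudo sh`; the same line with -D removes the rules again. `iptables -t nat -S | dnat_present 443 <external-ip> 8443 && echo "redirect active"` confirms the rule is in place. As the post says, the rules still do not survive a reboot; persisting them is a separate step.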


RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Ok , I thank you guys for being so helpful.
I would never expect that.

Basically I have tomcat running on port 8443 as user tomcat.
I am trying to find ways to redirect them to 443 WITHOUT using iptables or 
the firewall or the load balancer.
I have no control over any of those tools and I cannot use a reverse proxy 
either because I do not have control of apache.

I think that leaves me basically with authbind or set cap, locally.

However, I cannot get either to work.

Set cap seemed easiest.

You start the tomcat server and then I ran this
setcap cap_net_bind_service=+ep /opt/jdk1.8.0_161/jre/bin/java

So now what?

How does it know to bind java process to 443?
$netstat -an says 443 is not open and it does not work using curl.

That is where I am right now.





===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Olaf Kock [mailto:tomcat@olafkock.de]
Sent: Wednesday, March 14, 2018 11:59 AM
To: users@tomcat.apache.org
Subject: Re: Binding a non root user to port 443


On 14.03.2018 16:02, Cheltenham, Chris wrote:
> Chris,
>
> I am kind of lost. I am not sure what you guys are asking.
> If I asked the same thing twice its because whatever was sent by
> someone else other than you did not work or I cannot use.

well, I'm also lost. It would help to know what didn't work for you and, if 
possible, why. It doesn't help anyone if we're giving the same answers 
again, not knowing any of the aspects that need to be changed, or anything 
about what you can't use.

Olaf




Re: Binding a non root user to port 443

Posted by Olaf Kock <to...@olafkock.de>.
On 14.03.2018 16:02, Cheltenham, Chris wrote:
> Chris,
>
> I am kind of lost. I am not sure what you guys are asking.
> If I asked the same thing twice its because whatever was sent by someone
> else other than you did not work or I cannot use.

well, I'm also lost. It would help to know what didn't work for you and, 
if possible, why. It doesn't help anyone if we're giving the same 
answers again, not knowing any of the aspects that need to be changed, 
or anything about what you can't use.

Olaf




RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Chris,

I am kind of lost. I am not sure what you guys are asking.
If I asked the same thing twice its because whatever was sent by someone 
else other than you did not work or I cannot use.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, March 14, 2018 10:31 AM
To: users@tomcat.apache.org
Subject: Re: Binding a non root user to port 443


Chris,

On 3/14/18 10:02 AM, Cheltenham, Chris wrote:
> Oh this thread was long ago and answered by someone else.

You asked the same question on 2018-03-02, and got many replies including 
the ones I gave in this thread. Actually, I replied as well.

Previous thread: https://markmail.org/thread/bfct4jm5saotfmsq
Current thread:  https://markmail.org/thread/rpqtbbfualtztapb

So the question is: why are you asking the same question again? Did you not 
like those answers? Did you try any of them and were having trouble? It 
doesn't seem like you tried all the possibilities that were suggested back 
in early March.

-chris



Re: Binding a non root user to port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chris,

On 3/14/18 10:02 AM, Cheltenham, Chris wrote:
> Oh this thread was long ago and answered by someone else.

You asked the same question on 2018-03-02, and got many replies
including the ones I gave in this thread. Actually, I replied as well.

Previous thread: https://markmail.org/thread/bfct4jm5saotfmsq
Current thread:  https://markmail.org/thread/rpqtbbfualtztapb

So the question is: why are you asking the same question again? Did
you not like those answers? Did you try any of them and were having
trouble? It doesn't seem like you tried all the possibilities that
were suggested back in early March.

-chris



RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Coty,

Oh this thread was long ago and answered by someone else.

Thanks

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Cheltenham, Chris [mailto:ccheltenham-ext@philasd.org]
Sent: Wednesday, March 14, 2018 10:02 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: Binding a non root user to port 443

Hello Coty,

I am not sure what you mean?


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, March 14, 2018 9:45 AM
To: users@tomcat.apache.org
Subject: Re: Binding a non root user to port 443


Coty,

On 3/13/18 2:20 PM, Coty Sutherland wrote:
> This looks like a continuation of this thread from 11 days ago:
> https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

Indeed.
>
Chris C, you didn't like any of the responses you got in the previous 
thread?

-chris



RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Hello Coty,

I am not sure what you mean?


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, March 14, 2018 9:45 AM
To: users@tomcat.apache.org
Subject: Re: Binding a non root user to port 443


Coty,

On 3/13/18 2:20 PM, Coty Sutherland wrote:
> This looks like a continuation of this thread from 11 days ago:
> https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

Indeed.
>
Chris C, you didn't like any of the responses you got in the previous 
thread?

-chris

Re: Binding a non root user to port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Coty,

On 3/13/18 2:20 PM, Coty Sutherland wrote:
> This looks like a continuation of this thread from 11 days ago: 
> https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

Indeed.
> 
Chris C, you didn't like any of the responses you got in the
previous thread?

-chris

Re: Binding a non root user to port 443

Posted by Coty Sutherland <cs...@redhat.com>.
This looks like a continuation of this thread from 11 days ago:
https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

On Tue, Mar 13, 2018 at 2:16 PM, Cheltenham, Chris
<cc...@philasd.org> wrote:
> Chris,
>
> I see JSVC will allow a non root user to bind to 443.
> Somehow I have to get these libraries into TOMCAT?
>
> Correct?
>
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, March 13, 2018 2:03 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Binding a non root user to port 443
>
> Chris,
>
> On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
>> Is there a way to redirect ports 80 and 443 to 8443.
>>
>> I have a non root user but I cannot use CentOS firewalld nor iptables.
>
> How about authbind?
>
>> I have tried these things.
>>
>> <Connector port="443" protocol="HTTP/1.1" enableLookups="false"
>> redirectPort="8443"/>
>
> The redirectPort here is useless (it's for redirecting non-secure traffic to
> a secure port). Here, you are already secure (and redirecting to 8443 won't
> go anywhere). Just remove the attribute.
>
>> But it still fails.
>
> This will fail on most *NIXs because non-root can't bind to ports below
> 1024.
>
> Are you able to run jsvc? It will allow you to bind to ports and then drop
> privileges.
>
> -chris
>

RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Chris,

I see JSVC will allow a non root user to bind to 443.
Somehow I have to get these libraries into TOMCAT?

Correct?


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, March 13, 2018 2:03 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Binding a non root user to port 443

Chris,

On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
> Is there a way to redirect ports 80 and 443 to 8443.
>
> I have a non root user but I cannot use CentOS firewalld nor iptables.

How about authbind?

> I have tried these things.
>
> <Connector port="443" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="8443"/>

The redirectPort here is useless (it's for redirecting non-secure traffic to 
a secure port). Here, you are already secure (and redirecting to 8443 won't 
go anywhere). Just remove the attribute.

> But it still fails.

This will fail on most *NIXs because non-root can't bind to ports below 
1024.

Are you able to run jsvc? It will allow you to bind to ports and then drop 
privileges.

-chris

RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Hassan, the answer is, I don't really know why they hesitated on that 
request.
I can do it myself, I have root, I was just being cooperative.


-----Original Message-----
From: Hassan Schroeder [mailto:hassan.schroeder@gmail.com]
Sent: Tuesday, March 13, 2018 2:40 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Binding a non root user to port 443

On Tue, Mar 13, 2018 at 11:18 AM, Cheltenham, Chris 
<cc...@philasd.org> wrote:

> I may lobby for iptables but the admins are pushing back.

"pushing back" because of laziness or actual reasons?

--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan
Consulting Availability : Silicon Valley or remote

RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Pushing back means they were stuttering about reconfiguring the local 
firewalld zone that they created.
I am trying to figure out a different way but I just don't know Java that 
well.

If they box me into a corner, I will figure it out, however.



-----Original Message-----
From: Hassan Schroeder [mailto:hassan.schroeder@gmail.com]
Sent: Tuesday, March 13, 2018 2:40 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Binding a non root user to port 443

On Tue, Mar 13, 2018 at 11:18 AM, Cheltenham, Chris 
<cc...@philasd.org> wrote:

> I may lobby for iptables but the admins are pushing back.

"pushing back" because of laziness or actual reasons?

Re: Binding a non root user to port 443

Posted by Hassan Schroeder <ha...@gmail.com>.
On Tue, Mar 13, 2018 at 11:18 AM, Cheltenham, Chris
<cc...@philasd.org> wrote:

> I may lobby for iptables but the admins are pushing back.

"pushing back" because of laziness or actual reasons?

RE: Binding a non root user to port 443

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Chris,

Do you believe this is the best way to redirect the ports, or is it better 
all around for the OS to handle that, i.e. iptables?

I may lobby for iptables but the admins are pushing back.


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, March 13, 2018 2:03 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Binding a non root user to port 443

Chris,

On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
> Is there a way to redirect ports 80 and 443 to 8443.
>
> I have a non root user but I cannot use CentOS firewalld nor iptables.

How about authbind?

> I have tried these things.
>
> <Connector port="443" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="8443"/>

The redirectPort here is useless (it's for redirecting non-secure traffic to 
a secure port). Here, you are already secure (and redirecting to 8443 won't 
go anywhere). Just remove the attribute.

> But it still fails.

This will fail on most *NIXs because non-root can't bind to ports below 
1024.

Are you able to run jsvc? It will allow you to bind to ports and then drop 
privileges.

-chris

Re: Binding a non root user to port 443

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chris,

On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
> Is there a way to redirect ports 80 and 443 to 8443.
> 
> I have a non root user but I cannot use CentOS firewalld nor
> iptables.

How about authbind?

> I have tried these things.
> 
> <Connector port="443" protocol="HTTP/1.1" enableLookups="false"
> redirectPort="8443"/>

The redirectPort here is useless (it's for redirecting non-secure
traffic to a secure port). Here, you are already secure (and
redirecting to 8443 won't go anywhere). Just remove the attribute.

> But it still fails.

This will fail on most *NIXs because non-root can't bind to ports
below 1024.

Are you able to run jsvc? It will allow you to bind to ports and then
drop privileges.

-chris


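The reply above names the two mechanisms that matter: a non-root process gets EACCES when it binds a port below 1024, and jsvc gets around that by opening the socket while still root and only then switching Tomcat to the service account. The Python sketch below shows that same order of operations as an added example; it is not code from this thread, from Tomcat or from jsvc. It assumes a local account named 'nobody' exists to drop to and binds 127.0.0.1 only.

```python
import errno
import os
import pwd
import socket


def is_root():
    """True when the effective uid is 0 (only root may bind ports < 1024)."""
    return os.geteuid() == 0


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind on (host, port) and release it again.

    Returns "ok" on success, otherwise the errno name, e.g. "EACCES", which
    is what a non-root process gets for port 443 on Linux and most *NIXes.
    Port 0 asks the kernel for an ephemeral port, which any user may bind.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def open_listener(port, host="127.0.0.1", backlog=128):
    """Create a listening socket. Call this while the process is still
    privileged; the open socket stays usable after the privileges are gone."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def drop_privileges(username):
    """Switch permanently to `username` if running as root.

    Returns True when a drop happened, False when there was nothing to drop.
    Order matters: clear supplementary groups and set the gid before the uid,
    because once the uid is unprivileged the group changes would be refused.
    """
    if not is_root():
        return False
    pw = pwd.getpwnam(username)      # assumed account, e.g. 'nobody'
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # A correct drop is irreversible: regaining uid 0 must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop is reversible; refusing to continue")


def serve_as(port, username, host="127.0.0.1"):
    """Bind `port` first, then drop to `username`: the jsvc order of operations.
    Returns (listening socket, effective uid afterwards, whether a drop happened)."""
    listener = open_listener(port, host)
    dropped = drop_privileges(username)
    return listener, os.geteuid(), dropped


if __name__ == "__main__":
    # As an ordinary user this prints EACCES, the failure reported in the thread.
    print("bind 127.0.0.1:443 ->", try_bind(443))
    # As root this binds 443 and continues as 'nobody'; as an ordinary user it
    # binds an ephemeral port and reports that there was nothing to drop.
    listener, uid, dropped = serve_as(443 if is_root() else 0, "nobody")
    print("listening on", listener.getsockname(), "as uid", uid, "dropped:", dropped)
    listener.close()
```

Run it once as an ordinary user to see the EACCES, and once as root to see the socket on 443 survive the switch to nobody. The irreversibility check is the part worth copying: a drop that only changes the effective uid (seteuid) leaves the saved uid at 0, so anything that later gains code execution in the process can call seteuid(0) and be root again.
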
Re: [E] Binding a non root user to port 443

Posted by "Bauer, Margaret M (Peggy)" <ma...@verizon.com>.
Change your 443 port to something above 443, like 1443 or 8443.  Root owns
ports below 1024.  The root owner will have to stop/start any processes using
ports under 1024.  Only the root user can use them.

Peggy

On Tue, Mar 13, 2018 at 1:26 PM, Cheltenham, Chris <
ccheltenham-ext@philasd.org> wrote:

> Hello Everyone,
>
>
>
> Is there a way to redirect ports 80 and 443 to 8443.
>
> I have a non root user but I cannot use CentOS firewalld nor iptables.
>
>
>
> I have tried these things.
>
>
>
> <Connector port="443" protocol="HTTP/1.1"
>
>            enableLookups="false"
>
>            redirectPort="8443" />
>
>
>
> But it still fails.
>



-- 
*Peggy Bauer*
CAO Production Support
214-770-1782