Sophie

Sophie

distrib > Mandriva > 2010.0 > x86_64 > by-pkgid > c27466c2a3fa3cf6008c3a485d00ce04 > files > 84

jetty5-manual-5.1.15-1.5.2mdv2010.0.noarch.rpm

SECTION: 300-HTTP
TITLE: user80
QUESTION: Can I run a non root user on port 80?

Yes! 
<P>
On Unix derived systems, due to differenced between JVMs for how their threads 
map to kernel processes, it is not sufficient, secure or 100% java to call setuid 
to change to a non-root user after opening port 80.
<P>
A better solution is to run the server on a non-privileged port (eg 8080) and
use a firewall or routing mechanism to map port 80 to 8080. 
<p>
<h4> Using ipchains </h4>
<p>
On some Linux systems the ipchains REDIRECT mechanism can be used to redirect from 
one port to another inside the kernel:
<pre>
  /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080
</pre>
This basically means, "Insert into the kernel's packet filtering the
following as the first rule to check on incoming packets: If the
protocol is TCP and the destination port is 80, redirect the packet to
port 8080."  Your kernel must be compiled with support for ipchains. (virtually all stock kernels are.) You must have the "ipchains"
command-line utility installed.  (On RedHat the package is aptly named
"ipchains".)  You can run this command at any time, preferably just once
since it inserts another copy of the rule every time you run it.
<P>
Once this rule is set up, a Linux 2.2 kernel will redirect all data
addressed to port 80 to a server such as Jetty running on port
8080.This includes all RedHat 6.x distros.  Linux 2.4 kernels, e.g. RedHat
7.1+,  have a similar "iptables" facility.
<p>
<h4> Using iptables </h4>
<p>
You need to add something like the following to the startup
scripts or your firewall rules:
<pre>
  /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
</pre>
The underlying model of iptables is different to that of ipchains  so the forwarding normally only happens to packets originating off-box. You will also need to allow incoming packets to port 8080 if you use iptables as a local firewall.
<P>
Be careful to place rules like this one early in your "input" chain.
Such rules must precede any rule that would accept the packet, otherwise
the redirection won't occur.  You can insert as many rules as needed if
your server needs to listen on multiple ports, as for HTTPS.
<p>
<b>Note:</b> For some extremely handy scripts (verified against
SuSe 7.3) and a detailed <font face=courier>readme.txt</font>,
download a the tiny tarball <A
HREF="doc/iptables.tgz">iptables.tgz</A> contributed by Chris Haynes
(thanks Chris!).

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional