
I'd like to run Glassfish v3 as a non-privileged user on Linux (Debian), but make it available on port 80. I'm currently doing this with iptables:

iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 80 -j REDIRECT --to-port 8080

This works, but I wonder:

  1. If this has any significant performance impact compared to binding directly to port 80
  2. If I could make a similar setup also work for HTTPS (or if that must run on 443)
  3. If there's a way to prevent other users from binding to port 8080 (in case my server crashes) - maybe block that port permanently for other users somehow?

...or if I should use authbind/privbind instead? Problem: I couldn't make it work with authbind or privbind so far.

For authbind, I edited asadmin's last line to:

exec authbind --deep "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...

For privbind:

exec privbind -u glassfish "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...

(Only) with these settings, I can successfully perform a create-domain --domainport 80. This proves that authbind and privbind actually work (the authbind version of the script is called by the glassfish user; the privbind version is called by root, of course). However, in both cases I get the following exception when starting the domain (start-domain):

[#|2010-03-20T13:25:21.925+0100|SEVERE|glassfishv3.0|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=11;_ThreadName=FelixStartLevel;|Shutting down v3 due to startup exception : Permission denied: 80=com.sun.enterprise.v3.services.impl.monitor.MonitorableSelectorHandler@1fc25e5|#]

I haven't found a solution for that yet (after searching the web, it seems that this isn't so easy?). But maybe the solution with iptables is good enough - what do you think?

Thanks,

Chris

Note:

Putting an Apache in front isn't a good solution in my case - I plan on using Comet, and Comet works better without proxies.

Chris Lercher

2 Answers


I use NAT all the time in production. While it is more commonly used to translate between intranet and Internet, it can be perfectly acceptable to use it this way as well. I've done something similar for an almost identical situation. With that being said, there are other options.

Application servers and web servers often run together; as such, it makes sense to keep Java on 8080 and 8443 internally. More often, people would probably use Apache as the proxy to translate certain requests to Java and serve static content from the Apache instance. I understand that this solution is unacceptable to you, but it must be said.

If this does not cover your questions, feel free to expound and I will iterate further.

Edit 1

You're welcome. NAT won't affect the normal operation of HTTPS; it will work fine.

I can't imagine why you would be worried about other non-privileged users binding to 8080. Is there something unique to your situation?

Warner
  • Thanks! Have you used NAT with HTTPS successfully - or does this cause problems with the SSL protocol? I've used the Apache approach (with Tomcat) before - but in that case, the SSL part was handled by Apache. Are you using something to prevent non-privileged users (other than the glassfish user in this case) from binding to port 8080? – Chris Lercher Mar 20 '10 at 17:30
  • NAT works fine with HTTPS. Often, you can just have the router direct 80 to 8080. – Kyle Brandt Mar 20 '10 at 18:28
  • Very good to know that this works with HTTPS! @Warner: When I redirect port 80 to 8080, then binding to 8080 is essentially the same as binding to port 80 (so we could just as well allow everyone to bind to port 80). Now I certainly don't set up my server as a multi-user machine for non-admins (I'm not insane), but this still impacts the security of the system: if one of my non-privileged processes gets compromised, it can try to cause Glassfish to exit (OutOfMemoryError etc.), and then happily serve its own content on the trusted port 80. – Chris Lercher Mar 20 '10 at 18:37
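A defender-side check for the concern raised in the comments above: once 80 is redirected to 8080, whoever holds 8080 effectively holds port 80, so the listener on 8080 should be verified to belong to the glassfish user. This is an added example, not code from the thread or from Glassfish; it scans output in the shape of `ss -H -ltnpe` (the uid:N token is the socket owner's uid) for listeners on a port whose uid is not the expected one. The three sample lines are constructed, and uid 1001 for the glassfish user is an assumption.

```sh
#!/bin/sh
# Constructed sample in the shape of `ss -H -ltnpe` output (not captured from a real host).
# Field 4 is the local address:port; the uid:N token is the owning uid of the socket.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1234,fd=42)) uid:1001 ino:23456 sk:1
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3)) uid:0 ino:11111 sk:2
LISTEN 0 128 [::]:8080 [::]:* users:(("python3",pid=4321,fd=5)) uid:1002 ino:99999 sk:3'

# check_port_owner PORT EXPECTED_UID
# Reads ss output on stdin. For every listener on PORT whose uid is not EXPECTED_UID
# it prints "pid=.. uid=.. comm=..". Exit status 1 if any were found, 0 otherwise.
check_port_owner() {
  port=$1
  want=$2
  awk -v p="$port" -v want="$want" '
    $4 !~ (":" p "$") { next }            # not a listener on the watched port
    {
      uid = "?"; pid = "?"; comm = "?"
      if (match($0, /uid:[0-9]+/))  uid  = substr($0, RSTART + 4, RLENGTH - 4)
      if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
      if (match($0, /\(\("[^"]+"/)) comm = substr($0, RSTART + 3, RLENGTH - 4)
      if (uid != want) {                  # an unknown uid ("?") counts as a finding too
        bad++
        printf "pid=%s uid=%s comm=%s\n", pid, uid, comm
      }
    }
    END { if (bad > 0) exit 1; exit 0 }'
}

# Usage with the constructed sample; on a real host replace the printf with: ss -H -ltnpe
# The glassfish uid (1001) is an assumption; take the real value from `id -u glassfish`.
if findings=$(printf '%s\n' "$SAMPLE_SS" | check_port_owner 8080 1001); then
  echo "port 8080: only uid 1001 is listening"
else
  echo "port 8080: unexpected listener(s), now reachable through the 80->8080 REDIRECT:"
  echo "$findings"
fi
```

Run it from cron or a monitoring agent after the Glassfish start script; a non-zero exit is the alert condition.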

Your privbind problem is probably a result of HOME being set to root's. Either I or whoever takes ownership of privbind from me will try to fix it in the next version (now that there will be a next version...)

See if adding "HOME=~glassfish" at the start of the command line (assuming a Bourne-derived shell) solves the problem (if it's still relevant: it has been four years since the question was asked, after all...)

Shachar