From: Apache Wiki
To: Apache Wiki
Reply-To: docs@httpd.apache.org
Date: Sat, 30 Apr 2011 22:50:58 -0000
Message-ID: <20110430225058.97144.85763@eos.apache.org>
Subject: [Httpd Wiki] Update of "NonRootPortBinding" by GuillermoGrandes

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "NonRootPortBinding" page has been changed by GuillermoGrandes.
The comment on this change is: Alternative method (NAT).
http://wiki.apache.org/httpd/NonRootPortBinding?action=3Ddiff&rev1=3D2&rev2= =3D3 -------------------------------------------------- =3D=3D What you need =3D=3D - = You need two things: = * an operating system with POSIX capabilities; @@ -15, +14 @@ We suppose that you have Apache installed, and that the httpd binary is {= {{/usr/sbin/httpd}}}. Some distributions put it in another location (Debian= , for instance, uses {{{/usr/sbin/apache2}}}). = =3D=3D First step: add capabilities to the httpd binary =3D=3D - = The capabilities are added per file. This is why we need to modify the ht= tpd binary itself. The capability we need to add is {{{CAP_NET_BIND_SERVICE= }}}, which is explicitly defined as the capacity for an executable to bind = to a port less than 1024. = You need to be root to do that, so first, be root. Then, add the capabili= ty to the httpd binary: @@ -23, +21 @@ {{{ root@myhost # setcap cap_net_bind_service=3D+ep /usr/sbin/httpd }}} - = Check that the capability is added: = {{{ root@myhost # getcap /usr/sbin/httpd /usr/sbin/httpd =3D cap_net_bind_service+ep }}} - = =3D=3D Second step: preparing your environment =3D=3D - = NOTE: this section assumes a Fedora, Red Hat or derivate distribution. Ad= apt instructions below accordingly. = Login as root. Choose a user with which you want to run Apache (create on= e if needed). It can be a system only user (ie, no shell), but for testing = purposes: @@ -46, +41 @@ root@myhost # cp -a /etc/httpd ~test/ root@myhost # chown -R test ~test/httpd }}} - = Then login as {{{test}}}. Modify the environment: = {{{ @@ -55, +49 @@ test@myhost $ rm -f logs run test@myhost $ mkdir logs run }}} + Now, test that you can run it: = - Now, test that you can run it: {{{ test@myhost $ pwd /home/test/httpd test@myhost $ httpd -d $(pwd) -DNO_DETACH }}} - = Apache will then run in the foreground. 
If it quits immediately, check th= e console output, or {{{logs/error_log}}}: fix errors (very probably a perm= ission problem) and try again. = You're done! = =3D=3D Reverting =3D=3D - = Use {{{setcap}}} again, to remove the capability: = {{{ root@myhost # setcap cap_net_bind_service=3D-ep /usr/sbin/httpd }}} - = =3D=3D Caveats =3D=3D - = * with this setup, _any_ nonprivileged user can now run Apache on privil= eged ports. So, be very careful about what you do. Additionally, you can fu= rther restrict execution of the httpd binary, either using standard credent= ials ({{{chmod}}}, {{{chown}}} et al) or, even better, ACLs; * if you upgrade Apache, changes you have made to httpd will be lost, yo= u'll need to do them again... = + =3D=3D Alternative method (iptables/linux): NAT =3D=3D + You can use nat based method to redirect traffic from port 80 to 8080. + = + {{{ + root@myhost # iptables -t nat -A PREROUTING -d -p tcp --dport 80 -m = addrtype --dst-type LOCAL -j DNAT --to-destination :8080 + root@myhost # iptables -t nat -A OUTPUT -d -p tcp --dport 80 -m = addrtype --dst-type LOCAL -j DNAT --to-destination :8080 + }}} + Obviously the configuration of your apache server to listen on port 8080 +=20 --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org For additional commands, e-mail: docs-help@httpd.apache.org
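Review bot: the two iptables rules added under "Alternative method (iptables/linux): NAT" cannot be run as written: `-d` is given no address argument (the placeholder was probably swallowed as markup) and `--to-destination :8080` carries no host part, so iptables rejects both lines; either supply the server's address in both places, or drop `-d` altogether and rely on `-m addrtype --dst-type LOCAL` with `-j REDIRECT --to-ports 8080`, which is the usual way to express "port 80 to local port 8080" and needs no address. The closing sentence "Obviously the configuration of your apache server to listen on port 8080" is missing its verb and should say that Apache must be configured with `Listen 8080`. The section also needs a caveat parallel to the one already given for the setcap method: once the redirect is in place, whichever local process holds port 8080 receives all traffic destined for port 80, and 8080 is bindable by any unprivileged user, so the warning that any user can now serve the privileged port applies here too and should be stated. Two further practical points worth a sentence each: after DNAT the filter table sees destination port 8080, so an INPUT policy that only allows 80 will block the redirected connections, and nat-table rules do not survive a reboot unless saved and restored (iptables-save/iptables-restore or the distribution's iptables service).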