tomcat-users mailing list archives

From "Cheltenham, Chris" <ccheltenham-...@philasd.org>
Subject Re: Binding a non root user to port 443
Date Fri, 16 Mar 2018 12:31:43 GMT
Thank You Olaf 

=========================== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571

----- Original Message -----
From: "Olaf Kock" <tomcat@olafkock.de>
To: "users" <users@tomcat.apache.org>
Sent: Friday, March 16, 2018 7:21:26 AM
Subject: Re: Binding a non root user to port 443

Chris,


On 15.03.2018 13:34, Cheltenham, Chris wrote:
> Andre,
>
> You probably missed where I had mentioned the infrastructure group poo poo'd
> altering iptables for whatever reason.
>
> Here is what I think are my 5 best choices for running tomcat as a non root
> user on a privileged port.
>
> 1) redirect 443 to 8443 on the load balancer. VIP side.
>
> 2) iptables
>
> 3) jsvc
>
> 4) authbind
>
> 5) set cap
>
> I do NOT have control of the VIP so I can only make suggestions based on
> what I have control of.

I don't understand. I always make suggestions for areas that I don't 
have control of. It'd be frightening if I didn't, because that would 
mean that I'd control too much. IMHO 1 is the best point: The 
load balancer balances something anyway - you'd just document the 
application it should balance and the ports it should be available 
under. You probably can't tell them they need to bind another port than 
443 /on their frontend/, but you should certainly be able to tell them 
where your application lives that they should connect to in the backend. 
That's a configuration they'd have to make anyway and I hope they'd not 
be opposed to entering a port number.
> Therefore, the latter three are what I am looking into.
>
> I do not like set cap because it opens up ALL the privileged ports to a
> binary, such as java or http.
> Authbind is an install of a potentially buggy or insecure software.

another reason for 1...

> I am not really sure how my post warranted so much attention but I
> appreciate it.

well, you posted a question, gave the background - that's what this list 
is for.

Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
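The thread weighs three host-side ways of letting a non-root Tomcat answer on 443 (iptables redirect, authbind, setcap) and the objection that setcap opens every privileged port to the java binary. As an added example that is not part of the thread and not Tomcat's or the list's own code, the following shell audit takes the output of `getcap`, `iptables -t nat -S`, `ls /etc/authbind/byport` and the text of `server.xml`, and reports which mechanism is in place and on which port Tomcat itself listens. All sample inputs are constructed; the default of `CATALINA_BASE` to `/opt/tomcat` in `live_audit` is an assumption; `cap_net_bind_service` is the real Linux capability that setcap would grant.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Classifies how a host lets a non-root
# Tomcat answer on 443 from the evidence an admin would inspect anyway:
# file capabilities on the JVM, nat-table REDIRECT rules, authbind port files
# and the HTTPS Connector port in server.xml. The classifiers take text, so
# they run on the constructed samples below or on live command output.

# getcap prints "/path/java = cap_net_bind_service+ep" (older libcap) or
# "/path/java cap_net_bind_service=ep" (libcap 2.41+). Either way the
# capability is file-scoped: any process started from that binary may bind
# ANY port below 1024, which is the objection raised in the thread.
classify_setcap() {
  case "$1" in
    *cap_net_bind_service*) echo "setcap:all-privileged-ports" ;;
    *)                      echo "setcap:none" ;;
  esac
}

# Is there a PREROUTING rule redirecting tcp/443 to the given backend port?
# Usage: classify_redirect "<output of iptables -t nat -S>" 8443
classify_redirect() {
  rules="$1"; backend="$2"
  if printf '%s\n' "$rules" | grep -Eq -- "^-A PREROUTING .*--dport 443 .*-j REDIRECT --to-ports ${backend}( |\$)"; then
    echo "iptables:443->${backend}"
  else
    echo "iptables:none"
  fi
}

# authbind grants per port: a file named after the port under
# /etc/authbind/byport. Usage: classify_authbind "<output of ls /etc/authbind/byport>"
classify_authbind() {
  if printf '%s\n' "$1" | grep -qx '443'; then
    echo "authbind:443-only"
  else
    echo "authbind:none"
  fi
}

# Port of the SSL-enabled Connector in server.xml (Connector elements may
# span several lines, so newlines are collapsed first). For every forwarding
# option this should be an unprivileged port such as 8443.
connector_port() {
  printf '%s\n' "$1" | tr '\n' ' ' \
    | grep -Eo '<Connector[^>]*>' \
    | grep 'SSLEnabled="true"' \
    | grep -Eo '(^|[ 	])port="[0-9]+"' \
    | grep -Eo '[0-9]+' | head -n1
}

# One-line verdict combining all four pieces of evidence.
audit_verdict() {
  port="$(connector_port "$4")"
  echo "connector=${port} $(classify_setcap "$1") $(classify_redirect "$2" "$port") $(classify_authbind "$3")"
}

# On a real host, feed live command output through the same classifiers.
# CATALINA_BASE defaulting to /opt/tomcat is an assumption for this example.
live_audit() {
  java_bin="$(readlink -f "$(command -v java)" 2>/dev/null || true)"
  audit_verdict \
    "$( [ -n "$java_bin" ] && getcap "$java_bin" 2>/dev/null || true )" \
    "$( iptables -t nat -S 2>/dev/null || true )" \
    "$( ls /etc/authbind/byport 2>/dev/null || true )" \
    "$( cat "${CATALINA_BASE:-/opt/tomcat}/conf/server.xml" 2>/dev/null || true )"
}

# Constructed samples standing in for live command output.
SAMPLE_GETCAP='/usr/lib/jvm/java-8-openjdk-amd64/bin/java = cap_net_bind_service+ep'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'
SAMPLE_AUTHBIND='443'
SAMPLE_SERVER_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>'

# Run against the samples; on a real host call live_audit instead.
audit_verdict "$SAMPLE_GETCAP" "$SAMPLE_NAT" "$SAMPLE_AUTHBIND" "$SAMPLE_SERVER_XML"
```

The sample deliberately shows a host where more than one mechanism is present, which is the situation an audit should catch: once the REDIRECT rule (or the load balancer of option 1) forwards 443 to 8443, a leftover file capability on the JVM is pure excess privilege, and the verdict line makes that visible. The classifiers only need read access to the command output, so the check can run from a non-root monitoring account if that output is collected separately.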
