Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

On 8/6/2017 9:23 AM, Mark Thomas wrote:



Are those recordings available?  I'm specifically interested in
the Tomcat ones.

Yes, they are available on YouTube. For some reason, nobody has
bothered to link them to the ASF's YouTube channel...

I've created a playlist for the videoed Tomcat sessions and added it to
the Tomcat YouTube channel. I've also reorganised the home page so it
shows both 'our' videos and the playlists.

Https://youtube.com/c/ApacheTomcatOfficial

Mark


Awesome!  Thanks :)

Igal Sapir
Lucee Core Developer
Lucee.org 

Re: This is weird: can't bind to 443

[Mark Thomas]

On 04/08/17 22:39, Christopher Schultz wrote:
> Igal,
> 
> On 8/3/17 3:11 PM, Igal @ Lucee.org wrote:
>> Hi Chris,
> 
>> On 8/3/2017 11:39 AM, Christopher Schultz wrote:
>>> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
 Was it priced? What would have been the cost for doing that?
>>> The cost was $3000/room/day (as quoted to me by Shane Curcuru --
>>> I asked because I was curious at the time).
>> Thanks for the info.
> 
>>> TomcatCon had one day of recordings care of our sponsor, Comcast.
>>> Other parts of the conference had recordings as well.
> 
>> Are those recordings available?  I'm specifically interested in
>> the Tomcat ones.
> 
> Yes, they are available on YouTube. For some reason, nobody has
> bothered to link them to the ASF's YouTube channel...

I've created a playlist for the videoed Tomcat sessions and added it to
the Tomcat YouTube channel. I've also reorganised the home page so it
shows both 'our' videos and the playlists.

Https://youtube.com/c/ApacheTomcatOfficial

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

Chris,

On 8/4/2017 2:39 PM, Christopher Schultz wrote:

Yes, they are available on YouTube. For some reason, nobody has
bothered to link them to the ASF's YouTube channel... they are a
"playlist" for ApacheCon 2017 - Miami:
https://www.youtube.com/playlist?list=PLbzoR-pLrL6pLDCyPxByWQwYTL-JrF5Rp

All of the Tomcat-related ones are already linked from the "TomcatCon
2017" section of our Presentations page:
http://tomcat.apache.org/presentations.html

The ApacheCon YouTube playlist has a bunch of non-Tomcat-related
videos as well, of course.




Well noted on all points.

Thank you for the information and the links!

Igal Sapir
Lucee Core Developer
Lucee.org 

Re: This is weird: can't bind to 443

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Igal,

On 8/3/17 3:11 PM, Igal @ Lucee.org wrote:
> Hi Chris,
> 
> On 8/3/2017 11:39 AM, Christopher Schultz wrote:
>> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
>>> Was it priced? What would have been the cost for doing that?
>> The cost was $3000/room/day (as quoted to me by Shane Curcuru --
>> I asked because I was curious at the time).
> Thanks for the info.
> 
>> TomcatCon had one day of recordings care of our sponsor, Comcast.
>> Other parts of the conference had recordings as well.
> 
> Are those recordings available?  I'm specifically interested in
> the Tomcat ones.

Yes, they are available on YouTube. For some reason, nobody has
bothered to link them to the ASF's YouTube channel... they are a
"playlist" for ApacheCon 2017 - Miami:
https://www.youtube.com/playlist?list=PLbzoR-pLrL6pLDCyPxByWQwYTL-JrF5Rp

All of the Tomcat-related ones are already linked from the "TomcatCon
2017" section of our Presentations page:
http://tomcat.apache.org/presentations.html

The ApacheCon YouTube playlist has a bunch of non-Tomcat-related
videos as well, of course.

>> They do, but don't always want to pay for every single room for
>> every single day.
> 
> That makes sense.  I wonder what kind of exposure they get though.
> Can they put their name in the intro or outro of the videos?  A
> link to their site?

All sponsorships are handled at the ApacheCon level, and usually end
up being names+logos on all of the signs, etc. at the conference. Plus
obviously listed on all conference-related web pages, etc. (e.g.
http://events.linuxfoundation.org/events/apachecon-north-america and
scroll toward the bottom of the page).

>>> Alternatively, the MoSKito webinar that you just announced is
>>> very exciting.  Perhaps more webinars can be set up.
>> We just need people to author them and perform. :)
>> 
>> Contributions welcome!
> 
> Sure, but those people need to have certain skills and expertise
> in Tomcat or very related technologies.

Like Lucee, for instance? Leon's talk, which is quite Tomcat-related,
is about a third-party product.

> I, for example, can do one for rapid web application development
> with Lucee, which allows a much faster development than JSP or JSF
> for example.  I'm not sure if the Tomcat channel is the best for
> that (though we do use Tomcat as the servlet container).

You can always make a proposal. The worst case would be "we" decide
that it's too much of an advertisement for a company/product/service
and that you are welcome to promote your own webinar, but we won't do
it for you.

> For Tomcat- expert advice I usually refer to you or to Mark ;)

Don't confuse my verbosity with deep knowledge. I am one of the least
knowledgeable of the (active) Tomcat committers, at least in terms of
the underlying technology. But I know how to configure it, and I'm
fairly good at explaining things, and I type quickly. :)

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZhOmvAAoJEBzwKT+lPKRYZF8QAIDy4p/9iKttoRQ5stBSFfow
b3zKrJOCoFET8Ums6F6Vm6wHtunCfT52UHwZSGX1oKn5AL3xO+tPxQuMGCMLJeuM
fzwaRfdg47bodJCJUiLdHs/VQ7ulfYOq/cTuJjAkXjl6Ljls/7kP69KVrILLMN1O
5oyM4FuVcy1lpUz43DLB8hmzr+jArThjDygq1veHOgNcTI0Xi/es68c/6/9MwZy/
FmDFU2MH1mokwzXw8wufkATRpczmbtkXxPKD+E1V4ESwoH2M8hxNnJH3W5bbx3MK
zvKLpk0KA1TJPmLdOglKoqYUrmhf7ywQtY6uFCXyebuweiVUJrBF80o0c/DdP0hY
uU8ZA5dYsNQnha6pWB3XeWb/iMLqj1e/v0dL3suhSD8CctcjWEijw7xxYQJ+5E6h
X5jVBIs/2rOHG642xXkoeV82ffCZ8OK1u3LzmQKjoK9Nz3GFO70D2zgLYd3b8JeB
OCFO1t626gdjCCSBPWxI243jgiLUGQH1szzgKxkXJ0Ec5JUwQfVxFQfUptJoexz9
xtGSox0sYeDD3J8VSPxqLo1XdP5SM7hEMUbHsto+cShrmhVPTw/sXK2B5cZoQgbv
oD/FN1uMj+8ny5WmjiPesmrYobPTAndrhloPJmBHNbNbqFcbpqb2WJVgx4xLnUKa
vzagcWXOfs3fiM+yZ8Zb
=Dimd
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Mark Thomas]

On 03/08/17 20:11, Igal @ Lucee.org wrote:
> Hi Chris,
> 
> On 8/3/2017 11:39 AM, Christopher Schultz wrote:
>> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
>>> Was it priced? What would have been the cost for doing that? 
>> The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
>> asked because I was curious at the time).
> Thanks for the info.
> 
>> TomcatCon had one day of
>> recordings care of our sponsor, Comcast. Other parts of the conference
>> had recordings as well.
> Are those recordings available?  I'm specifically interested in the
> Tomcat ones.
> 
>>
>> I'm sure the ASF would accept a donation of that type.
> That's good to know.  Perhaps we can arrange something for next year.  I
> looked right now on the site and found information about an event in
> London.  I didn't see anything in the mailing list here, but I posted
> about it to the Lucee group at
> https://dev.lucee.org/t/tomcatcon-in-london-september-26th-2017/2647 in
> case anyone is in the area and wants to attend.

That event is still in the planning stage. The plan is to go public once
we have enough of the details finalised (hopefully early next week).

Mark


>> They do, but don't always want to pay for every single room for every
>> single day.
> That makes sense.  I wonder what kind of exposure they get though. Can
> they put their name in the intro or outro of the videos?  A link to
> their site?
> 
> 
>>> Alternatively, the MoSKito webinar that you just announced is very
>>> exciting.  Perhaps more webinars can be set up.
>> We just need people to author them and perform. :)
>>
>> Contributions welcome!
> Sure, but those people need to have certain skills and expertise in
> Tomcat or very related technologies.
> 
> I, for example, can do one for rapid web application development with
> Lucee, which allows a much faster development than JSP or JSF for
> example.  I'm not sure if the Tomcat channel is the best for that
> (though we do use Tomcat as the servlet container).
> 
> For Tomcat- expert advice I usually refer to you or to Mark ;)
> 
> Best,
> 
> Igal Sapir
> Lucee Core Developer
> Lucee.org 
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

Hi Chris,

On 8/3/2017 11:39 AM, Christopher Schultz wrote:

On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
Was it priced? What would have been the cost for doing that? 

The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
asked because I was curious at the time).

Thanks for the info.


TomcatCon had one day of
recordings care of our sponsor, Comcast. Other parts of the conference
had recordings as well.
Are those recordings available?  I'm specifically interested in the 
Tomcat ones.




I'm sure the ASF would accept a donation of that type.
That's good to know.  Perhaps we can arrange something for next year.  I 
looked right now on the site and found information about an event in 
London.  I didn't see anything in the mailing list here, but I posted 
about it to the Lucee group at 
https://dev.lucee.org/t/tomcatcon-in-london-september-26th-2017/2647 in 
case anyone is in the area and wants to attend.




They do, but don't always want to pay for every single room for every
single day.
That makes sense.  I wonder what kind of exposure they get though. Can 
they put their name in the intro or outro of the videos?  A link to 
their site?




Alternatively, the MoSKito webinar that you just announced is very
exciting.  Perhaps more webinars can be set up.

We just need people to author them and perform. :)

Contributions welcome!
Sure, but those people need to have certain skills and expertise in 
Tomcat or very related technologies.


I, for example, can do one for rapid web application development with 
Lucee, which allows a much faster development than JSP or JSF for 
example.  I'm not sure if the Tomcat channel is the best for that 
(though we do use Tomcat as the servlet container).


For Tomcat- expert advice I usually refer to you or to Mark ;)

Best,

Igal Sapir
Lucee Core Developer
Lucee.org 

Re: This is weird: can't bind to 443

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Igal,

On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
> Hi Mark,
> 
> On 8/3/2017 11:05 AM, Mark Thomas wrote:
>> On 03/08/17 17:59, Igal @ Lucee.org wrote:
>>> 
>>> Too bad there are no video recordings of these presentations.
>>> I'd love to watch them and I'm sure that many users would as
>>> well. Unfortunately, not everyone can attend the conventions
>>> due to one reason or another.
>> It was on the wish list but a sponsor didn't come forward to fund
>> it.
> 
> Was it priced?  What would have been the cost for doing that?

The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
asked because I was curious at the time). TomcatCon had one day of
recordings care of our sponsor, Comcast. Other parts of the conference
had recordings as well.

> I wonder if we can do an online fundraiser for that for next year.
> I will gladly contribute some money towards this initiative, and
> I'm sure that there are others like me.

I'm sure the ASF would accept a donation of that type.

> Maybe even some business in the industry would sponsor the whole
> thing for a mention and/or link.

They do, but don't always want to pay for every single room for every
single day.

> Alternatively, the MoSKito webinar that you just announced is very 
> exciting.  Perhaps more webinars can be set up.

We just need people to author them and perform. :)

Contributions welcome!

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZg23oAAoJEBzwKT+lPKRYYtYP/i1TONoiOnufwHNU7sUDKySl
SoJr/Y6Y7NJoszcDdcEdludcSnaTjQXMi5EvVMKSXxF7seDgMOwkG5t+eGlzTUH0
IDaUm419fT07RQF+/3c8BYb7J2bnhtxvYAY+DDJlXHCapSFu3pC92HfxD+rIZki2
/s93I4KczvK3Z8BhGKj8teglGNidMFM9VVzjMg0E7q/e4Qh0BCnJk40WqRKN4RFT
jl6UhcoYCQ8EV3qtDm8JCSv+/YKyCDqv3hU9KhWhr/b+TOpIFwmyF33l4+DTwnje
OiQFjllT3HNbpeRf4oOFy83gkKNiVv9ukehDLG4H/7TggRgjsYQ9Kl5iC9nAXn0X
hLtFaiAs/pUXDnzRtQ4UoWOsHnI0vyzdSyHQqCYv4hPwYOBkaAsn7c/RKO3nEaX0
4LhGCDW/pqRmB/T3FpJnYRxUAW8X4rPLO/Rv+vUg2o3z+wvLY9BZ0tjEtBCE9/0J
7Yn2KtY/9CgMC7+OcpOynuOJ4bpuA+DqBzaJUKY7RhgVJARq685Sdc7qE86p5qSX
ZFOF5v6/73k3mmrh6onZWMbiiV6bgXI8qOC7HcQXTXNFWg+7UynROOJR66WzJqh3
AcDvWW+DLjlbn9595dV8G3GGZ72NYxpijGZ/g/aBMSVoxyczp4TAR76lB8zFwlaw
EztHTcSrSLSRmg+/7SY5
=WsAF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

Hi Mark,

On 8/3/2017 11:05 AM, Mark Thomas wrote:

On 03/08/17 17:59, Igal @ Lucee.org wrote:


Too bad there are no video recordings of these presentations.  I'd love
to watch them and I'm sure that many users would as well. Unfortunately,
not everyone can attend the conventions due to one reason or another.

It was on the wish list but a sponsor didn't come forward to fund it.

Was it priced?  What would have been the cost for doing that?

I wonder if we can do an online fundraiser for that for next year. I 
will gladly contribute some money towards this initiative, and I'm sure 
that there are others like me.


Maybe even some business in the industry would sponsor the whole thing 
for a mention and/or link.


Alternatively, the MoSKito webinar that you just announced is very 
exciting.  Perhaps more webinars can be set up.


Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org 

Re: This is weird: can't bind to 443

[Mark Thomas]

On 03/08/17 17:59, Igal @ Lucee.org wrote:
> On 8/3/2017, Christopher Schultz wrote:
>> For my money, I'd front Tomcat with something else, if only for
>> load-balancing and fail-over capabilities. If you have a reverse
>> proxy, the port number becomes irrelevant.
> +1
> 
>> http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf
>> Start on slide 15 for pretty graphs.
>> I only recently started really playing-around with Tomcat and TLS,
>> mostly for my Let's Encrypt presentation at this year's ApacheCon.
> Too bad there are no video recordings of these presentations.  I'd love
> to watch them and I'm sure that many users would as well. Unfortunately,
> not everyone can attend the conventions due to one reason or another.

It was on the wish list but a sponsor didn't come forward to fund it.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

On 8/3/2017, Christopher Schultz wrote:

For my money, I'd front Tomcat with something else, if only for
load-balancing and fail-over capabilities. If you have a reverse
proxy, the port number becomes irrelevant.

+1


http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf
Start on slide 15 for pretty graphs.
I only recently started really playing-around with Tomcat and TLS,
mostly for my Let's Encrypt presentation at this year's ApacheCon.
Too bad there are no video recordings of these presentations.  I'd love 
to watch them and I'm sure that many users would as well. Unfortunately, 
not everyone can attend the conventions due to one reason or another.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/3/17 9:56 AM, Mark H. Wood wrote:
> I'm always surprised that so little mention is made of the Commons 
> Daemon approach:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon
> 
> which, among other things, lets Tomcat get privileged ports the
> same way that HTTPD (like most other daemons) does: start
> privileged, acquire protected resources, drop privilege, run.
> 
> This *is* mentioned in RUNNING.txt, but somehow manages to be
> overlooked.

jsvc needs to be built on the target machine, etc. which adds another
layer of complexity (just like adding httpd would), which means that
you need a whole toolchain on the target box (or a similar box
elsewhere to build the library, then make sure you really have all the
dependencies)

For my money, I'd front Tomcat with something else, if only for
load-balancing and fail-over capabilities. If you have a reverse
proxy, the port number becomes irrelevant.

I only recently started really playing-around with Tomcat and TLS,
mostly for my Let's Encrypt presentation at this year's ApacheCon.

Given that I think a LB is appropriate, I've never bothered with TLS
and port number games on Tomcat[1].

- -chris

[1] ... although I *do* encrypt my AJP traffic between the web server
and Tomcat, using stunnel.
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZg1VXAAoJEBzwKT+lPKRYlnoQAJ+428KRAGpHe/3ZFo03DolN
xnPhBgnzUgpg1JiPLHdjAC87bXYBVLkTGU7+5RYmJK9QCLjaxly2LugCGmuAHXhj
6KyQzsDhVDqMHEqPKkiK2EZ0aSc7V5laCnzYHXJy2osUUpkv0x3axzhBGmbbv3Hj
XfMXvq9gfVoJ2MeGBRImQS2PGUD8QSjb8j/wWKSNOgQe6fLnG0ZdTXAW8BiSqFPF
hlsACN+Tg9n5sfDbXnEWMP3sAzsbM7Kr4B6MxjKiiXnhCyNkwAGCYqKnAPtlCh9v
Q9Nofh3SpPu3aDsTqcxiZIHRzMwXy2yM4EgD3h8Qnj/J3ZeX6OIp33M9ICW6+hcJ
0G6YGinMgnjJ2GtSpIFSS2oFrdEXmnbxeGGs/HgUJwOsA+ylFH52nNYV0ZBABnXz
BVs/G4MfM7+EVa9KM8NrTCPrZxPK8oHamrdVOoUcxt4Jk6G5JoUHw4w/GS5kBbyF
vBa0QP8ZvlqeUm2WebDa2p0rSI4QM1BKACOyP+fyCWXfJwpCd1VXSbB+IRPvqKZE
Z12Y8Leoa6QBwKjlqZjhP8qTgtHhOBTLxDEqlEupvSHPS4I2vgLMj2t52a9aANkw
E4952/C8xX89qu5x85tlWtPRFAZmuqj1EZLJ0moCV+iYVtb/3AxReIERUF9l4Ec6
Pf9H47i3vnE0BfWXGpf5
=earS
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 8/2/17 11:54 PM, Caldarale, Charles R wrote:
>> From: Igal @ Lucee.org [mailto:i...@lucee.org] Subject: Re: This
>> is weird: can't bind to 443
> 
>> I agree about the "one more thing to go wrong", but fronting
>> Tomcat with a Web Server gives a performance hit?  I mean, sure,
>> now requests for Tomcat have another step to go through, but all
>> of the static resources (assuming there are static resources)
>> will supposedly be handled more efficiently by a web server, no?
> 
> Um, no.  A lot of work has gone into improving Tomcat performance
> over the past few years, to the point where it's largely on par
> with httpd.

+1

I looked, and unfortunately the slides jcflere and I did for AapcheCon
2014 are not posted anywhere. They contained lots of comparisons of
static-content load under various configurations and Tomcat keeps up
with httpd. When using TLS, use of OpenSSL is required because JSSE is
slow as a dog.

There are updated comparisons available from this past year where
jfclere compares OpenSSL performance through JSSE versus OpenSSL
through APR versus pure-Java JSSE. Unfortunately it does not include a
comparison against httpd, but https is essentially the same thing as
APR+OpenSSL in Tomcat.

http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf

Start on slide 15 for pretty graphs.

> Put both in the mix (assuming you're not using httpd for other 
> reasons), and what you've mostly done is add latency.
+1

... especially if you need TLS behind the proxy as well as in front.

>> The added layer usually provides more security as well, provided
>> that the web server doesn't add new vulnerabilities, of course.
> 
> Pretty much all components have (undiscovered) vulnerabilities, so
> having more components actually increases the attack surface.
> 
>> I personally use nginx for SSL termination, which I find easier
>> than Tomcat, though it's been many years since I last tried to
>> setup Tomcat with https.
> 
> Now that Tomcat can use OpenSSL directly, it's easier than it used
> to be. That said, if you do have a front end to Tomcat, might as
> well do the SSL termination there to simplify things.

- -chris

-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZg1NTAAoJEBzwKT+lPKRYl+MP/Rc0erZaU4vDxzJJ2j+w30HX
4W4qwR/qoSFM/P5wsC7aRXC9qoHNHyHE4n19zZXVVSw0pmaBKwhCCxEXqupaA+mF
unJoGZXOayy/cWg5rxeqjHL7QBDu68+F0iSYLqd4iUWoLOp7fnOxpw4/ygbx5rme
pPVxsVJfR1oW8oCGbQBQ2+EjKgyWu0OEB/CCCMfUcDDr3L7hYd/A2MLQSAjYBkJv
EhAM35vX/fVSAmJyEbwUIwQXtObw48aNziGfw7gEdkak+kL8m3cir0cTEkoXF6si
K6rf7fM3SjYFa/gHgDU8zzn4sBr1mYbcDqxXzWLdqj9n5s1FI0EJaCb8uKzqRzmX
MhcyREZsJ8rLdzXxeYuIkXKJtxtqFwvvjzoZHCBLe+MlUryMuiMC5o6l6Mfm1fZG
Lal8R4rDuoHX+EHO/NBQ5rlutUtAkWvO0z4Rl/fqIn55Lah7qGjH10zuT9cKn1k6
h1QPquGVzqQxptx2FqyA0+8J/AKR/6HaZ/0UrDBDYCXEcxZPqbG0NMOp4S0dxCrd
5W5GPoFYA8GxpyNfHYCfhHmZRiC6gF9F6tt9Db5IDdJ90lHFBeyIsE5/cN9jhIo0
CAIS7jwPEVx+MEU00GlkkePWI285Tasp3obWW0w/obpcca5On3/d64UBbZxVhcv1
5isGNlAyaqOWnu9gus9B
=JlL6
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Mark H. Wood]

I'm always surprised that so little mention is made of the Commons
Daemon approach:

  http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

which, among other things, lets Tomcat get privileged ports the same
way that HTTPD (like most other daemons) does: start privileged,
acquire protected resources, drop privilege, run.

This *is* mentioned in RUNNING.txt, but somehow manages to be overlooked.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu


signature.asc
Description: PGP signature

RE: This is weird: can't bind to 443

[Caldarale, Charles R]

> From: Igal @ Lucee.org [mailto:i...@lucee.org] 
> Subject: Re: This is weird: can't bind to 443

> I agree about the "one more thing to go wrong", but fronting Tomcat with 
> a Web Server gives a performance hit?  I mean, sure, now requests for 
> Tomcat have another step to go through, but all of the static resources 
> (assuming there are static resources) will supposedly be handled more 
> efficiently by a web server, no?

Um, no.  A lot of work has gone into improving Tomcat performance over the
past few years, to the point where it's largely on par with httpd.  Put both
in the mix (assuming you're not using httpd for other reasons), and what
you've mostly done is add latency.

> The added layer usually provides more security as well, provided that the 
> web server doesn't add new vulnerabilities, of course.

Pretty much all components have (undiscovered) vulnerabilities, so having
more components actually increases the attack surface.

> I personally use nginx for SSL termination, which I find easier than 
> Tomcat, though it's been many years since I last tried to setup Tomcat 
> with https.

Now that Tomcat can use OpenSSL directly, it's easier than it used to be.
That said, if you do have a front end to Tomcat, might as well do the SSL
termination there to simplify things.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.



smime.p7s
Description: S/MIME cryptographic signature

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

Chris,

On 8/2/2017 3:10 PM, Christopher Schultz wrote:

On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:

On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
I recommend fronting Tomcat with a web server like nginx or httpd,

This is an okay solution but it requires another component to be
installed/configured. Looks like James already has httpd installed, so
it's just a bit more configuration. It's one more thing to get wrong,
though, and it gives you a small performance hit.
I missed the part about having httpd already installed, you're right, 
but that whould only make it easier to set it up as a reverse proxy.


I agree about the "one more thing to go wrong", but fronting Tomcat with 
a Web Server gives a performance hit?  I mean, sure, now requests for 
Tomcat have another step to go through, but all of the static resources 
(assuming there are static resources) will supposedly be handled more 
efficiently by a web server, no?  The added layer usually provides more 
security as well, provided that the web server doesn't add new 
vulnerabilities, of course.


I personally use nginx for SSL termination, which I find easier than 
Tomcat, though it's been many years since I last tried to setup Tomcat 
with https.



but see also two solutions from
http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/

1) have Tomcat listen on a higher port and redirect traffic from
port 80 to the higher port in iptables

This is an okay solution but it's ugly(ish) and highly undiscoverable.
I can't remember the last time I did a netstat and immediately thought
"hey, I wonder if any of those bound ports are being redirected by
iptables?"
Agreed, but I saw it in a couple of places when I googled "linux run 
tomcat on port 80" after James asked for elaboration.  I'm much more 
familiar with Windows than Linux (though am making the migration and 
actually setting up my first CentOS  production server), hence my 
original reply on this thread was short and with no details.



2) set `AUTHBIND=yes` om /etc/defaults/tomcat7

That needs to be /etc/default/tomcat[version]
I actually thought of editing that before posting, but since the OP 
mentioned tomcat 7 I decided not to do so.



I did a little digging into how this works because I was curious.
Obviously, it uses authbind. But that script automatically adds the
following file to /etc/authbind/byuid/[tomcat-uid]:

0.0.0.0/0:1,1023
::/0,1-1023

This allows the tomcat user to bind to ports between 1 and 1023 on
IPv4 and IPv6 addresses.

I would personally lock this down even further and enumerate the ports
you expect to use, but it's possible that the service runner (systemd
in this case) may clobber the permissions at some future point.
I was also wondering how it works, but was too busy to look it up. 
Thanks for sharing your findings.



Igal

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[James H. H. Lampert]

With a little futzing around, setting up 443 as an authbind-able port, 
and (as Christopher noted) correcting the spelling in the pathname, the 
AUTHBIND option worked perfectly.


Thanks for pointing me in the right direction. Now that I think about 
it, I don't think any of the Linux installations I'd previously done of 
Tomcat were on Port 443.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Igal,

On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:
> On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
>>> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
>>> Subject: Re: This is weird: can't bind to 443
>>>> Binding on ports < 1024 on Linux require elevated
>>>> permissions, no?
>>> If so, somebody please elaborate.
>> That's a Linux restriction/feature - must be superuser to use the
>> low port numbers.
> 
> I recommend fronting Tomcat with a web server like nginx or httpd,

This is an okay solution but it requires another component to be
installed/configured. Looks like James already has httpd installed, so
it's just a bit more configuration. It's one more thing to get wrong,
though, and it gives you a small performance hit.

> but see also two solutions from 
> http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/
> 
> 1) have Tomcat listen on a higher port and redirect traffic from
> port 80 to the higher port in iptables

This is an okay solution but it's ugly(ish) and highly undiscoverable.
I can't remember the last time I did a netstat and immediately thought
"hey, I wonder if any of those bound ports are being redirected by
iptables?"

> 2) set `AUTHBIND=yes` om /etc/defaults/tomcat7

That needs to be /etc/default/tomcat[version]

I did a little digging into how this works because I was curious.
Obviously, it uses authbind. But that script automatically adds the
following file to /etc/authbind/byuid/[tomcat-uid]:

0.0.0.0/0:1,1023
::/0,1-1023

This allows the tomcat user to bind to ports between 1 and 1023 on
IPv4 and IPv6 addresses.

I would personally lock this down even further and enumerate the ports
you expect to use, but it's possible that the service runner (systemd
in this case) may clobber the permissions at some future point.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZgk3JAAoJEBzwKT+lPKRYCAkQALfann5v+fOaXbHq6qCb2PXK
nXvvN8hte8f95Yd10G8J839VaI/3qoOH+vA3Y9aYUQJN8K4S0LNMwGove3zhnEvC
PAhEma+NB+Amh+MoWpzWrQ8DfdzGyiWa4HbV5PH+EkCp/GBXLjkP3eFYuw3KaSW8
BNG5ZjcoWmLZ2GbF/DtpzsZ+Lkw8cC1gj3t8cYIhCh3aMI7Tlz83MGiTt+7us2Wk
qttomqmfNloD5oMIBGu0ibNVYIbNArYW0NWxT1ro7lZqKcsLpC8Vk3iw31tvKwMw
idcJS5b1FGkR2uXwVBAQMJcpiko7YOIclL6gfv8mdHaZeP5iQwmf+mGveeDnhwu4
beUz/MGEUV/+A72wO3PTz98E53lzUskYCH10qUpUIjgEDTOI16njRQYdpx5tYT62
3igYDRMDO3djZGT9+NFthuD/9VbEVSjRMBLXnCpeRbtH/iKOaFP9gpgJYzuvw+dp
te/RJe1istOrz+vxRb5HTNCjTT2qzDd4QL3Wi/zaG/Jpqx+OCOvLH1AsXG8t9ulx
S02HXT/b13ltMbTbv3yDCVGgsOuPMonj5ViEx3fBei1idTscZcgZopEPibdM7is1
M/lHw395xfzkRfuA6nL54wPI5SFT/xlPLjmFmgoL6++jG7KetxlHrKIlBH3pmKwz
nUJv8g5LlqQjzzDdEiKO
=lU+b
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:

From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
Subject: Re: This is weird: can't bind to 443

Binding on ports < 1024 on Linux require elevated permissions, no?

If so, somebody please elaborate.

That's a Linux restriction/feature - must be superuser to use the low port
numbers.


I recommend fronting Tomcat with a web server like nginx or httpd, but 
see also two solutions from 
http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/


1) have Tomcat listen on a higher port and redirect traffic from port 80 
to the higher port in iptables

2) set `AUTHBIND=yes` om /etc/defaults/tomcat7


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: This is weird: can't bind to 443

[Caldarale, Charles R]

> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: This is weird: can't bind to 443

> > Binding on ports < 1024 on Linux require elevated permissions, no?

> If so, somebody please elaborate.

That's a Linux restriction/feature - must be superuser to use the low port
numbers.

> It currently seems to be running under a user called "tomcat7."

That's good.

> By contrast, the one we've got running on a local CentOS box runs under
root.

That's bad.

> The installation on the Google Debian instance was via an apt-get, and it
put 
> things in places other than where I was expecting them to be

That's a problem with all the 3rd-party repackaged versions of Tomcat.  Best
to use a real one from tomcat.apache.org.

> Any suggestions on what to do about it?

You should never run Tomcat under root - that means the webapps have full
control of the system.  Any webapp bugs open it up to hackers.  Take a look
at the FAQ for how to avoid that problem:

https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileg
es.3F

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.


-Original Message-


--
JHHL

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



smime.p7s
Description: S/MIME cryptographic signature

Re: This is weird: can't bind to 443

[James H. H. Lampert]

On 8/2/17, 11:26 AM, Igal @ Lucee.org wrote:

On 8/2/2017 11:13 AM, James H. H. Lampert wrote:

I've just got finished moving a Tomcat instance's HTTPS connector from
8443 to 443, on a Google Compute Engine Debian instance (from
Bitnami's canned Trac image). Something I've done literally dozens of
times on AS/400s, along with the occasional WinDoze and Linux box.
Always without incident. Until now. I move it, do a "service tomcat7
restart," and the port doesn't open.

I already moved the Apache 2 server's HTTPS port to a different port
number, where it's working perfectly. There is nothing else listening
on 443, and Apache 2 and Tomcat are operating independently of each
other.


Binding on ports < 1024 on Linux require elevated permissions, no?


If so, somebody please elaborate.

It currently seems to be running under a user called "tomcat7." By 
contrast, the one we've got running on a local CentOS box runs under 
root. (The installation on the Google Debian instance was via an 
apt-get, and it put things in places other than where I was expecting 
them to be, so why should I be surprised that it runs under a different 
user than I was expecting?)


Any suggestions on what to do about it?

--
JHHL

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: This is weird: can't bind to 443

[Igal @ Lucee.org]

On 8/2/2017 11:13 AM, James H. H. Lampert wrote:
I've just got finished moving a Tomcat instance's HTTPS connector from 
8443 to 443, on a Google Compute Engine Debian instance (from 
Bitnami's canned Trac image). Something I've done literally dozens of 
times on AS/400s, along with the occasional WinDoze and Linux box. 
Always without incident. Until now. I move it, do a "service tomcat7 
restart," and the port doesn't open.


I already moved the Apache 2 server's HTTPS port to a different port 
number, where it's working perfectly. There is nothing else listening 
on 443, and Apache 2 and Tomcat are operating independently of each 
other.


Binding on ports < 1024 on Linux require elevated permissions, no?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

This is weird: can't bind to 443

[James H. H. Lampert]

I've just got finished moving a Tomcat instance's HTTPS connector from 
8443 to 443, on a Google Compute Engine Debian instance (from Bitnami's 
canned Trac image). Something I've done literally dozens of times on 
AS/400s, along with the occasional WinDoze and Linux box. Always without 
incident. Until now. I move it, do a "service tomcat7 restart," and the 
port doesn't open.


I already moved the Apache 2 server's HTTPS port to a different port 
number, where it's working perfectly. There is nothing else listening on 
443, and Apache 2 and Tomcat are operating independently of each other.


In catalina.out, I'm getting:

Aug 02, 2017 5:57:40 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-443"]
Aug 02, 2017 5:57:40 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-bio-443"]
java.net.BindException: Permission denied (Bind failed) :443
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:646)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at 
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.net.BindException: Permission denied (Bind failed)
at java.net.PlainSocketImpl.socketBind(Native Method)
at 
java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:376)
at java.net.ServerSocket.bind(ServerSocket.java:376)
at java.net.ServerSocket.(ServerSocket.java:237)
at java.net.ServerSocket.(ServerSocket.java:181)
at javax.net.ssl.SSLServerSocket.(SSLServerSocket.java:136)
at 
sun.security.ssl.SSLServerSocketImpl.(SSLServerSocketImpl.java:107)
at 
sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:84)
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:188)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
... 17 more


followed by

Aug 02, 2017 5:57:40 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.net.BindException: Permission denied (Bind failed) :443
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
at