On Wed, Jul 4, 2018 at 4:02 AM M D Barber <[email protected]> wrote:
> I have read in the guacamole docs about tomcat not being able to freely
> de/elevate its privileges as and when required
> with regards to set tcp port and hence the need to consider using a
> proxy such as apache or nginx,

Yes, Tomcat would have to be run as root to run on standard ports (80/443, anything below 1024), which is bad. So, generally speaking you want to run Tomcat as a non-privileged user and run it on a higher port (8080 is standard, 8443 for Tomcat native SSL/TLS) and then use some other means to redirect connections from the standard ports to Tomcat. Using a reverse proxy server, like Nginx or httpd, is pretty common practice. It is worth noting that a recent change in the Linux kernel allows non-privileged users to open lower ports with some sysctl settings, but that's on really recent kernels.

> for me this has
> raised a couple of questions, that I can't find or am blind to :)
> 1. if this is a major issue and tomcat is considered a security risk
> because of it, is it maybe justification to consider use of a different
> container?

No, I wouldn't say that Tomcat is a security risk - running Tomcat as root is a security risk, and running unpatched versions of Tomcat or Tomcat with unpatched versions of Java is a security risk, but recent versions of Java with recent versions of Tomcat as a non-privileged user should be fine. I believe most of the Java application servers (Tomcat, Jetty, JBOSS, etc.) fall under the same restrictions, so simply switching to a different Java application server doesn't necessarily give you any advantage over Tomcat. Tomcat is very widely-used for Java applications, and running it as an unprivileged user behind a reverse-proxy is an acceptable practice.

> 2. If simply not running anything on standard ports and forcing users to
> enter the fqdn+port number at say, 5000 is this an issue for guacamole or
> has anyone come across any issues with tomcat?

This is perfectly acceptable, as well, and should work fine, it just comes with a couple of things to be aware of:

- Tomcat, by default, does not have encryption enabled and listens on unencrypted port 8080. You can set up the encrypted connector for Tomcat and assign it a port, but it seems like most people just use a reverse proxy, instead.
- One of the reasons to use standard ports is that people don't have to remember the ports. 8080 has become pretty common, but 8443 for encrypted traffic is less common, so it's a little harder for people to remember that they need to do https://server.example.local:8443/guacamole in order to get to the page, rather than just https://server.example.local/guacamole. If you choose to run it on some other port (5000, for instance), that's even less common and less usual for people, and they're more likely to forget and have to ask you to remind them where they should go.

-Nick
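As an added example, not part of Nick's reply or the Guacamole project's own documentation, here is an Nginx configuration implementing the setup described in the thread: Nginx owns the privileged ports 80 and 443 and terminates TLS, while Tomcat runs as an unprivileged user on port 8080. The hostname and certificate paths are placeholders, and it assumes Tomcat's HTTP connector is bound to 127.0.0.1 so that the unencrypted port is not reachable from the network.

```nginx
# Added example (not from the thread): Nginx as the TLS-terminating reverse
# proxy in front of Tomcat, which runs unprivileged on 127.0.0.1:8080.
# Assumptions: Guacamole is deployed at /guacamole; server_name and the
# certificate paths are placeholders to replace with your own values.

# Keep the standard HTTP port working, but send everything to HTTPS so
# no Guacamole traffic (including credentials) is served unencrypted.
server {
    listen 80;
    server_name server.example.local;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name server.example.local;

    ssl_certificate     /etc/ssl/certs/PLACEHOLDER-fullchain.pem;
    ssl_certificate_key /etc/ssl/private/PLACEHOLDER-privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /guacamole/ {
        # Tomcat's unprivileged connector; only reachable on the loopback.
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_http_version 1.1;

        # Guacamole's client tunnel is a WebSocket; pass the upgrade through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Preserve the original host and client address for Tomcat's logs.
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Buffering would delay the streamed display updates; disable it.
        proxy_buffering off;

        # Remote desktop sessions are long-lived; do not cut them off at
        # the default 60 second read timeout.
        proxy_read_timeout 1d;
    }
}
```

With this in place users reach https://server.example.local/guacamole without a port number, and Tomcat itself never needs root.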
