Cheers Nick, much clearer. Seems the simplest solution for me is the latter, as there are only technical users; I have already sorted the encryption, so assigning it a high port to avoid casual scans and accidental connections will be a two-minute job.
Many thanks,
David
Nick Couchman wrote:
On Wed, Jul 4, 2018 at 4:02 AM M D Barber <[email protected]> wrote:
I have read in the Guacamole docs about Tomcat not being able to freely de/elevate its privileges as and when required with regard to setting the TCP port, and hence the need to consider using a proxy such as Apache or nginx.
Yes, Tomcat would have to be run as root to run on standard ports (80/443, anything below 1024), which is bad. So, generally speaking, you want to run Tomcat as a non-privileged user and run it on a higher port (8080 is standard, 8443 for Tomcat native SSL/TLS) and then use some other means to redirect connections from the standard ports to Tomcat. Using a reverse proxy server, like Nginx or httpd, is pretty common practice.
It is worth noting that a recent change in the Linux kernel allows non-privileged users to open lower ports with some sysctl settings, but that's on really recent kernels.
For me this has raised a couple of questions that I can't find answers to, or am blind to :)
1. If this is a major issue and Tomcat is considered a security risk because of it, is it maybe justification to consider use of a different container?
No, I wouldn't say that Tomcat is a security risk. Running Tomcat as root is a security risk, and running unpatched versions of Tomcat or Tomcat with unpatched versions of Java is a security risk, but recent versions of Java with recent versions of Tomcat as a non-privileged user should be fine. I believe most of the Java application servers (Tomcat, Jetty, JBoss, etc.) fall under the same restrictions, so simply switching to a different Java application server doesn't necessarily give you any advantage over Tomcat. Tomcat is very widely used for Java applications, and running it as an unprivileged user behind a reverse proxy is an acceptable practice.
2. If simply not running anything on standard ports and forcing users to enter the FQDN + port number at, say, 5000, is this an issue for Guacamole, or has anyone come across any issues with Tomcat?
This is perfectly acceptable as well, and should work fine; it just comes with a couple of things to be aware of:
- Tomcat, by default, does not have encryption enabled and listens on unencrypted port 8080. You can set up the encrypted connector for Tomcat and assign it a port, but it seems like most people just use a reverse proxy instead.
- One of the reasons to use standard ports is that people don't have to remember the ports. 8080 has become pretty common, but 8443 for encrypted traffic is less common, so it's a little harder for people to remember that they need to go to https://server.example.local:8443/guacamole in order to get to the page, rather than just https://server.example.local/guacamole. If you choose to run it on some other port (5000, for instance), that's even less common and less usual for people, and they're more likely to forget and have to ask you to remind them where they should go.
-Nick
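The reverse-proxy arrangement Nick describes, as an added example that is not part of this thread or of the Guacamole project's own configuration: nginx binds the privileged ports 80 and 443 (it starts as root only to bind them and then drops to its worker user), terminates TLS, and forwards to Tomcat, which runs as an unprivileged user on its default plain-HTTP port 8080. The hostname server.example.local, the certificate paths, and Tomcat being bound to 127.0.0.1 are assumptions for the example; the /guacamole/ proxy settings (no buffering, HTTP/1.1, Upgrade/Connection headers) are what the Guacamole WebSocket tunnel needs.

```nginx
# Added example, not from the thread or the Guacamole project.
# Assumes: Tomcat listens on 127.0.0.1:8080 as an unprivileged user,
# and a certificate for server.example.local exists at the paths below.

server {
    listen 80;
    listen [::]:80;
    server_name server.example.local;
    # Nothing is served over plain HTTP; send everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name server.example.local;

    ssl_certificate     /etc/ssl/certs/server.example.local.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/server.example.local.key; # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Let https://server.example.local/ land on the web app, so users
    # only need the hostname (the "remembering ports" point above).
    location = / {
        return 302 /guacamole/;
    }

    location /guacamole/ {
        # Tomcat is reachable only on loopback, so the proxy is the
        # single entry point and 8080 is never exposed to the network.
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

For the loopback assumption to hold, Tomcat's HTTP connector in server.xml should carry address="127.0.0.1" so that nothing but the proxy can reach port 8080. The kernel change Nick mentions is the net.ipv4.ip_unprivileged_port_start sysctl, available from Linux 4.11; lowering it to 0 lets an unprivileged Tomcat bind 443 directly, but it widens that permission to every unprivileged process on the host, which is why the proxy (or a high port with Tomcat's own TLS connector, as in the reply above) remains the usual choice.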