I never looked into jsvc.  It sounds very interesting!  To use a <
1024 port as a non-root user, I've always used iptables to redirect
traffic to a higher-numbered port.  When experimenting with iptables
on a remote server, I actually like to schedule a reboot for 10 or 15
minutes, so that if I lock myself out, I can just wait a bit, then get
back in without bothering anyone.  But assuming that you are an
iptables pro already, here's the critical part.

# Allow an inbound packet to initiate an HTTPS session
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 8443 -m state --state NEW

# Forward port 443 to 8443 where tomcat is listening as a non-root user
# Redirect for both ethernet cards for consistency.
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

I hope that helps.  I have no idea about the pros and cons of iptables
vs. jsvc for this.  I just know we were using iptables for security
already, so this was a convenient way around the "root < 1024 port"
restriction.

Oh, and I put these rules in an /etc/init.d startup script, with the
proper dependencies, so that if the server is rebooted for some
reason, the web server automatically starts up on reboot (after all
its dependencies are satisfied).  That's saved me a number of
late-night headaches.

On Thu, Nov 20, 2014 at 3:11 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Léa,
>
> On 11/20/14 1:21 PM, Léa Massiot wrote:
>> Thank you for your answers.
>>
>> @MarkEggers Thank you very much for sharing.
>>
>>> Christopher Schultz wrote: There are reasons to use jsvc, but the
>>> ability to run as a non-root user is not one of them.
>>
>> What are these reasons according to you (apart from running Tomcat
>> as a daemon on Unix which was also one of my goals at the time)?
>
> Several I can think of without spending too much time:
>
> 1. (by a large margin) Allows access to ports < 1024
> 2. Automatic re-start of JVM process if the JVM exits
> 3. Control JVM process by sending signal to parent process
> 4. Enable rotation of stdout/stderr files
>
>> Also, an excerpt from here:
>> http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon
>> "jsvc has other useful parameters, such as -user which causes it to
>> switch to another user after the daemon initialization is complete.
>> This allows, for example, running Tomcat as a non privileged user
>> while still being able to use privileged ports."
>
> This is just a note about additional features, certainly not the
> primary feature of jsvc.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>



-- 
Glen K. Peterson
(828) 393-0081
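An added check, not part of the thread, that a practitioner could run over `iptables-save` output to confirm the redirect described above is complete: the nat PREROUTING REDIRECT exists and, because redirected packets reach the filter INPUT chain carrying the new destination port, INPUT accepts the higher port. Both dumps below are constructed samples, not captures from a real host.

```sh
# Constructed iptables-save dump mirroring the rules quoted in the mail (not a real host):
# 443 redirected to 8443 in nat, both ports accepted in filter INPUT.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m state --state NEW -j ACCEPT
COMMIT'

# Constructed dump with a common slip: only 443 is opened in INPUT. Redirected
# packets reach INPUT with dport 8443, so with a DROP policy clients are cut off.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT'

# Print the -A rules of table $2 from dump $1 (a table runs from "*name" to COMMIT).
table_rules() {
  printf '%s\n' "$1" | awk -v t="*$2" '$0 == t {f = 1; next} /^COMMIT/ {f = 0} f && /^-A/'
}

# Succeed if nat PREROUTING redirects TCP port $2 to $3 (iptables-save spells it --to-ports).
has_redirect() {
  table_rules "$1" nat | grep -q -e "^-A PREROUTING .*-p tcp .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# Succeed if filter INPUT accepts TCP to port $2.
has_input_accept() {
  table_rules "$1" filter | grep -q -e "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT\$"
}

# Verify the whole path: redirect $2 -> $3 exists AND $3 (not $2) is open in INPUT.
check_redirect() {
  if ! has_redirect "$1" "$2" "$3"; then
    echo "missing: nat PREROUTING REDIRECT $2 -> $3"; return 1
  fi
  if ! has_input_accept "$1" "$3"; then
    echo "missing: INPUT ACCEPT for $3 (redirected packets arrive at INPUT with dport $3)"; return 1
  fi
  echo "ok: $2 -> $3 redirect and INPUT ACCEPT on $3 are both present"
}
check_redirect "$GOOD_DUMP" 443 8443          # ok
check_redirect "$BAD_DUMP" 443 8443 || true   # reports the missing 8443 ACCEPT
```

On a live host, feed it the real dump with `check_redirect "$(iptables-save)" 443 8443` (needs root to read the tables).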

