authbind, privbind or iptables REDIRECT (port 80 to 8080)?

Posted by chris_l on Server Fault
Published on 2010-03-20T13:01:23Z Indexed on 2010/03/20 13:11 UTC


Hi,

I'd like to run Glassfish v3 as a non-privileged user on Linux (Debian), but make it available on port 80. I'm currently doing this with iptables:

iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 80 -j REDIRECT --to-port 8080

This works, but I wonder:

  1. If this has any significant performance impact compared to binding directly to port 80
  2. If I could make a similar setup also work for HTTPS (or if that must run on 443)
  3. If there's a way to prevent other users from binding to port 8080 (in case my server crashes) - maybe block that port permanently to other users somehow?

...or if I should use authbind/privbind instead? Problem: I couldn't make it work with authbind or privbind so far.

For authbind, I edited asadmin's last line to:

exec authbind --deep "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...

For privbind:

exec privbind -u glassfish "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...

(Only) with these settings, I can successfully perform a create-domain --domainport 80. This proves that authbind and privbind actually work (the authbind version of the script is called by the glassfish user; the privbind version is called by root, of course). However, in both cases I get the following exception when starting the domain (start-domain):

[#|2010-03-20T13:25:21.925+0100|SEVERE|glassfishv3.0|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=11;_ThreadName=FelixStartLevel;|Shutting down v3 due to startup exception : Permission denied: 80=com.sun.enterprise.v3.services.impl.monitor.MonitorableSelectorHandler@1fc25e5|#]

I haven't found a solution for that yet (after searching the web, it seems that this isn't so easy?). But maybe the solution with iptables is good enough - what do you think?

Thanks,

Chris
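The iptables approach from the question, written up as a re-runnable script. This is an added example, not code from the question or from any answer to it; it assumes a placeholder public address of 192.0.2.10 and a TLS listener on local port 8443 (both hypothetical, change them for your host). It covers the two points a practitioner usually trips over with REDIRECT: re-running the rule stacks duplicates unless you check with -C first, and locally generated connections never traverse PREROUTING, so clients on the host itself need a matching OUTPUT rule.

```shell
#!/bin/sh
# Added example, not part of the question: idempotent NAT redirects so a service
# running as an unprivileged user on 8080/8443 answers on 80/443.
# Assumptions (placeholders, not from the post): public address 192.0.2.10,
# TLS listener on local port 8443.
set -eu

IPTABLES="${IPTABLES:-iptables}"        # override to point at iptables-legacy/nft, or a stub
PUBLIC_ADDR="${PUBLIC_ADDR:-192.0.2.10}" # placeholder for the host's public address

# Rule body for a public-port -> local-port redirect in the given nat chain.
# $1 = chain (PREROUTING for remote clients, OUTPUT for this host's own clients)
# $2 = public port, $3 = local port
redirect_rule() {
    chain="$1"; pub="$2"; loc="$3"
    # Locally generated packets never traverse PREROUTING; they leave via lo,
    # so the OUTPUT copy needs "-o lo" to catch connections from the host itself.
    if [ "$chain" = OUTPUT ]; then
        echo "OUTPUT -o lo -p tcp -d $PUBLIC_ADDR --dport $pub -j REDIRECT --to-port $loc"
    else
        echo "PREROUTING -p tcp -d $PUBLIC_ADDR --dport $pub -j REDIRECT --to-port $loc"
    fi
}

# Insert a nat rule only if an identical one is not already present (-C),
# so re-running the script after a reboot or restart does not stack duplicates.
# Echoes the arguments it issued; echoes nothing when the rule already exists.
ensure_rule() {
    rule="$1"
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    if ! "$IPTABLES" -t nat -C $rule 2>/dev/null; then
        "$IPTABLES" -t nat -I $rule
        echo "-t nat -I $rule"
    fi
}

# 80 -> 8080 and 443 -> 8443, each for remote clients and for local clients.
apply_all() {
    for spec in "80 8080" "443 8443"; do
        set -- $spec
        ensure_rule "$(redirect_rule PREROUTING "$1" "$2")"
        ensure_rule "$(redirect_rule OUTPUT "$1" "$2")"
    done
}

# The redirect only helps while the unprivileged service still owns the
# high ports; show who is listening there right now.
check_listeners() {
    ss -ltnp 2>/dev/null | grep -E ':(8080|8443) ' || echo "nothing listening on 8080/8443"
}

if [ "${1:-}" = apply ]; then
    apply_all
    check_listeners
fi
```

Run it as root with `sh redirect.sh apply`; a second run issues no further inserts. The NAT decision is taken once per connection and reused from conntrack for later packets, so the per-packet overhead is a conntrack lookup rather than a full rule walk. Note what the rule does not do: REDIRECT delivers port-80 traffic to whatever is bound on 8080, so if the service dies, any local user who binds 8080 receives that traffic. Restricting who may bind a port is an OS-level control (the authbind/privbind route the question also explores), not something the NAT rule provides.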
