authbind, privbind or iptables REDIRECT (port 80 to 8080)?
- by chris_l
Hi,
I'd like to run Glassfish v3 as a non-privileged user on Linux (Debian), but make it available on port 80. I'm currently doing this with iptables:
iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 80 -j REDIRECT --to-port 8080
This works, but I wonder:
If this has any significant performance impact compared to binding directly to port 80
If I could make a similar setup also work for HTTPS (or if that must run on 443)
If there's a way to prevent other users from binding to port 8080 (in case my server crashes) - maybe block that port permanently to other users somehow?
...or if I should use authbind/privbind instead? Problem: I couldn't make it work with authbind or privbind so far.
For authbind, I edited asadmin's last line to:
exec authbind --deep "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...
For privbind:
exec privbind -u glassfish "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...
(Only) with these settings, I can successfully perform a create-domain --domainport 80. This proves that authbind and privbind actually work (the authbind version of the script is called by the glassfish user; the privbind version is called by root, of course). However, in both cases I get the following exception when starting the domain (start-domain):
[#|2010-03-20T13:25:21.925+0100|SEVERE|glassfishv3.0|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=11;_ThreadName=FelixStartLevel;|Shutting down v3 due to startup exception : Permission denied: 80=com.sun.enterprise.v3.services.impl.monitor.MonitorableSelectorHandler@1fc25e5|#]
I haven't found a solution for that yet (after searching the web, it seems that this isn't so easy?). But maybe the solution with iptables is good enough - what do you think?
Thanks,
Chris
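Added example, not part of the original post: with the REDIRECT rule in place, whoever holds the listening socket on 8080 receives the port 80 traffic, so a monitoring check can confirm that the listener belongs to the expected account by reading the kernel's socket table. The UID 1001 for the glassfish user and the sample table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Report whether the LISTEN socket on a port belongs to the expected UID."""
import sys

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp and /proc/net/tcp6

# Constructed sample in /proc/net/tcp layout: UID 1001 listens on 8080 (0x1F90),
# UID 0 listens on 22 (0x0016), and one established connection uses port 8080.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20011 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 20050 1 0000000000000000 20 4 30 10 -1
"""

def listener_uids(table_text, port):
    """Return the set of UIDs that own LISTEN sockets on `port`."""
    uids = set()
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with "N:"; this skips header rows and blank lines.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)  # port is hex
        if fields[3] == TCP_LISTEN and local_port == port:
            uids.add(int(fields[7]))  # eighth column is the owning UID
    return uids

def check_owner(table_text, port, expected_uid):
    """Return 'ok', 'down' (nobody listening) or 'foreign' (other UID)."""
    uids = listener_uids(table_text, port)
    if not uids:
        return "down"
    return "ok" if uids == {expected_uid} else "foreign"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live check: PORT EXPECTED_UID
        text = ""
        for path in ("/proc/net/tcp", "/proc/net/tcp6"):
            try:
                with open(path) as fh:
                    text += fh.read()
            except OSError:
                pass  # table not present, e.g. IPv6 disabled
        result = check_owner(text, int(sys.argv[1]), int(sys.argv[2]))
    else:  # demo run on the constructed sample
        result = check_owner(SAMPLE, 8080, 1001)
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

Run with a port and the numeric UID of the service account (from `id -u glassfish`) to check the live tables; a non-zero exit status means the port is either unbound or held by a different account.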