[rhelv6-list] tomcat on privileged port

Rainer Traut tr.ml at gmx.de
Wed Sep 14 11:37:37 UTC 2011


Am 13.09.2011 13:30, schrieb Matthias Saou:
> Rainer Traut wrote:
>
>> I've looked around in docs.redhat.com but found nothing so far.
>> What's best practice to run standalone tomcat on port 443 without apache
>> in front?
>>
>> There are a couple of choices...
>> like run as root (bad) or iptables in front.
>> But which is the preferred 'redhat way'?
>
> Between the "good" and "bad" choices, I'm guessing it'll be up to you
> to decide. But a bit of common sense should make that easy :-)
>
> And you seem to already know the answer, but just in case:
> iptables -t nat -I PREROUTING 1 \
>      -p tcp --dport 443 -j REDIRECT --to-ports $my_tomcat_port
> service iptables save
>
> This is common practice for just about any standalone tcp server which
> isn't started as root and needs to be accessed on a privileged port.

Thx to both of you for your answers.
I'm afraid the iptables cmd did not work... :)

Problem was - we are building an HA two-node cluster with floating IP -
and the REDIRECT target "changes the destination IP to the primary
address of the incoming interface".

This was the case here, so we had to use the DNAT target like this:

iptables -t nat -A PREROUTING -d $TOMCATIP -p tcp --dport 443 -j DNAT \
    --to-destination $TOMCATIP:$TOMCATPORT

But works now, thx!
Rainer
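The DNAT approach from the thread, written out as a reviewable script. This is an added example, not code posted by Rainer or Matthias: it assumes the floating IP and the unprivileged Tomcat port are passed in as arguments, and it goes one step beyond the thread by also adding a nat OUTPUT rule, because connections opened on the node itself (for example a local health check against the floating IP) never traverse PREROUTING and would otherwise miss the rewrite.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables NAT rules that
# forward port 443 on a cluster's floating IP to an unprivileged Tomcat port.
# Assumptions (not from the original posts): $1 is the floating address
# ($TOMCATIP in the thread), $2 is the Tomcat listener port ($TOMCATPORT),
# and the rules are persisted with the stock RHEL 6 "service iptables save".

# Print the rules without applying them so they can be reviewed or tested.
# REDIRECT is deliberately avoided: it rewrites the destination to the
# primary address of the incoming interface, which on an HA node is not the
# floating IP, so Tomcat (bound to the floating IP) would never see the packet.
tomcat_nat_rules() {
    ip="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ]; then
        # The whole point is to keep Tomcat off privileged ports (no root).
        echo "port $port is privileged; Tomcat should listen above 1023" >&2
        return 1
    fi
    # Traffic arriving from the network for the floating IP.
    echo "iptables -t nat -A PREROUTING -d $ip -p tcp --dport 443 -j DNAT --to-destination $ip:$port"
    # Locally originated connections (health checks, curl on the node) only
    # pass the nat OUTPUT chain, so they need the same rewrite.
    echo "iptables -t nat -A OUTPUT -d $ip -p tcp --dport 443 -j DNAT --to-destination $ip:$port"
}

# Apply the generated rules (needs root) and persist them across reboots.
# Usage: apply_tomcat_nat_rules 192.0.2.10 8443
apply_tomcat_nat_rules() {
    tomcat_nat_rules "$1" "$2" | while read -r rule; do
        sh -c "$rule" || exit 1
    done && service iptables save
}
```

The generator/apply split keeps the rules inspectable (`tomcat_nat_rules 192.0.2.10 8443` just prints them), and the port check refuses to "solve" the problem by pointing the rewrite at another privileged port. After applying, `iptables -t nat -L PREROUTING -n --line-numbers` shows the DNAT entry with the floating IP as destination.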