Skip to main content
summaryrefslogtreecommitdiffstats
path: root/documentation/current/setting-port80-access.html
blob: 10a59b6620f188d2f48438dfcfbfc78d697f280e (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

<html><head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="configuring-connectors.html" title="Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
            Version: 9.3.1-SNAPSHOT</span></td><td style="width: 50%"><script type="text/javascript">  (function() {
            var cx = '016459005284625897022:obd4lsai2ds';
            var gcse = document.createElement('script');
            gcse.type = 'text/javascript';
            gcse.async = true;
            gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
            '//www.google.com/cse/cse.js?cx=' + cx;
            var s = document.getElementsByTagName('script')[0];
            s.parentNode.insertBefore(gcse, s);
            })();
          </script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;6.&nbsp;Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
          <span class="website">www.webtide.com</span></a></h5><p>
 private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
 scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
      </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty's SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the
  superuser root can open it. For security reasons, it is not desirable to run
  the server as root. This page presents several options to access port 80 as
  a non-root user, including using ipchains, iptables, Jetty's SetUID feature,
  xinetd, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains
    REDIRECT</em></span> mechanism to redirect from one port to another inside
    the kernel (if ipchains is not available, then usually iptables
    is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the
    kernel's packet filtering the following as the first rule to check on
    incoming packets: if the protocol is TCP and the destination port is 80,
    redirect the packet to port 8080". Be aware that your kernel must be
    compiled with support for ipchains (virtually all stock kernels are). You
    must also have the ipchains command-line utility installed. You can run
    this command at any time, preferably just once, since it inserts another
    copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the iptables REDIRECT mechanism to
    redirect from one port to another inside the kernel (if iptables is not
    available, then usually ipchains is).</p><p>You need to add something like the following to the startup scripts
    or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of iptables is different from ipchains, so the
    forwarding normally happens only to packets originating off-box. You also
    need to allow incoming packets to port 8080 if you use iptables as a local
    firewall.</p><p>Be careful to place rules like this one early in your
    <span class="emphasis"><em>input</em></span> chain. Such rules must precede any rule that
    accepts the packet, otherwise the redirection won't occur. You can insert
    as many rules as required if your server needs to listen on multiple
    ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty's SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is
    a technique that uses Unix-like file system access right to allow users to
    run an executable that would otherwise require higher privileges.</p><p>Jetty's SetUID module allows you to run Jetty as a normal user even
    when you need to run Jetty on port 80 or 443.</p><p>To use it with the jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Ensure that you have the http.mod (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> if you are using
        SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the
        <a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using. The
        http.mod is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS &amp; HTTP2">https.mod</a> is only enabled
        in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a>
        directory.</p></li><li class="listitem"><p>Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a>
        to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the
        https port</a> to 443 if you are using SSL).</p></li><li class="listitem"><p>Enable the setuid.mod module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>The --add-to-start command will enable the setuid module for
            this and all subsequent executions of jetty. There are other ways
            to enable the module, such as just for this execution. For more
            information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></li><li class="listitem"><p>Edit the configuration for the setuid module to substitute the
        userid and groupid of the user to switch to after starting. If you
        used the <code class="code">--add-to-start</code> command, this configuration is in
        the <code class="code">start.ini</code> file. If you used the
        <code class="code">--add-to-startd</code> command instead, this configuration is in
        the <code class="code">start.d/setuid.ini </code>file instead. Here are the lines
        to configure:</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: plain;toolbar: false">
          <![CDATA[jetty.startServerAsPrivileged=false
jetty.username=foo
jetty.groupname=bar
jetty.umask=002
]]>
        </script></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="icon-asterisk"></i> Note</h3><p>As well as opening the connectors as root, you can also have
            jetty start the Server as root before changing to the non-root
            user.</p></div></li><li class="listitem"><p>You now need a native code library to do the user switching.
        This code is hosted as part of the Jetty ToolChain project and it is
        released independently from Jetty itself. You can find the source code
        <a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git" target="_top">here</a>
        in the <a class="link" href="https://git.eclipse.org/c/jetty/org.eclipse.jetty.toolchain.git/tree/jetty-setuid" target="_top">jetty-setuid</a>
        project. Build it locally, which will produce a native library
        appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p>If you built on a linux
        machine you will find the native library in
        <code class="code">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>.
        If you built on a different operating system you will find the library
        in a different subdirectory, with the name containing the name of the
        operating system. You might like to copy this file into your jetty
        distribution's lib directory.</p></li><li class="listitem"><p>Start jetty as the root user in your base directory, providing
        the location of the native library to java. Here's an example of how
        to do it on the command line, assuming were are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can
    permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="code">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">
    Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">
    Solaris 11 Security Services documentation</a> for more
    information.</p></div></div><script type="text/javascript">
      SyntaxHighlighter.all()
    </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-security.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;7.&nbsp;Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
            See an error or something missing?
            <span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
                <span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2015-11-24T01:01:03+00:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-1149868-7']);
  _gaq.push(['_trackPageview']);

  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
    </script></body></html>

Back to the top