I'd like to run Glassfish v3 as a non-privileged user on Linux (Debian), but make it available on port 80. I'm currently doing this with iptables:
iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 80 -j REDIRECT --to-port 8080
This works, but I wonder:
- If this has any significant performance impact compared to binding directly to port 80
- If I could make a similar setup also work for HTTPS (or if that must run on 443)
- If there's a way to prevent other users from binding to port 8080 (in case my server crashes) - maybe block that port permanently for other users somehow?
...or if I should use authbind/privbind instead? Problem: I couldn't make it work with authbind or privbind so far.
For authbind, I edited asadmin's last line to:
exec authbind --deep "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...
For privbind:
exec privbind -u glassfish "$JAVA" -Djava.net.preferIPv4Stack=true -jar ...
(Only) with these settings, I can successfully perform a create-domain --domainport 80. This proves that authbind and privbind actually work (the authbind version of the script is called by the glassfish user; the privbind version is called by root, of course). However, in both cases I get the following exception when starting the domain (start-domain):
[#|2010-03-20T13:25:21.925+0100|SEVERE|glassfishv3.0|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=11;_ThreadName=FelixStartLevel;|Shutting down v3 due to startup exception : Permission denied: 80=com.sun.enterprise.v3.services.impl.monitor.MonitorableSelectorHandler@1fc25e5|#]
I haven't found a solution for that yet (after searching the web, it seems that this isn't so easy?). But maybe the solution with iptables is good enough - what do you think?
Thanks,
Chris
Note:
Putting an Apache in front isn't a good solution in my case - I plan on using Comet, and Comet works better without proxies.
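A check a defender might run against the setup in the question (added example, not code from the original post or from GlassFish): it parses constructed `iptables -t nat -S PREROUTING` and `ss -tlnpe` output and reports, per REDIRECT rule, which uid actually holds the internal port, which is the crash scenario the third bullet worries about. The glassfish uid 1001, the address 192.0.2.10 and the sample lines are assumptions.

```python
# Audit of an iptables REDIRECT front end like the one in the question. Sample
# outputs are constructed (not from a real host) in the formats of `iptables -t
# nat -S PREROUTING` and `ss -tlnpe`; glassfish uid 1001, 192.0.2.10 and the
# foreign uid 1002 are assumptions.
import re

NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
"""
# 8080 has been grabbed by another user's process (the crash case from bullet 3);
# 8443 is held by glassfish as intended.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=2201,fd=3)) uid:1002 ino:30001 sk:1
LISTEN 0      4096   *:8443             *:*               users:(("java",pid=2300,fd=54)) uid:1001 ino:30002 sk:2
"""
REDIRECT_RE = re.compile(r"--dport (\d+) -j REDIRECT --to-ports? (\d+)")
LISTEN_RE = re.compile(r'^LISTEN\s.*?:(\d+)\s.*?users:\(\("([^"]+)",pid=(\d+)[^)]*\)\)(?:\s+uid:(\d+))?')

def parse_redirects(rules: str) -> dict:
    """Public --dport -> internal --to-ports for every REDIRECT rule."""
    return {int(m.group(1)): int(m.group(2)) for m in REDIRECT_RE.finditer(rules)}

def parse_listeners(ss_text: str) -> dict:
    """Local port -> (process, pid, uid); ss prints no uid: field for root, so default 0."""
    found = {}
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found[int(m.group(1))] = (m.group(2), int(m.group(3)), int(m.group(4) or 0))
    return found

def audit(rules: str, ss_text: str, expected_uid: int) -> dict:
    """For each redirected public port, report who actually receives its traffic."""
    listeners, report = parse_listeners(ss_text), {}
    for public, internal in parse_redirects(rules).items():
        if internal not in listeners:
            report[public] = f"no-listener: port {public} is redirected to closed port {internal}"
        elif listeners[internal][2] != expected_uid:
            proc, pid, uid = listeners[internal]
            report[public] = f"wrong-uid: {proc} (pid {pid}, uid {uid}) holds port {internal}"
        else:
            report[public] = "ok"
    return report

if __name__ == "__main__":
    for port, status in audit(NAT_RULES, SS_OUTPUT, 1001).items():
        print(f"{port}: {status}")
```

On a real host, feed it the live output of the two commands; a "wrong-uid" result means port-80 traffic is being delivered to a process that is not yours.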
I use NAT all the time in production. While it is more commonly used to translate between intranet and Internet, it can be perfectly acceptable to use it this way as well. I've done similar for an almost identical situation. With that being said, there are other options.
Application servers and web servers often run together; as such, it makes sense to keep Java on 8080 and 8443 internally. More often, people would probably use Apache as the proxy to translate certain requests to Java and serve static content from the Apache instance. I understand that you find this solution unacceptable, but it must be said.
If this does not cover your questions, feel free to expound and I will iterate further.
Edit 1
You're welcome. NAT won't affect https' normal operation, it will work fine.
I can't imagine why you would be worried about other non-privileged users binding to 8080. Is there something unique to your situation?
Your privbind problem is probably a result of HOME being set to root's. Either I or whoever takes ownership of privbind from me will try to fix it in the next version (now that there will be a next version...)
See if adding "HOME=~glassfish" at the start of the command line (assuming a Bourne-derived shell) solves the problem (if it's still relevant: it has been four years since the question was asked, after all...)
Shachar