On Unix-based systems, port 80 is protected and can usually only be opened by the superuser root. As it is not desirable to run the server as root (for security reasons), the solution options are as follows:
The latter has traditionally been the solution, however Jetty 6.1 has added the new setuid feature.
If you are using Solaris 10, you may not need to use this feature, as Solaris provides a User Rights Management framework that can permit users and processes superuser-like abilities. Please refer to the Solaris documentation for more information.
Create a jetty config file like so:
Where you replace:
For your convenience, you'll find one of these ready made in the $jetty.home/extras/setuid/etc/jetty-setuid.xml.
Leave out the -shared argument.
You must ensure that the etc/jetty-setuid.xml file is first in the list of config files.
On some Linux systems the ipchains REDIRECT mechanism can be used to redirect from one port to another inside the kernel:
This basically means, "Insert into the kernel's packet filtering the following as the first rule to check on incoming packets: If the protocol is TCP and the destination port is 80, redirect the packet to port 8080." Your kernel must be compiled with support for ipchains (virtually all stock kernels are). You must have the "ipchains" command-line utility installed. (On RedHat the package is aptly named "ipchains".) You can run this command at any time, preferably just once since it inserts another copy of the rule every time you run it.
Once this rule is set up, a Linux 2.2 kernel will redirect all data addressed to port 80 to a server such as Jetty running on port 8080. This includes all RedHat 6.x distros. Linux 2.4 kernels, e.g. RedHat 7.1+, have a similar "iptables" facility.
You need to add something like the following to the startup scripts or your firewall rules:
The underlying model of iptables is different to that of ipchains so the forwarding normally only happens to packets originating off-box. You will also need to allow incoming packets to port 8080 if you use iptables as a local firewall.
Be careful to place rules like this one early in your "input" chain. Such rules must precede any rule that would accept the packet, otherwise the redirection won't occur. You can insert as many rules as needed if your server needs to listen on multiple ports, as for HTTPS.
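One way to make the iptables redirect safe to re-run from a startup script, as an added example that is not part of the original Jetty documentation: each rule is checked with iptables -C before it is inserted, so repeated runs do not stack duplicate copies (iptables -I, like the ipchains insert described above, adds a new copy every time). The function names and the IPTABLES override variable are assumptions for illustration; ports 80 and 8080 are the ones used on this page.

```shell
#!/bin/sh
# Added example: idempotent redirect of port 80 to an unprivileged Jetty port.
# Usage (as root):  sh redirect80.sh apply     (script name is hypothetical)
# IPTABLES may be overridden, e.g. to point at a wrapper for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN RULE...
# Insert RULE at the top of CHAIN unless an identical rule already exists.
ensure_rule() {
    table=$1
    chain=$2
    shift 2
    # -C (check) exits 0 when a matching rule is already present.
    if $IPTABLES -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    # Position 1 puts the rule ahead of any later rule that would
    # accept or drop the packet first.
    $IPTABLES -t "$table" -I "$chain" 1 "$@"
}

# redirect_port FROM TO
# Rewrite the destination port of packets arriving from off-box, then
# allow the rewritten packets through a local INPUT firewall.
redirect_port() {
    from=$1
    to=$2
    ensure_rule nat PREROUTING -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to" &&
    ensure_rule filter INPUT -p tcp --dport "$to" -j ACCEPT
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    redirect_port 80 8080
fi
```

The ACCEPT rule leaves port 8080 reachable directly as well as through port 80. Rules added this way do not survive a reboot unless the script is called from the startup scripts.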
On Solaris 10 (maybe earlier versions too) the OS allows you to grant privileged ports binding to "normal" users:
myself user will be able to bind to port 80.
With modern Linux flavours, inetd has a newer, better big brother xinetd. I'm not going to get into detail about it, there are plenty of man pages etc out there.
But the point is that you can use xinetd to redirect network traffic, and all you need is a text editor.
xinetd is driven by text files. Now there's 2 ways to give xinetd instructions:
Take your pick, the format is the same, if you have a look at the file/directory, you will get the picture.
The following entry will redirect all inward tcp traffic on port 80 to port 8888 on the local machine. Of course you can redirect to other machines for gimp proxying:
type = UNLISTED means that the name of the service does not have to be in /etc/services, but you have to specify port and protocol. If you want to use an existing service name, e.g. http:
Have a browse in /etc/services and it will all become clear.
Xinetd is a hugely powerful and configurable system so expect to do some reading.