This is weird: can't bind to 443

This is weird: can't bind to 443

James H. H. Lampert
I've just got finished moving a Tomcat instance's HTTPS connector from
8443 to 443, on a Google Compute Engine Debian instance (from Bitnami's
canned Trac image). Something I've done literally dozens of times on
AS/400s, along with the occasional WinDoze and Linux box. Always without
incident. Until now. I move it, do a "service tomcat7 restart," and the
port doesn't open.

I already moved the Apache 2 server's HTTPS port to a different port
number, where it's working perfectly. There is nothing else listening on
443, and Apache 2 and Tomcat are operating independently of each other.

In catalina.out, I'm getting:

> Aug 02, 2017 5:57:40 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-443"]
> Aug 02, 2017 5:57:40 PM org.apache.coyote.AbstractProtocol init
> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
> java.net.BindException: Permission denied (Bind failed) <null>:443
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:646)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
>         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> Caused by: java.net.BindException: Permission denied (Bind failed)
>         at java.net.PlainSocketImpl.socketBind(Native Method)
>         at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:376)
>         at java.net.ServerSocket.bind(ServerSocket.java:376)
>         at java.net.ServerSocket.<init>(ServerSocket.java:237)
>         at java.net.ServerSocket.<init>(ServerSocket.java:181)
>         at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:136)
>         at sun.security.ssl.SSLServerSocketImpl.<init>(SSLServerSocketImpl.java:107)
>         at sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:84)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:188)
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
>         ... 17 more

followed by

> Aug 02, 2017 5:57:40 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         ... 12 more
> Caused by: java.net.BindException: Permission denied (Bind failed) <null>:443
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:646)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
>         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>         ... 13 more
> Caused by: java.net.BindException: Permission denied (Bind failed)
>         at java.net.PlainSocketImpl.socketBind(Native Method)
>         at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:376)
>         at java.net.ServerSocket.bind(ServerSocket.java:376)
>         at java.net.ServerSocket.<init>(ServerSocket.java:237)
>         at java.net.ServerSocket.<init>(ServerSocket.java:181)
>         at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:136)
>         at sun.security.ssl.SSLServerSocketImpl.<init>(SSLServerSocketImpl.java:107)
>         at sun.security.ssl.SSLServerSocketFactoryImpl.createServerSocket(SSLServerSocketFactoryImpl.java:84)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:188)
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
>         ... 17 more

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: This is weird: can't bind to 443

Igal @ Lucee.org
On 8/2/2017 11:13 AM, James H. H. Lampert wrote:

> I've just got finished moving a Tomcat instance's HTTPS connector from
> 8443 to 443, on a Google Compute Engine Debian instance (from
> Bitnami's canned Trac image). Something I've done literally dozens of
> times on AS/400s, along with the occasional WinDoze and Linux box.
> Always without incident. Until now. I move it, do a "service tomcat7
> restart," and the port doesn't open.
>
> I already moved the Apache 2 server's HTTPS port to a different port
> number, where it's working perfectly. There is nothing else listening
> on 443, and Apache 2 and Tomcat are operating independently of each
> other.

Binding on ports < 1024 on Linux requires elevated permissions, no?

Re: This is weird: can't bind to 443

James H. H. Lampert
On 8/2/17, 11:26 AM, Igal @ Lucee.org wrote:

> On 8/2/2017 11:13 AM, James H. H. Lampert wrote:
>> I've just got finished moving a Tomcat instance's HTTPS connector from
>> 8443 to 443, on a Google Compute Engine Debian instance (from
>> Bitnami's canned Trac image). Something I've done literally dozens of
>> times on AS/400s, along with the occasional WinDoze and Linux box.
>> Always without incident. Until now. I move it, do a "service tomcat7
>> restart," and the port doesn't open.
>>
>> I already moved the Apache 2 server's HTTPS port to a different port
>> number, where it's working perfectly. There is nothing else listening
>> on 443, and Apache 2 and Tomcat are operating independently of each
>> other.
>
> Binding on ports < 1024 on Linux require elevated permissions, no?

If so, somebody please elaborate.

It currently seems to be running under a user called "tomcat7." By
contrast, the one we've got running on a local CentOS box runs under
root. (The installation on the Google Debian instance was via an
apt-get, and it put things in places other than where I was expecting
them to be, so why should I be surprised that it runs under a different
user than I was expecting?)

Any suggestions on what to do about it?

--
JHHL

RE: This is weird: can't bind to 443

Caldarale, Charles R
> From: James H. H. Lampert [mailto:[hidden email]]
> Subject: Re: This is weird: can't bind to 443

> > Binding on ports < 1024 on Linux require elevated permissions, no?

> If so, somebody please elaborate.

That's a Linux restriction/feature - must be superuser to use the low port
numbers.

> It currently seems to be running under a user called "tomcat7."

That's good.

> By contrast, the one we've got running on a local CentOS box runs under
> root.

That's bad.

> The installation on the Google Debian instance was via an apt-get, and it put
> things in places other than where I was expecting them to be

That's a problem with all the 3rd-party repackaged versions of Tomcat.  Best
to use a real one from tomcat.apache.org.

> Any suggestions on what to do about it?

You should never run Tomcat under root - that means the webapps have full
control of the system.  Any webapp bugs open it up to hackers.  Take a look
at the FAQ for how to avoid that problem:

https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.


Re: This is weird: can't bind to 443

Igal @ Lucee.org
On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
>> From: James H. H. Lampert [mailto:[hidden email]]
>> Subject: Re: This is weird: can't bind to 443
>>> Binding on ports < 1024 on Linux require elevated permissions, no?
>> If so, somebody please elaborate.
> That's a Linux restriction/feature - must be superuser to use the low port
> numbers.

I recommend fronting Tomcat with a web server like nginx or httpd, but
see also two solutions from
http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/

1) have Tomcat listen on a higher port and redirect traffic from port 80
to the higher port in iptables
2) set `AUTHBIND=yes` in /etc/defaults/tomcat7


Re: This is weird: can't bind to 443

Christopher Schultz-2

Igal,

On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:

> On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
>>> From: James H. H. Lampert [mailto:[hidden email]]
>>> Subject: Re: This is weird: can't bind to 443
>>>> Binding on ports < 1024 on Linux require elevated
>>>> permissions, no?
>>> If so, somebody please elaborate.
>> That's a Linux restriction/feature - must be superuser to use the
>> low port numbers.
>
> I recommend fronting Tomcat with a web server like nginx or httpd,

This is an okay solution but it requires another component to be
installed/configured. Looks like James already has httpd installed, so
it's just a bit more configuration. It's one more thing to get wrong,
though, and it gives you a small performance hit.

> but see also two solutions from
> http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/
>
> 1) have Tomcat listen on a higher port and redirect traffic from
> port 80 to the higher port in iptables

This is an okay solution but it's ugly(ish) and highly undiscoverable.
I can't remember the last time I did a netstat and immediately thought
"hey, I wonder if any of those bound ports are being redirected by
iptables?"

> 2) set `AUTHBIND=yes` om /etc/defaults/tomcat7

That needs to be /etc/default/tomcat[version]

I did a little digging into how this works because I was curious.
Obviously, it uses authbind. But that script automatically adds the
following file to /etc/authbind/byuid/[tomcat-uid]:

0.0.0.0/0:1,1023
::/0,1-1023

This allows the tomcat user to bind to ports between 1 and 1023 on
IPv4 and IPv6 addresses.

I would personally lock this down even further and enumerate the ports
you expect to use, but it's possible that the service runner (systemd
in this case) may clobber the permissions at some future point.

-chris

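To make concrete what Igal's `AUTHBIND=yes` suggestion and Chris's digging into the generated byuid file mean in practice, here is an added Python illustration written for this thread; it is not authbind's, Debian's or Tomcat's own code. It models the per-UID permission file using the two line shapes Chris quotes (IPv4 `addr/len:minport,maxport`, IPv6 `addr/len,minport-maxport`), then compares the broad file the Debian script writes with an enumerated file that allows only the 443 connector from the thread. The function names (`parse_rule`, `load_rules`, `bind_allowed`, `exposed_ports`) and the two file contents are constructed here.

```python
import ipaddress


def parse_rule(line):
    """One line of an authbind byuid file, in the two shapes quoted in the
    post: IPv4 'addr/len:minport,maxport' and IPv6 'addr/len,minport-maxport'.
    Returns (network, minport, maxport), or None for blank/comment lines.
    Simplified model for this thread, not authbind's own parser."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.count(":") >= 2:                 # IPv6 text always has 2+ colons
        net_text, ports = line.rsplit(",", 1)
        lo, hi = ports.split("-")
    else:                                    # IPv4
        net_text, ports = line.split(":", 1)
        lo, hi = ports.split(",")
    return ipaddress.ip_network(net_text, strict=False), int(lo), int(hi)


def load_rules(text):
    """Parse a whole byuid file into a list of (network, minport, maxport)."""
    return [rule for rule in map(parse_rule, text.splitlines()) if rule]


def bind_allowed(rules, addr, port):
    """True if some rule covers both the address and the port: the decision
    a setuid helper makes before binding on the unprivileged user's behalf.
    Address-family mismatches (IPv4 address vs IPv6 rule) never match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net and lo <= port <= hi for net, lo, hi in rules)


def exposed_ports(rules, addr="0.0.0.0"):
    """Every privileged port (1-1023) the file lets the user claim on `addr`."""
    return [p for p in range(1, 1024) if bind_allowed(rules, addr, p)]


# Constructed: the file the Debian tomcat7 script writes, as quoted by Chris.
DEBIAN_DEFAULT = "0.0.0.0/0:1,1023\n::/0,1-1023\n"

# Constructed: the enumerated variant Chris recommends, here covering only
# the 443 connector from the thread (add one pair of lines per extra port).
LOCKED_DOWN = "0.0.0.0/0:443,443\n::/0,443-443\n"


if __name__ == "__main__":
    for name, text in (("debian default", DEBIAN_DEFAULT), ("locked down", LOCKED_DOWN)):
        rules = load_rules(text)
        print(f"{name}: {len(exposed_ports(rules))} IPv4 privileged ports bindable, "
              f"443 allowed={bind_allowed(rules, '0.0.0.0', 443)}, "
              f"22 allowed={bind_allowed(rules, '0.0.0.0', 22)}")
```

The point of the comparison is least privilege: with the generated file, a webapp running as the tomcat user could bind any port below 1024 that happens to be free, whereas the enumerated file limits it to the one port the connector actually needs. The model only covers byuid lines in the two shapes shown; real authbind also consults its byport and byaddr directories, so check the authbind(1) man page for the full rules before relying on a hand-written file.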
Re: This is weird: can't bind to 443

James H. H. Lampert
With a little futzing around, setting up 443 as an authbind-able port,
and (as Christopher noted) correcting the spelling in the pathname, the
AUTHBIND option worked perfectly.

Thanks for pointing me in the right direction. Now that I think about
it, I don't think any of the Linux installations I'd previously done of
Tomcat were on Port 443.

--
JHHL

Re: This is weird: can't bind to 443

Igal @ Lucee.org
In reply to this post by Christopher Schultz-2
Chris,

On 8/2/2017 3:10 PM, Christopher Schultz wrote:
> On 8/2/17 3:13 PM, Igal @ Lucee.org wrote:
>> On 8/2/2017 11:48 AM, Caldarale, Charles R wrote:
>> I recommend fronting Tomcat with a web server like nginx or httpd,
> This is an okay solution but it requires another component to be
> installed/configured. Looks like James already has httpd installed, so
> it's just a bit more configuration. It's one more thing to get wrong,
> though, and it gives you a small performance hit.
I missed the part about having httpd already installed, you're right,
but that would only make it easier to set it up as a reverse proxy.

I agree about the "one more thing to go wrong", but fronting Tomcat with
a Web Server gives a performance hit?  I mean, sure, now requests for
Tomcat have another step to go through, but all of the static resources
(assuming there are static resources) will supposedly be handled more
efficiently by a web server, no?  The added layer usually provides more
security as well, provided that the web server doesn't add new
vulnerabilities, of course.

I personally use nginx for SSL termination, which I find easier than
Tomcat, though it's been many years since I last tried to set up Tomcat
with https.

>> but see also two solutions from
>> http://georgik.rocks/tomcat-7-listen-on-port-80-linux-debian/
>>
>> 1) have Tomcat listen on a higher port and redirect traffic from
>> port 80 to the higher port in iptables
> This is an okay solution but it's ugly(ish) and highly undiscoverable.
> I can't remember the last time I did a netstat and immediately thought
> "hey, I wonder if any of those bound ports are being redirected by
> iptables?"
Agreed, but I saw it in a couple of places when I googled "linux run
tomcat on port 80" after James asked for elaboration.  I'm much more
familiar with Windows than Linux (though am making the migration and
actually setting up my first CentOS production server), hence my
original reply on this thread was short and with no details.

>> 2) set `AUTHBIND=yes` om /etc/defaults/tomcat7
> That needs to be /etc/default/tomcat[version]
I actually thought of editing that before posting, but since the OP
mentioned tomcat 7 I decided not to do so.

> I did a little digging into how this works because I was curious.
> Obviously, it uses authbind. But that script automatically adds the
> following file to /etc/authbind/byuid/[tomcat-uid]:
>
> 0.0.0.0/0:1,1023
> ::/0,1-1023
>
> This allows the tomcat user to bind to ports between 1 and 1023 on
> IPv4 and IPv6 addresses.
>
> I would personally lock this down even further and enumerate the ports
> you expect to use, but it's possible that the service runner (systemd
> in this case) may clobber the permissions at some future point.
I was also wondering how it works, but was too busy to look it up.
Thanks for sharing your findings.


Igal

RE: This is weird: can't bind to 443

Caldarale, Charles R
> From: Igal @ Lucee.org [mailto:[hidden email]]
> Subject: Re: This is weird: can't bind to 443

> I agree about the "one more thing to go wrong", but fronting Tomcat with
> a Web Server gives a performance hit?  I mean, sure, now requests for
> Tomcat have another step to go through, but all of the static resources
> (assuming there are static resources) will supposedly be handled more
> efficiently by a web server, no?

Um, no.  A lot of work has gone into improving Tomcat performance over the
past few years, to the point where it's largely on par with httpd.  Put both
in the mix (assuming you're not using httpd for other reasons), and what
you've mostly done is add latency.

> The added layer usually provides more security as well, provided that the
> web server doesn't add new vulnerabilities, of course.

Pretty much all components have (undiscovered) vulnerabilities, so having
more components actually increases the attack surface.

> I personally use nginx for SSL termination, which I find easier than
> Tomcat, though it's been many years since I last tried to setup Tomcat
> with https.

Now that Tomcat can use OpenSSL directly, it's easier than it used to be.
That said, if you do have a front end to Tomcat, might as well do the SSL
termination there to simplify things.

 - Chuck


Re: This is weird: can't bind to 443

Mark H. Wood
In reply to this post by Christopher Schultz-2
I'm always surprised that so little mention is made of the Commons
Daemon approach:

  http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

which, among other things, lets Tomcat get privileged ports the same
way that HTTPD (like most other daemons) does: start privileged,
acquire protected resources, drop privilege, run.

This *is* mentioned in RUNNING.txt, but somehow manages to be overlooked.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
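The sequence Mark describes (start privileged, acquire the protected resource, drop privilege, run) as an added Python illustration written for this thread; it is not jsvc/Commons Daemon code and not Tomcat's. It binds the listening socket first, then permanently switches to an unprivileged uid/gid before anything is served, and checks that the drop cannot be undone. `bind_listening_socket`, `drop_privileges`, `start_daemon`, `bind_errno`, `current_identity` and `demo_ephemeral` are names chosen here; the port 0 in the demo is a constructed ephemeral port so the flow also runs without root.

```python
import errno
import os
import socket


def bind_listening_socket(port, host=""):
    """Step 1: acquire the protected resource while still privileged.
    On Linux a port below 1024 needs root (or CAP_NET_BIND_SERVICE); binding
    443 directly as the tomcat7 user is what produced the
    'Permission denied (Bind failed)' in the original post."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock


def drop_privileges(uid, gid):
    """Step 2: permanently switch to an unprivileged identity.
    Order matters: supplementary groups and the gid must be dropped while we
    are still root, because after setuid() they can no longer be changed."""
    if (os.getuid(), os.getgid()) != (uid, gid):   # only if not already there
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    if (os.getuid(), os.getgid()) != (uid, gid):
        raise RuntimeError("privilege drop did not take effect")
    if uid != 0:
        # A real drop is irreversible: regaining uid 0 must fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("process could regain root after dropping it")
    return os.getuid(), os.getgid()


def current_identity():
    """The (uid, gid) the process is running as right now."""
    return os.getuid(), os.getgid()


def start_daemon(port, uid, gid):
    """Mark's sequence in one place. The already-bound socket stays usable
    after the drop, so the code that handles requests never runs as root
    even though the port is privileged."""
    sock = bind_listening_socket(port)    # acquire while privileged
    ident = drop_privileges(uid, gid)     # drop before handling any request
    return sock, ident                    # the accept() loop would follow


def bind_errno(port):
    """0 if the current user can bind `port`, else the errno; EACCES (13) is
    the unprivileged-user-on-privileged-port case from the thread."""
    try:
        bind_listening_socket(port).close()
        return 0
    except OSError as exc:
        return exc.errno


def demo_ephemeral():
    """Constructed demo: port 0 asks the kernel for a free high port so the
    flow can be exercised without root; a real deployment would pass 443 and
    the service account's uid/gid. Returns (bound port, identity after drop)."""
    sock, ident = start_daemon(0, *current_identity())
    port = sock.getsockname()[1]
    sock.close()
    return port, ident


if __name__ == "__main__":
    port, ident = demo_ephemeral()
    print(f"bound port {port}, now running as uid/gid {ident}")
    print(f"bind(443) as this user -> errno {bind_errno(443)} "
          f"(0 = allowed, {errno.EACCES} = EACCES, permission denied)")
```

Run as root with a real service uid/gid this is the whole privilege story of the httpd-style daemon: the kernel only checks privilege at bind() time, so the socket acquired before the drop keeps working afterwards. The "regain root" probe is the check worth keeping in production code, since a drop that only changes the effective uid (or forgets the supplementary groups) looks successful but leaves a path back.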

Re: This is weird: can't bind to 443

Christopher Schultz-2
In reply to this post by Caldarale, Charles R

Chuck,

On 8/2/17 11:54 PM, Caldarale, Charles R wrote:

>> From: Igal @ Lucee.org [mailto:[hidden email]] Subject: Re: This
>> is weird: can't bind to 443
>
>> I agree about the "one more thing to go wrong", but fronting
>> Tomcat with a Web Server gives a performance hit?  I mean, sure,
>> now requests for Tomcat have another step to go through, but all
>> of the static resources (assuming there are static resources)
>> will supposedly be handled more efficiently by a web server, no?
>
> Um, no.  A lot of work has gone into improving Tomcat performance
> over the past few years, to the point where it's largely on par
> with httpd.

+1

I looked, and unfortunately the slides jfclere and I did for ApacheCon
2014 are not posted anywhere. They contained lots of comparisons of
static-content load under various configurations and Tomcat keeps up
with httpd. When using TLS, use of OpenSSL is required because JSSE is
slow as a dog.

There are updated comparisons available from this past year where
jfclere compares OpenSSL performance through JSSE versus OpenSSL
through APR versus pure-Java JSSE. Unfortunately it does not include a
comparison against httpd, but httpd is essentially the same thing as
APR+OpenSSL in Tomcat.

http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf

Start on slide 15 for pretty graphs.

> Put both in the mix (assuming you're not using httpd for other
> reasons), and what you've mostly done is add latency.
+1

... especially if you need TLS behind the proxy as well as in front.

>> The added layer usually provides more security as well, provided
>> that the web server doesn't add new vulnerabilities, of course.
>
> Pretty much all components have (undiscovered) vulnerabilities, so
> having more components actually increases the attack surface.
>
>> I personally use nginx for SSL termination, which I find easier
>> than Tomcat, though it's been many years since I last tried to
>> setup Tomcat with https.
>
> Now that Tomcat can use OpenSSL directly, it's easier than it used
> to be. That said, if you do have a front end to Tomcat, might as
> well do the SSL termination there to simplify things.

-chris


Re: This is weird: can't bind to 443

Christopher Schultz-2
In reply to this post by Mark H. Wood

Mark,

On 8/3/17 9:56 AM, Mark H. Wood wrote:

> I'm always surprised that so little mention is made of the Commons
> Daemon approach:
>
> http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon
>
> which, among other things, lets Tomcat get privileged ports the
> same way that HTTPD (like most other daemons) does: start
> privileged, acquire protected resources, drop privilege, run.
>
> This *is* mentioned in RUNNING.txt, but somehow manages to be
> overlooked.

jsvc needs to be built on the target machine, etc., which adds another
layer of complexity (just like adding httpd would), which means that
you need a whole toolchain on the target box (or a similar box
elsewhere to build the library, then make sure you really have all the
dependencies).

For my money, I'd front Tomcat with something else, if only for
load-balancing and fail-over capabilities. If you have a reverse
proxy, the port number becomes irrelevant.

I only recently started really playing around with Tomcat and TLS,
mostly for my Let's Encrypt presentation at this year's ApacheCon.

Given that I think a LB is appropriate, I've never bothered with TLS
and port number games on Tomcat[1].

-chris

[1] ... although I *do* encrypt my AJP traffic between the web server
and Tomcat, using stunnel.

Re: This is weird: can't bind to 443

Igal @ Lucee.org
In reply to this post by Christopher Schultz-2
On 8/3/2017, Christopher Schultz wrote:
> For my money, I'd front Tomcat with something else, if only for
> load-balancing and fail-over capabilities. If you have a reverse
> proxy, the port number becomes irrelevant.
+1

> http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf
> Start on slide 15 for pretty graphs.
> I only recently started really playing-around with Tomcat and TLS,
> mostly for my Let's Encrypt presentation at this year's ApacheCon.
Too bad there are no video recordings of these presentations.  I'd love
to watch them and I'm sure that many users would as well. Unfortunately,
not everyone can attend the conventions due to one reason or another.

Re: This is weird: can't bind to 443

markt
On 03/08/17 17:59, Igal @ Lucee.org wrote:

> On 8/3/2017, Christopher Schultz wrote:
>> For my money, I'd front Tomcat with something else, if only for
>> load-balancing and fail-over capabilities. If you have a reverse
>> proxy, the port number becomes irrelevant.
> +1
>
>> http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf
>> Start on slide 15 for pretty graphs.
>> I only recently started really playing-around with Tomcat and TLS,
>> mostly for my Let's Encrypt presentation at this year's ApacheCon.
> Too bad there are no video recordings of these presentations.  I'd love
> to watch them and I'm sure that many users would as well. Unfortunately,
> not everyone can attend the conventions due to one reason or another.

It was on the wish list but a sponsor didn't come forward to fund it.

Mark

Re: This is weird: can't bind to 443

Igal @ Lucee.org
Hi Mark,

On 8/3/2017 11:05 AM, Mark Thomas wrote:
> On 03/08/17 17:59, Igal @ Lucee.org wrote:
>>
>> Too bad there are no video recordings of these presentations.  I'd love
>> to watch them and I'm sure that many users would as well. Unfortunately,
>> not everyone can attend the conventions due to one reason or another.
> It was on the wish list but a sponsor didn't come forward to fund it.
Was it priced?  What would have been the cost for doing that?

I wonder if we can do an online fundraiser for that for next year. I
will gladly contribute some money towards this initiative, and I'm sure
that there are others like me.

Maybe even some business in the industry would sponsor the whole thing
for a mention and/or link.

Alternatively, the MoSKito webinar that you just announced is very
exciting.  Perhaps more webinars can be set up.

Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

Re: This is weird: can't bind to 443

Christopher Schultz-2

Igal,

On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:

> Hi Mark,
>
> On 8/3/2017 11:05 AM, Mark Thomas wrote:
>> On 03/08/17 17:59, Igal @ Lucee.org wrote:
>>>
>>> Too bad there are no video recordings of these presentations.
>>> I'd love to watch them and I'm sure that many users would as
>>> well. Unfortunately, not everyone can attend the conventions
>>> due to one reason or another.
>> It was on the wish list but a sponsor didn't come forward to fund
>> it.
>
> Was it priced?  What would have been the cost for doing that?

The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
asked because I was curious at the time). TomcatCon had one day of
recordings care of our sponsor, Comcast. Other parts of the conference
had recordings as well.

> I wonder if we can do an online fundraiser for that for next year.
> I will gladly contribute some money towards this initiative, and
> I'm sure that there are others like me.

I'm sure the ASF would accept a donation of that type.

> Maybe even some business in the industry would sponsor the whole
> thing for a mention and/or link.

They do, but don't always want to pay for every single room for every
single day.

> Alternatively, the MoSKito webinar that you just announced is very
> exciting.  Perhaps more webinars can be set up.

We just need people to author them and perform. :)

Contributions welcome!

-chris

Re: This is weird: can't bind to 443

Igal @ Lucee.org
Hi Chris,

On 8/3/2017 11:39 AM, Christopher Schultz wrote:
> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
>> Was it priced? What would have been the cost for doing that?
> The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
> asked because I was curious at the time).
Thanks for the info.

> TomcatCon had one day of
> recordings care of our sponsor, Comcast. Other parts of the conference
> had recordings as well.
Are those recordings available?  I'm specifically interested in the
Tomcat ones.

>
> I'm sure the ASF would accept a donation of that type.
That's good to know.  Perhaps we can arrange something for next year.  I
looked right now on the site and found information about an event in
London.  I didn't see anything in the mailing list here, but I posted
about it to the Lucee group at
https://dev.lucee.org/t/tomcatcon-in-london-september-26th-2017/2647 in
case anyone is in the area and wants to attend.

>
> They do, but don't always want to pay for every single room for every
> single day.
That makes sense.  I wonder what kind of exposure they get though. Can
they put their name in the intro or outro of the videos?  A link to
their site?


>> Alternatively, the MoSKito webinar that you just announced is very
>> exciting.  Perhaps more webinars can be set up.
> We just need people to author them and perform. :)
>
> Contributions welcome!
Sure, but those people need to have certain skills and expertise in
Tomcat or very related technologies.

I, for example, can do one for rapid web application development with
Lucee, which allows a much faster development than JSP or JSF for
example.  I'm not sure if the Tomcat channel is the best for that
(though we do use Tomcat as the servlet container).

For Tomcat-expert advice I usually refer to you or to Mark ;)

Best,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>


Re: This is weird: can't bind to 443

markt
On 03/08/17 20:11, Igal @ Lucee.org wrote:

> Hi Chris,
>
> On 8/3/2017 11:39 AM, Christopher Schultz wrote:
>> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
>>> Was it priced? What would have been the cost for doing that?
>> The cost was $3000/room/day (as quoted to me by Shane Curcuru -- I
>> asked because I was curious at the time).
> Thanks for the info.
>
>> TomcatCon had one day of
>> recordings care of our sponsor, Comcast. Other parts of the conference
>> had recordings as well.
> Are those recordings available?  I'm specifically interested in the
> Tomcat ones.
>
>>
>> I'm sure the ASF would accept a donation of that type.
> That's good to know.  Perhaps we can arrange something for next year.  I
> looked right now on the site and found information about an event in
> London.  I didn't see anything in the mailing list here, but I posted
> about it to the Lucee group at
> https://dev.lucee.org/t/tomcatcon-in-london-september-26th-2017/2647 in
> case anyone is in the area and wants to attend.

That event is still in the planning stage. The plan is to go public once
we have enough of the details finalised (hopefully early next week).

Mark


>> They do, but don't always want to pay for every single room for every
>> single day.
> That makes sense.  I wonder what kind of exposure they get though. Can
> they put their name in the intro or outro of the videos?  A link to
> their site?
>
>
>>> Alternatively, the MoSKito webinar that you just announced is very
>>> exciting.  Perhaps more webinars can be set up.
>> We just need people to author them and perform. :)
>>
>> Contributions welcome!
> Sure, but those people need to have certain skills and expertise in
> Tomcat or very related technologies.
>
> I, for example, can do one for rapid web application development with
> Lucee, which allows a much faster development than JSP or JSF for
> example.  I'm not sure if the Tomcat channel is the best for that
> (though we do use Tomcat as the servlet container).
>
> For Tomcat-expert advice I usually refer to you or to Mark ;)
>
> Best,
>
> Igal Sapir
> Lucee Core Developer
> Lucee.org <http://lucee.org/>
>
>




Re: This is weird: can't bind to 443

Christopher Schultz-2

Igal,

On 8/3/17 3:11 PM, Igal @ Lucee.org wrote:

> Hi Chris,
>
> On 8/3/2017 11:39 AM, Christopher Schultz wrote:
>> On 8/3/17 2:22 PM, Igal @ Lucee.org wrote:
>>> Was it priced? What would have been the cost for doing that?
>> The cost was $3000/room/day (as quoted to me by Shane Curcuru --
>> I asked because I was curious at the time).
> Thanks for the info.
>
>> TomcatCon had one day of recordings care of our sponsor, Comcast.
>> Other parts of the conference had recordings as well.
>
> Are those recordings available?  I'm specifically interested in
> the Tomcat ones.

Yes, they are available on YouTube. For some reason, nobody has
bothered to link them to the ASF's YouTube channel... they are a
"playlist" for ApacheCon 2017 - Miami:
https://www.youtube.com/playlist?list=PLbzoR-pLrL6pLDCyPxByWQwYTL-JrF5Rp

All of the Tomcat-related ones are already linked from the "TomcatCon
2017" section of our Presentations page:
http://tomcat.apache.org/presentations.html

The ApacheCon YouTube playlist has a bunch of non-Tomcat-related
videos as well, of course.

>> They do, but don't always want to pay for every single room for
>> every single day.
>
> That makes sense.  I wonder what kind of exposure they get though.
> Can they put their name in the intro or outro of the videos?  A
> link to their site?

All sponsorships are handled at the ApacheCon level, and usually end
up being names+logos on all of the signs, etc. at the conference. Plus
obviously listed on all conference-related web pages, etc. (e.g.
http://events.linuxfoundation.org/events/apachecon-north-america and
scroll toward the bottom of the page).

>>> Alternatively, the MoSKito webinar that you just announced is
>>> very exciting.  Perhaps more webinars can be set up.
>> We just need people to author them and perform. :)
>>
>> Contributions welcome!
>
> Sure, but those people need to have certain skills and expertise
> in Tomcat or very related technologies.

Like Lucee, for instance? Leon's talk, which is quite Tomcat-related,
is about a third-party product.

> I, for example, can do one for rapid web application development
> with Lucee, which allows a much faster development than JSP or JSF
> for example.  I'm not sure if the Tomcat channel is the best for
> that (though we do use Tomcat as the servlet container).

You can always make a proposal. The worst case would be "we" decide
that it's too much of an advertisement for a company/product/service
and that you are welcome to promote your own webinar, but we won't do
it for you.

> For Tomcat-expert advice I usually refer to you or to Mark ;)

Don't confuse my verbosity with deep knowledge. I am one of the least
knowledgeable of the (active) Tomcat committers, at least in terms of
the underlying technology. But I know how to configure it, and I'm
fairly good at explaining things, and I type quickly. :)

-chris



Re: This is weird: can't bind to 443

Igal @ Lucee.org
Chris,

On 8/4/2017 2:39 PM, Christopher Schultz wrote:

> Yes, they are available on YouTube. For some reason, nobody has
> bothered to link them to the ASF's YouTube channel... they are a
> "playlist" for ApacheCon 2017 - Miami:
> https://www.youtube.com/playlist?list=PLbzoR-pLrL6pLDCyPxByWQwYTL-JrF5Rp
>
> All of the Tomcat-related ones are already linked from the "TomcatCon
> 2017" section of our Presentations page:
> http://tomcat.apache.org/presentations.html
>
> The ApacheCon YouTube playlist has a bunch of non-Tomcat-related
> videos as well, of course.
>
> <snip/>

Well noted on all points.

Thank you for the information and the links!

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>
