How to run Tomcat on port 80 in Linux


By default, Tomcat’s HTTP connector listens on port 8080. Changing it to port 80 on Linux is tricky, because by default binding to any port below 1024 requires a privileged user, and for security reasons it is not recommended to run Tomcat with elevated permissions. We can use authbind to achieve this.

At the end of the article, all the commands are summarized to facilitate one-step configuration.

Installing Tomcat

We’ll need the tomcat6 package to run Tomcat’s core components, as well as the tomcat6-admin-webapps package. We’ll compile the authbind application from its sources, so we’ll also need gcc.

[root@websrv~]# yum -y install tomcat6 tomcat6-admin-webapps gcc

 [root@websrv~]# chkconfig tomcat6 on

Listening on ports below 1024 in Linux as an unprivileged user

There are 3 methods to achieve this:

– By using authbind, which authorizes specific users to bind to specific ports under 1024

– By using Jsvc, a set of libraries and applications for making Java applications run on UNIX more easily. Jsvc allows the Tomcat application to perform some privileged operations as root (e.g. bind to a port <1024), and then switch identity to a non-privileged user.

– By configuring iptables to re-route the packets from port 80 to 8080

We will use the authbind approach. But first, let’s tell Tomcat to listen on port 80 instead of 8080.

Changing Tomcat’s default HTTP port

The default HTTP port is defined in /etc/tomcat6/server.xml. We need to change this default port to 80 in server.xml. To replace the occurrences of port="8080" with port="80", execute the following command:

[root@websrv~]# sed -i 's/port="8080"/port="80"/' /etc/tomcat6/server.xml

The same for port 8443, which will be replaced with port 443:

[root@websrv~]# sed -i 's/port="8443"/port="443"/' /etc/tomcat6/server.xml

We’ll start Tomcat with authbind. This can be achieved by changing Tomcat’s init script in /etc/init.d, replacing the line

TOMCAT_SCRIPT="/usr/sbin/tomcat6"

with

TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"

It can be done like this:

[root@websrv~]# sed -i 's|TOMCAT_SCRIPT="/usr/sbin/tomcat6"|TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"|' /etc/init.d/tomcat6

We have to tell Tomcat to use the IPv4 stack by default. This can be done by appending the line CATALINA_OPTS="-Djava.net.preferIPv4Stack=true" to /etc/tomcat6/tomcat6.conf:

[root@websrv~]# sed -i '$ a\CATALINA_OPTS="-Djava.net.preferIPv4Stack=true"' /etc/tomcat6/tomcat6.conf

Installing and configuring authbind

Authbind is installed the usual way, with the help of gcc and make.

[root@websrv~]# wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_1.2.0.tar.gz

[root@websrv~]# tar -zxvf authbind_1.2.0.tar.gz

[root@websrv~]# cd authbind-1.2.0/

[root@websrv~]# make

[root@websrv~]# make install

Authbind is configured through special files, one per port, whose ownership and permissions determine which users are given access to that port. Since Tomcat runs as the tomcat user, we’ll tell authbind to allow this account to bind to the HTTP port 80 and the HTTPS port 443:

[root@websrv~]# touch  /etc/authbind/byport/80

[root@websrv~]# chmod 500 /etc/authbind/byport/80

[root@websrv~]# chown tomcat /etc/authbind/byport/80

[root@websrv~]# touch  /etc/authbind/byport/443

[root@websrv~]# chmod 500 /etc/authbind/byport/443

[root@websrv~]# chown tomcat /etc/authbind/byport/443
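
An added example, not from the original article or the authbind project: authbind authorises a bind when the calling user has execute access to /etc/authbind/byport/<port>, so this audit flags files whose owner or mode would let an account other than the intended one bind the port. The function name audit_byport is hypothetical, and GNU stat (as shipped on CentOS/RHEL) is assumed.

```shell
#!/bin/sh
# Added example: audit authbind byport files (not part of authbind itself).
# authbind authorises a bind when the calling user has execute access to
# byport/<port>, so any group/other execute bit widens who may bind.

# audit_byport DIR OWNER   (hypothetical helper name)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_byport() (
    dir=$1 owner=$2 rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        port=${f##*/}
        mode=$(stat -c '%a' "$f")      # octal mode, e.g. 500 (GNU stat)
        fowner=$(stat -c '%U' "$f")    # owning user name

        if [ "$fowner" != "$owner" ]; then
            echo "port $port: owned by $fowner, expected $owner"
            rc=1
        fi
        # Last octal digit = other, second to last = group; odd means x is set.
        case $mode in
            *[1357]|*[1357]?)
                echo "port $port: mode $mode lets group/other bind"
                rc=1 ;;
        esac
        # Third digit from the end = owner; without x the owner cannot bind.
        case $mode in
            *[1357]??) ;;
            *)
                echo "port $port: mode $mode has no owner execute bit"
                rc=1 ;;
        esac
    done
    exit "$rc"
)

# Usage on the host configured above:
#   audit_byport /etc/authbind/byport tomcat
```

A clean result for the configuration above is no output and exit status 0; a file left at mode 555 or 755 is reported because every local user could then bind that port through authbind.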

For the changes to take effect, Tomcat has to be restarted:

[root@websrv~]# /etc/init.d/tomcat6 restart

To check for errors, consult the Tomcat log:

[root@websrv~]# less -S /var/log/tomcat6/catalina.out

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.