On Linux, non-root users cannot bind to ports below 1024 (the privileged ports). For security reasons, running a web server or application server as root is not recommended.
Solution
1. Using iptables
iptables can be used to redirect connections from port 443 to 8443 and from port 80 to 8080. The following steps set up this redirection.
- Create a shell script that adds the iptables redirection rules on system startup and removes them on system shutdown.
- Create a service unit that runs the script at startup and shutdown.
Create a shell script in /usr/bin named redirect-webports with the following content:
#!/bin/sh
### BEGIN INIT INFO
# Provides: webport_8443_8080_redirect
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 443 to 8443 and 80 to 8080
### END INIT INFO

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
# Change the following line to your Linux server's IP
ADDR=172.31.33.204

# rc_reset, rc_status and rc_exit are provided by SUSE's /etc/rc.status
. /etc/rc.status
# First reset the status of this service
rc_reset

case "$1" in
start)
    echo -n "Starting IP port redirection"
    # Note: this removes every rule in the nat table, not only the ones added below
    $IPT_BIN -t nat --flush
    # Connections arriving on $INTF
    $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to-destination ${ADDR}:8080
    $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to-destination ${ADDR}:8443
    # Connections made from this host to its own address (these never pass PREROUTING)
    $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to-destination ${ADDR}:8443
    $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to-destination ${ADDR}:8080
    rc_status -v
    ;;
stop)
    echo -n "Flushing all IP port redirection rules"
    $IPT_BIN -t nat --flush
    rc_status -v
    ;;
restart)
    $0 stop
    $0 start
    rc_status
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
rc_exit
Make the redirect-webports script executable:
chmod +x redirect-webports
Create a new service unit file in /etc/systemd/system named redirect-webports.service:
[Unit]
Description=Webport-Redirection
After=local-fs.target network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/redirect-webports start
ExecStop=/usr/bin/redirect-webports stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Execute the following commands to enable the redirection service at startup and start it now:
chmod +x redirect-webports.service
systemctl enable redirect-webports.service
systemctl start redirect-webports.service
Verify that the rules are in place:
iptables -t nat -nvL
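The script above flushes the whole nat table on every start and stop, which also discards NAT rules owned by anything else on the host, and it depends on SUSE's /etc/rc.status helpers. As an added example (not the post's script), the same redirection rewritten so that start and stop only touch the rules they own and can be run repeatedly, with a check action that parses the iptables -t nat -nvL listing from the verification step. IPT_BIN, INTF, ADDR and the port pairs are placeholders, the sample listing is constructed, and the helper names are this example's own; it returns plain exit codes so it can be used directly as the unit file's ExecStart and ExecStop.

```sh
#!/bin/sh
# Added example, not the original post's script: an idempotent version of the
# redirect script, intended as ExecStart/ExecStop of the systemd unit.
# It never runs "iptables -t nat --flush" (which would also delete NAT rules
# owned by other software, e.g. a container runtime); instead each rule is
# tested with -C before it is added (-A) or deleted (-D), so "start" can run
# repeatedly and "stop" removes only the rules this script owns.
# INTF, ADDR and the port pairs are placeholders; set them for your host.
IPT_BIN="${IPT_BIN:-/usr/sbin/iptables}"
INTF="${INTF:-eth0}"
ADDR="${ADDR:-172.31.33.204}"               # the server's own address (placeholder)
PORT_MAP="${PORT_MAP:-80:8080 443:8443}"    # privileged:unprivileged pairs

# Rule specification (the part after the chain name) for one port pair.
# PREROUTING handles traffic arriving on $INTF; OUTPUT handles connections
# made from the host itself to its own address, as in the script above.
rule_spec() {
    case "$1" in
        PREROUTING) echo "-i $INTF -p tcp --dport $2 -j DNAT --to-destination ${ADDR}:$3" ;;
        OUTPUT)     echo "-p tcp -d $ADDR --dport $2 -j DNAT --to-destination ${ADDR}:$3" ;;
        *)          echo "rule_spec: unknown chain $1" >&2; return 1 ;;
    esac
}

# Add the rule for chain $1, port $2 -> $3 unless it is already present.
ensure_rule() {
    chain="$1"; spec="$(rule_spec "$1" "$2" "$3")" || return 1
    # $spec is deliberately unquoted: it must split into separate arguments.
    if $IPT_BIN -t nat -C "$chain" $spec 2>/dev/null; then
        echo "present: $chain $spec"
    else
        $IPT_BIN -t nat -A "$chain" $spec && echo "added: $chain $spec"
    fi
}

# Delete every copy of the rule for chain $1, port $2 -> $3, and nothing else.
remove_rule() {
    chain="$1"; spec="$(rule_spec "$1" "$2" "$3")" || return 1
    while $IPT_BIN -t nat -C "$chain" $spec 2>/dev/null; do
        $IPT_BIN -t nat -D "$chain" $spec || return 1
    done
}

# Apply ensure_rule or remove_rule to both chains for every pair in PORT_MAP.
for_each_pair() {
    for pair in $PORT_MAP; do
        "$1" PREROUTING "${pair%%:*}" "${pair##*:}" || return 1
        "$1" OUTPUT     "${pair%%:*}" "${pair##*:}" || return 1
    done
}

# Does an "iptables -t nat -nvL" listing on stdin contain a DNAT rule that
# sends TCP port $1 to ADDR:$2?  The space (or line end) after the target
# port keeps "dpt:80 to:...:8080" from matching a rule for port 8080.
has_dnat() {
    grep -Eq "DNAT .*tcp dpt:$1 to:${ADDR}:$2( |\$)"
}

# Read a listing on stdin and report every pair whose DNAT rule is missing.
check_listing() {
    listing="$(cat)"; missing=0
    for pair in $PORT_MAP; do
        printf '%s\n' "$listing" | has_dnat "${pair%%:*}" "${pair##*:}" \
            || { echo "missing: DNAT ${pair%%:*} -> ${pair##*:}" >&2; missing=1; }
    done
    return $missing
}

# Constructed sample of what "iptables -t nat -nvL" prints once both rules
# are in place (only the PREROUTING chain is shown), used for offline checks.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.31.33.204:8080
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.31.33.204:8443'

case "${1:-}" in
    start) for_each_pair ensure_rule ;;
    stop)  for_each_pair remove_rule ;;
    check) $IPT_BIN -t nat -nvL | check_listing && echo "all redirections present" ;;
    "")    ;;   # no action given: only define the functions (e.g. when sourced)
    *)     echo "Usage: $0 {start|stop|check}" >&2; exit 1 ;;
esac
```

With this variant, ExecStart=/usr/bin/redirect-webports start and ExecStop=/usr/bin/redirect-webports stop in the unit file above behave the same as before, except that rules added by other services survive, and redirect-webports check gives a non-zero exit status when either redirection is missing, which is easier to script than reading the listing by eye.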
2. Using Proxy Server
A reverse proxy such as Apache httpd or nginx, which binds to ports 80 and 443 as root, can forward all traffic to the application server listening on its unprivileged port.