I. Problem
Once a site is bound to a domain name, visitors reach it through the domain on port 80, so Tomcat has to listen on port 80. For safety Tomcat is normally not run as root, so what is needed is a Tomcat that listens on port 80 while running as an ordinary user. Started that way it fails with a permission error, because on Linux only root (more precisely, a process holding the CAP_NET_BIND_SERVICE capability) may bind the well-known ports below 1024.
II. Solution
(The following has not been verified.)
The list below is quoted in English; it mentions Confluence, which itself runs on Tomcat, so it applies to Tomcat unchanged:
There are a few different solutions to work around this:
- Install and configure Apache or nginx as a reverse proxy server, which can be started as root to open the port, and then downgrade its privileges back to a normal user.
- Set up a firewall on the server using iptables or an alternative, so that the lower port number is forwarded internally to a higher port number listened by Confluence.
- Use jsvc, which is able to open ports as root, and then downgrade privileges.
- Use authbind to grant privileges for a non-root user to open a privileged port.
1. Port forwarding with iptables
- Let Tomcat listen on 8080 (any non-privileged port will do), then run sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 to redirect requests for port 80 to port 8080. Note that PREROUTING only sees packets arriving from the network; connections the host makes to itself (for example curl http://localhost/) traverse the nat OUTPUT chain instead, so a matching rule is needed there if local tests are expected to work.
- iptables rules take effect immediately, but they are cleared when the machine reboots, so save them and have iptables reload them when the interface comes up:
(1) Save the firewall rules: sudo iptables-save > /etc/zsmiptables.rules (with sudo the redirection is performed by the unprivileged shell and fails on /etc, so run this from a root shell, or as sudo sh -c 'iptables-save > /etc/zsmiptables.rules')
(2) Edit /etc/network/interfaces and append a line: pre-up iptables-restore < /etc/zsmiptables.rules
References:
(The former says to put iptables-restore < /etc/zsmiptables.rules into a script under /etc/network/if-pre-up.d/, but that never worked; switching to the latter's approach of appending iptables-restore < /etc/zsmiptables.rules to the end of /etc/network/interfaces worked.)
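The whole iptables procedure above (redirect, save, reload at interface start) as one script. This is an added example, not code from the original post; it assumes Debian/Ubuntu with ifupdown, keeps the post's file name /etc/zsmiptables.rules, and adds the nat OUTPUT rule for loopback traffic that PREROUTING does not cover. The Tomcat port, file paths and the "apply" action word are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): redirect TCP/80 to the port an
# unprivileged Tomcat listens on, then persist the rules across reboots.
# Assumptions: Debian/Ubuntu with ifupdown (/etc/network/interfaces) and
# iptables-save/iptables-restore available. Run the "apply" action as root.

LISTEN_PORT="${LISTEN_PORT:-8080}"                         # Tomcat's connector port (assumption)
RULES_FILE="${RULES_FILE:-/etc/zsmiptables.rules}"         # file name used in the post
IFACES_FILE="${IFACES_FILE:-/etc/network/interfaces}"

# nat-table rules, one per line, as "<chain> <match and target>".
# PREROUTING handles packets arriving on a NIC; OUTPUT -o lo handles connections
# the host makes to itself (curl http://localhost/), which never hit PREROUTING.
# REDIRECT here is IPv4 only; an IPv6 listener needs the same rules via ip6tables.
nat_rules() {
    printf '%s\n' \
        "PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $LISTEN_PORT" \
        "OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports $LISTEN_PORT"
}

# Add each rule only if it is not already present (-C checks, -A appends),
# so re-running the script does not stack duplicate rules. Needs root.
apply_rules() {
    nat_rules | while read -r rule; do
        # shellcheck disable=SC2086   # word splitting of $rule is intended
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    done
}

# Dump the live rule set; done from inside the script so the redirection runs as
# root too (a plain "sudo iptables-save > /etc/file" fails on the redirection).
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Append the pre-up line once; it attaches to the last iface stanza in the file,
# which is what the post relies on.
persist_restore_line() {
    line="pre-up iptables-restore < $RULES_FILE"
    grep -qxF "$line" "$IFACES_FILE" 2>/dev/null || printf '%s\n' "$line" >> "$IFACES_FILE"
}

case "${1:-}" in
    apply) apply_rules && save_rules && persist_restore_line ;;   # sudo ./redirect80.sh apply
    show)  nat_rules ;;                                           # print the rules only
esac
```

After "apply", iptables -t nat -L -n --line-numbers should show both REDIRECT rules, and curl http://localhost/ as well as a request from another machine should both reach Tomcat on 8080. On systems that use iptables-persistent the same saved file can be dropped in /etc/iptables/rules.v4 instead of the pre-up line.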
2. Via jsvc
jsvc starts as root, lets the daemon bind its ports during initialisation (Tomcat binds its connectors in init), and only then switches to the unprivileged account given with -user, so Tomcat can hold port 80 without the JVM running as root. Tomcat ships bin/daemon.sh for exactly this, which also gives a service-style start/stop script that can be hooked into the boot sequence.
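A jsvc start/stop script for Tomcat with a check that the process holding port 80 really runs as the unprivileged user. This is an added example, not the post's or Tomcat's own code (Tomcat's bin/daemon.sh does the same in more detail); JAVA_HOME, CATALINA_HOME, the tomcat account, the pid file and the jsvc location are assumptions for a stock layout, and the check function relies on iproute2's ss:

```shell
#!/bin/sh
# Added example (not from the original post): run Tomcat through jsvc so the
# root-started controller binds port 80 and the JVM itself runs as $TOMCAT_USER.
# All paths and the account name are assumptions for a stock Tomcat install.

JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/default-java}"     # assumption
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"            # assumption
TOMCAT_USER="${TOMCAT_USER:-tomcat}"                      # unprivileged account, assumption
PID_FILE="${PID_FILE:-/var/run/tomcat.pid}"               # holds the jsvc controller pid
JSVC="${JSVC:-$CATALINA_HOME/bin/jsvc}"                   # built from bin/commons-daemon-native.tar.gz
CLASSPATH="$CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar"

# Lowest port an unprivileged process may bind: tunable on Linux >= 4.11,
# 1024 otherwise. The optional second argument overrides the threshold.
unprivileged_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}
needs_privilege() {
    [ "$1" -lt "${2:-$(unprivileged_port_start)}" ]
}

# Run as root. jsvc calls Tomcat's init (connectors bind here, still as root),
# then drops to $TOMCAT_USER before calling start.
start_tomcat() {
    "$JSVC" -user "$TOMCAT_USER" -home "$JAVA_HOME" -pidfile "$PID_FILE" \
        -outfile "$CATALINA_HOME/logs/catalina.out" -errfile '&1' \
        -cp "$CLASSPATH" \
        -Dcatalina.home="$CATALINA_HOME" -Dcatalina.base="$CATALINA_HOME" \
        -Djava.io.tmpdir="$CATALINA_HOME/temp" \
        org.apache.catalina.startup.Bootstrap
}

stop_tomcat() {
    "$JSVC" -stop -pidfile "$PID_FILE" -cp "$CLASSPATH" \
        -Dcatalina.home="$CATALINA_HOME" -Dcatalina.base="$CATALINA_HOME" \
        org.apache.catalina.startup.Bootstrap
}

# Extract the pid from `ss -ltnp` output on stdin for the listener on port $1.
# ss prints the owner as users:(("java",pid=1234,fd=45)).
listener_pid() {
    grep -E "[:*]$1[[:space:]]" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Who owns the socket on port $1? Expect "java" running as $TOMCAT_USER, not root.
# The pid file is no use here: it holds the root controller, not the JVM.
check_port_owner() {
    pid=$(ss -Hltnp "sport = :$1" | listener_pid "$1")
    [ -n "$pid" ] || { echo "nothing listening on :$1" >&2; return 1; }
    ps -o user= -p "$pid"
}

case "${1:-}" in
    start) start_tomcat ;;           # sudo ./tomcat-jsvc.sh start
    stop)  stop_tomcat ;;
    check) check_port_owner 80 ;;    # should print the tomcat account, not root
esac
```

Tomcat's server.xml connector must be set to port 80 for this to matter; needs_privilege tells you whether the kernel actually requires the dance on a given host, and "check" after "start" is the proof that the privilege drop happened.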