I have a working Spring Boot + Tomcat 8 embedded application that binds to ports 8080 (http) and 8888 (https). Now I am looking for a way to configure the running application so that
a) it runs on privileged ports, i.e. ports below 1024, namely ports 80 and 443;
b) the application runs under a non-root user account;
c) the OS environment can be any Linux distribution, e.g. Debian/Ubuntu, or an OpenBSD distribution;
d) preferably the solution can be configured later via a web interface (i.e. some script).
So far, all I have found on the INTERNET is a manual for configuring a non-embedded Tomcat instance with "authbind". But I have an embedded Tomcat. The man page for "authbind" says:
"You must invoke the program using authbind. authbind will set up some environment variables, including LD_PRELOAD, which will allow the program which is run (including any subprocesses it may run) to bind to low-numbered (<512) ports if the system is configured to allow this."
I issued "ps -aux" and got the username the application runs as. I have already configured the embedded Tomcat to run on ports 80 and 443, i.e. I issued the following commands in the CLI:
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
chown tito /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
chown tito /etc/authbind/byport/443
Now, how do I invoke the embedded Tomcat under "authbind"? And if "authbind" is not the right way to solve this, how can this be solved with Spring Boot?
The error message I get is:
2014-05-09 09:46:48.403 INFO 7880 --- [ main] .t.TomcatEmbeddedServletContainerFactory : Server initialized with port: 80
2014-05-09 09:46:48.604 ERROR 7880 --- [ main] o.a.coyote.http11.Http11NioProtocol : Failed to initialize end point associated with ProtocolHandler ["http-nio-80"]
java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:414)
at sun.nio.ch.Net.bind(Net.java:406)
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:214)
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:351)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:683)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:456)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:826)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:340)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.initialize(TomcatEmbeddedServletContainer.java:79)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.<init>(TomcatEmbeddedServletContainer.java:69)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.getTomcatEmbeddedServletContainer(TomcatEmbeddedServletContainerFactory.java:270)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.getEmbeddedServletContainer(TomcatEmbeddedServletContainerFactory.java:145)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.createEmbeddedServletContainer(EmbeddedWebApplicationContext.java:159)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.onRefresh(EmbeddedWebApplicationContext.java:132)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:476)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:120)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:648)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:311)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:909)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:898)
at org.syncServer.core.Application.main(Application.java:123)
2014-05-09 09:46:48.606 ERROR 7880 --- [ main] o.apache.catalina.core.StandardService : Failed to initialize connector [Connector[HTTP/1.1-80]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-80]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:826)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:340)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.initialize(TomcatEmbeddedServletContainer.java:79)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.<init>(TomcatEmbeddedServletContainer.java:69)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.getTomcatEmbeddedServletContainer(TomcatEmbeddedServletContainerFactory.java:270)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.getEmbeddedServletContainer(TomcatEmbeddedServletContainerFactory.java:145)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.createEmbeddedServletContainer(EmbeddedWebApplicationContext.java:159)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.onRefresh(EmbeddedWebApplicationContext.java:132)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:476)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:120)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:648)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:311)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:909)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:898)
at org.syncServer.core.Application.main(Application.java:123)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:962)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 19 common frames omitted
Caused by: java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:414)
at sun.nio.ch.Net.bind(Net.java:406)
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:214)
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:351)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:683)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:456)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
... 20 common frames omitted
2014-05-09 09:46:48.840 INFO 7880 --- [ main] o.apache.catalina.core.StandardService : Starting service Tomcat
2014-05-09 09:46:48.841 INFO 7880 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/8.0.3
2014-05-09 09:46:48.913 INFO 7880 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2014-05-09 09:46:48.913 INFO 7880 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 1898 ms
SERVLET REGISTRATION
DISPATCHER INIT
Addendum 1: I found a way to do it from the command line, i.e. from Spring I do a Maven build with the goal set to "package", then I go to the target folder where my jar/war file is and run
exec authbind --deep java -jar application.jar
The application binds to ports 80 and 443, but somehow my MVC templates got messed up. I need to automate this process through Spring STS.
Answer 0: (score: 2)
Reading between the lines, you are trying to expose a Spring Boot application on ports 80/443, but you don't actually need it to listen on one of those ports itself. Instead you should use a reverse proxy such as HAProxy, which starts as root but then jails itself in a chroot so that it no longer has root privileges.
You can then configure the proxy to forward requests to whatever port the application is listening on.
Besides security, this has other advantages, such as being able to forward based on URL for multiple services. This is great for Spring Boot microservices because it lets you expose several services on ports 80/443 on the same server without giving any of those applications root privileges. It can also be used to provide hot switching between application instances, which can help you achieve zero-downtime deployments.
Popular alternatives to HAProxy are Apache HTTPD and Nginx.
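A minimal haproxy.cfg for the layout this answer describes, as an added example that is not part of the original answer: HAProxy is started as root so it can bind 80 and 443, then chroots and drops to an unprivileged account, and forwards to the Spring Boot application still listening on its unprivileged port 8080. The chroot directory, the haproxy user/group and the certificate path are assumptions.

```haproxy
global
    # Started as root to bind 80/443, then confined to a chroot and
    # switched to an unprivileged account (paths and names are assumptions)
    chroot /var/lib/haproxy
    user  haproxy
    group haproxy
    daemon

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Send plain-HTTP clients to the HTTPS front end
    http-request redirect scheme https unless { ssl_fc }

frontend https_in
    # PEM file containing certificate and private key (placeholder path)
    bind *:443 ssl crt /etc/haproxy/certs/example.pem
    # Tell the application the original request was HTTPS
    http-request set-header X-Forwarded-Proto https
    default_backend springboot

backend springboot
    # The Spring Boot app keeps its non-privileged port; no root needed there
    server app1 127.0.0.1:8080 check
```

Once this is in place the application can stay on 8080/8888 under its own user account, and only the proxy process ever touches the privileged ports.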
Answer 1: (score: 0)
All the stuff you want is implemented in Apache Daemon Tools.
It provides a chroot for Java applications. So you can start it as root and bind to the privileged ports, and then demote it to an unprivileged user.