I am running a web application on Tomcat (port 8080) with Apache (port 80) in front (on Ubuntu) using mod-proxy_http as the connector. The app is available through port 80 but also through port 8080. This is actually quite useful (when deploying/testing).
Are there any particular disadvantages/vulnerabilities with keeping port 8080 open in this way?
My opinion is that you should close port 8080, or at least allow it for certain hosts/IPs. Fewer open ports, fewer problems. Opening port 8080 could let an attacker have more entry points (80 and 8080, using different technologies) and exploit different techniques. Also, the HTTPd server has much better security modules.
Have you considered using mod_ajp_proxy?
Hope this helps.
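One way to check for the exposure discussed in this thread, as an added example that is not part of the original posts: a shell function that reads `ss -Hltn` output and reports listeners bound to a non-loopback address on any port other than the intended public ones. The function names, the sample output and the public ports 80 and 443 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Flags TCP listeners reachable from off-host on ports that are
# not meant to be public (e.g. a Tomcat connector left on *:8080 behind Apache).

# Constructed sample of `ss -Hltn` output (not taken from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      100                *:8080             *:*
LISTEN 0      1          127.0.0.1:8005       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# usage on a live host: ss -Hltn | audit_listeners PUBLIC_PORT...
audit_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            # Loopback-only listeners cannot be reached from other hosts.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            # Ports that are supposed to face the network.
            if (index(allowed, " " port " ") > 0) next
            print "EXPOSED " addr " " port
        }'
}

# Run against the constructed sample; only the wildcard 8080 listener is reported.
sample_ss_output | audit_listeners 80 443
```

A finding for 8080 clears once the Tomcat connector is bound to loopback (the `address` attribute of `<Connector>`) or the port is firewalled.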
Related
So I'm trying to connect two clients in a Java application, but in a way that one client acts as a server and other client acts as a ... client. I managed to connect them locally which works perfectly, but I've been researching whether I can connect a client to a server that are not on the same network (via IPv4 or IPv6). I have read that I should do port forwarding on my router server-side. I know how to port forward, but shouldn't it be possible to do without port forwarding? If I understand correctly, only server-side should be port forwarded and the server can respond to the client without the need for the client to port forward their router? So if I'm correct, another solution would be a 'global' third party server (that is port forwarded) that would connect two clients by receiving and passing information from one client to another?
I'm just learning here, so I'm sorry if this has already been answered here but I haven't found answers to all of this in one place and I'm trying to come to a conclusion.
Yes, you can access a computer from outside the network and connect to a server.
You must download the ngrok tool on the device that contains the server and run the tool.
The client will contact the server without the need to forward the ports.
ngrok
The site explains the use of the tool and has a download link.
shouldn't it be possible to do without port forwarding
Yes, you can make a connection between two machines without port-forwarding.
Example: Web servers
Take for example, web servers. By default a web server sits there listening on port 80, with 80 being the port assigned by convention for HTTP.
The web client (browser or such) sends a request by trying to connect on port 80. If there are no obstacles in the way, then the connection proceeds.
Restricted port access
However, there may be an obstacle.
One common obstacle: Unix-oriented operating systems (BSD, macOS, Solaris, Linux, AIX, etc.) by convention restrict access to ports numbered under 1,024 for security reasons. The operating system blocks any incoming connections on port 80. With that security blockage in place, the web request never reaches the server.
Port-forwarding with a packet-filter tool
One way to get past this restriction is to have the web server listen on an unrestricted port, a port numbered above 1,024, up to the 64K limit, such as 8080. Then configure the packet filter tool on the server machine’s OS to do port-forwarding. The incoming request for port 80 is altered to go to port 8080 instead.
A connection is then established between the web server and the web client.
The client thinks it is talking to the server on port 80.
The server thinks the client asked for port 8080.
With the packet filter tool in the middle altering packets on-the-fly, both server and client are none the wiser about packets being altered.
You may want to configure your firewall to allow HTTP connections from outside the machine only on 80, including blocking any external requests for 8080. In this case, only packets altered from 80 to 8080 will reach your web server. Common practice is to close as many ports as possible on a server.
FYI: For encrypted HTTP (HTTPS), the conventional port is 443 rather than 80.
Not a programming issue
Notice that there is no programming issue here. As the programmer, your client software should attempt to connect on the port number as documented for the server in which you are interested. On the server-side machine, or server-side router, port-forwarding will be configured as needed. Your client programming does not care about, or even know about, any port-forwarding that may or may not be in place. Port-forwarding is a network-admin issue, and should be transparent to the programmer.
See sister sites for networking issues
As a network-admin issue, look to the sister sites such as Server Fault and Network Engineering rather than Stack Overflow.
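The forwarding setup from the answer above, as an added example that is not part of the original post: a shell function that emits a Linux `iptables-restore` ruleset redirecting the public port to the backend port and accepting backend traffic only when its original destination was the public port. A plain DROP on 8080 would also drop the redirected traffic, because the nat PREROUTING rewrite happens before the filter INPUT chain sees the packet. The function name is hypothetical, and iptables with the conntrack match is assumed.

```shell
#!/bin/sh
# Added example. Prints a ruleset fragment; nothing is applied to the host.
# Validate it with:  gen_redirect_rules 80 8080 | iptables-restore --test
# Load it with:      gen_redirect_rules 80 8080 | iptables-restore --noflush
# With --noflush the rules are appended, so an earlier ACCEPT for the backend
# port in an existing ruleset would still take precedence.

# usage: gen_redirect_rules PUBLIC_PORT BACKEND_PORT
gen_redirect_rules() {
    public=$1
    backend=$2
    for p in "$public" "$backend"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "invalid port: $p" >&2; return 1
        }
    done
    cat <<EOF
*nat
-A PREROUTING -p tcp --dport $public -j REDIRECT --to-ports $backend
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport $backend -m conntrack --ctorigdstport $public -j ACCEPT
-A INPUT -p tcp --dport $backend -j DROP
COMMIT
EOF
}

# Ports taken from the answer: clients use 80, the web server listens on 8080.
gen_redirect_rules 80 8080
```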
I'm trying to set up three services to run on the same port (port 80). Two of the services are hosted on IIS thus enabling bindings to use the same port. One of the three services is however hosted on a Tomcat server as it is a Java Servlet. How can I set this up so that all can be accessed through port 80?
I've tried using URL Rewrite in the IIS to forward the request to port 8080 where the Tomcat service is active but it doesn't work with other services being active on port 80.
Any other ideas?
EDIT
I have no support for URL Rewrite not working for this purpose other than my own attempts. If anyone has used it and knows it should work, please shout out as it would be an optimal solution with minimal complexity to the system!
I think my issue may be not knowing exactly what to look for (or the terminology), so hopefully this will serve to also help future people with similar questions.
I have a webapp running on Jetty, deployed using a .war in the webapps dir, let's say it is:
mydomain.com/foo
So the .war file is named "foo.war".
I also have some server which listens on another port, say port 9000. I would like to make this accessible through port 80, but Jetty is using that port. It is an HTTP server, but the port it listens on is 9000 (and I cannot change this).
Is it possible to have mydomain.com/baz relay data to and from localhost:9000 and then back to the client on port 80?
Of course, this needs to be done through port 80 as to the outside world port 80 is the only one available, and jetty is already listening on port 80.
I suppose this would look like:
Client -> mydomain.com:80/baz -> mydomain.com:9000 -> mydomain.com:80/baz -> Client
Almost like an "iframe", only of course an iFrame would require the client to request mydomain.com:9000 which isn't open to the outside world.
You might find it straightforward to set up an Apache httpd which uses http proxying to provide a single set of URLs on port 80 to "clients", but which actually makes http requests to back end servers on non-standard ports behind the scenes.
Nginx can probably do this too.
Start here - http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
I am trying to communicate between an applet and a servlet. I first tried Http connection. But I am not getting the desired result. Hence decided to switch to socket communication. Hence I wanted to know which port to use for the same. I remember reading somewhere that port 80 is ideal. Is it port 80 or port 8080? I need a port that is not blocked by firewall (default).
By default, an Applet can only connect to the same host as the applet was served from. You can't set up TCP connections to arbitrary hosts. (See e.g. here for info on how to sign an applet; signed applets do not have this restriction.)
Using port 80 likely will not work either, as your web server probably works on port 80. Port 80 is really the only port that you can usually count on not being blocked; if your servlet container is running on port 8080, port 80 might be free for you to use though.
IMO, try rather to communicate with HTTP so you can talk to a servlet - and work out whatever desired results you had trouble with.
Just wondering if I can deploy my Java EE application in any application server, e.g. GlassFish, and users are able to access it without typing the port number, e.g. http://abc.com
(my current application url will be http://abc.com:8080)
To my knowledge, I might need another web server, e.g. Apache, to redirect requests to the application server using the mod_proxy module in order for me to achieve that, right?
Kindly advise...
Setting up Apache to proxy requests from port 80 to your app/web server running on port 8080 is one way to eliminate the need for port numbers in your URLs. But it's certainly not the only way. You should be able to configure any J2EE application server or web server to run on port 80 instead of 8080 (a common default in J2EE app/web servers). The details of the configuration editing are app/web server specific. You may need root privileges on your system to bind to port 80.
You need to tell it to bind to port 80 instead of 8080; how to do that is usually well documented, since this is a common operation.
Note: Under Unix systems you need to be root to bind to port 80 - here an Apache frontend might be useful.