Friday, 23 September 2016

Two ways to run an HTTP server as a non-root user

When you install and configure your HTTP server on Linux and need to run it as a non-root user,
you can't bind the service to port 80 or 443, because a non-root user can't bind ports lower than 1024.

In this case, if iptables is active on your server, you can redirect the HTTP/HTTPS traffic to other ports; I chose ports 1080 and 1443.

You can configure a specific NAT rule to redirect it like this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 1443

If you also need the redirect to work for connections to localhost (PREROUTING does not see locally generated traffic), add the following rules:

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 1080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 1443


To check your configuration:

iptables -t nat --line-numbers -n -L

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source     destination
1    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:80 redir ports 1080
2    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:443 redir ports 1443
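Reading that listing by eye is error prone (a transposed digit such as 1043 instead of 1443 is easy to miss), so here is an added check script, not part of the original post, that parses the output of `iptables -t nat -n -L --line-numbers` and reports REDIRECT rules that are missing or point at the wrong port. The sample listing embedded in it is constructed for the example and deliberately contains one wrong port.

```python
import re
from typing import Dict

# Constructed sample in the format of `iptables -t nat -n -L --line-numbers`,
# with the 443 rule in PREROUTING deliberately pointing at the wrong port.
SAMPLE = """Chain PREROUTING (policy ACCEPT)
num  target     prot opt source     destination
1    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:80 redir ports 1080
2    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:443 redir ports 1043

Chain INPUT (policy ACCEPT)
num  target     prot opt source     destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source     destination
1    REDIRECT   tcp  --  0.0.0.0/0  127.0.0.1          tcp dpt:443 redir ports 1443
2    REDIRECT   tcp  --  0.0.0.0/0  127.0.0.1          tcp dpt:80 redir ports 1080
"""

# Privileged port -> unprivileged port the server actually listens on.
EXPECTED = {80: 1080, 443: 1443}

CHAIN_RE = re.compile(r"^Chain (\S+)")
RULE_RE = re.compile(r"^\s*\d+\s+REDIRECT\s+tcp\b.*?\bdpt:(\d+)\s+redir ports\s+(\d+)")


def parse_redirects(listing: str) -> Dict[str, Dict[int, int]]:
    """Return {chain: {dport: redirect_port}} for every tcp REDIRECT rule."""
    chains: Dict[str, Dict[int, int]] = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains.setdefault(current, {})
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            dport, redir = int(m.group(1)), int(m.group(2))
            # iptables evaluates rules top-down, so the first match for a port wins.
            chains[current].setdefault(dport, redir)
    return chains


def find_problems(listing: str, expected=EXPECTED, chains=("PREROUTING", "OUTPUT")):
    """List missing or mismatched redirects in the chains the post configures."""
    problems = []
    redirects = parse_redirects(listing)
    for chain in chains:
        rules = redirects.get(chain, {})
        for dport, want in expected.items():
            got = rules.get(dport)
            if got is None:
                problems.append(f"{chain}: no REDIRECT for dport {dport}")
            elif got != want:
                problems.append(f"{chain}: dport {dport} redirected to {got}, expected {want}")
    return problems
```

On a real host, pipe the live listing in and call `find_problems` on it; an empty result means both chains redirect 80 and 443 to the expected ports.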


Otherwise, if you don't have iptables, you can give your user a "sudoers" entry on the Linux machine so it can start the server (here IBM HTTP Server) with root privileges for that command only.

1. 'Touch' the log files:
   touch /opt/IBM/HTTPServer/logs/access_log
   touch /opt/IBM/HTTPServer/logs/error_log
2. Make the following changes in httpd.conf (ensure the user 'wasrun' and the group 'wasrunners' have been created already):
         User wasrun
         Group wasrunners

3. Change ownership of IHS files:
   chown -R wasadmin:wasadmin /opt/IBM/HTTPServer

4. Edit sudoers file (visudo), add the following line:

%wasrunners ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *

This means any user in the 'wasrunners' group (the '%' prefix denotes a group) can control (start/stop) the IHS instance as root
without needing to enter a password. If you only want to allow the user 'wasadmin' to perform this, remove the '%'
to denote a user instead of a group.


