Change port tomcat 8888 to 80

Hello everyone,

I am doing the first configuration on a linux server in aws, so far I have only worked with windows servers.

After some research I was able to install the lucee on the server succeeding in accessing the admin through port 8888.

But as I intend to have multiple sites on this server, the first step I found I will change port 8888 through port 80;

According to my research, to make this change I should change the file:
/opt/lucee/tomcat/conf/server.xml

Changed the port as shown below:

But when I perform the restart of the lucee, it does not go up, analyzing the logs contained in the file:

/opt/lucee/tomcat/logs/catalina.2018-07-23.log.
you may see a Permission error denied.

23-Jul-2018 15:47:00.959 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.31
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Apr 27 2018 20:24:25 UTC
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.31.0
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.14.51-60.38.amzn1.x86_64
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/lucee/jdk/jre/jre
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_172-b11
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /opt/lucee/tomcat
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /opt/lucee/tomcat
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/lucee/tomcat/conf/logging.properties
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256m
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512m
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/opt/lucee/tomcat/endorsed
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/lucee/tomcat
23-Jul-2018 15:47:00.968 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/opt/lucee/tomcat
23-Jul-2018 15:47:00.968 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/lucee/tomcat/temp
23-Jul-2018 15:47:00.969 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
23-Jul-2018 15:47:01.233 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
23-Jul-2018 15:47:01.255 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-80]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-80]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.net.SocketException: Permission denied
	at sun.nio.ch.Net.bind0(Native Method)
	at sun.nio.ch.Net.bind(Net.java:433)
	at sun.nio.ch.Net.bind(Net.java:425)
	at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
	at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
	... 13 more

23-Jul-2018 15:47:01.260 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
23-Jul-2018 15:47:01.265 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
23-Jul-2018 15:47:01.277 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1006 ms
23-Jul-2018 15:47:01.304 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
23-Jul-2018 15:47:01.304 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.31
23-Jul-2018 15:47:01.343 INFO [127.0.0.1-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/lucee/tomcat/webapps/ROOT]
23-Jul-2018 15:47:02.150 INFO [127.0.0.1-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
23-Jul-2018 15:47:04.903 INFO [127.0.0.1-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/lucee/tomcat/webapps/ROOT] has finished in [3,553] ms
23-Jul-2018 15:47:04.905 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
23-Jul-2018 15:47:04.931 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 3652 ms

But when I go back to port 8888 the lucee service starts without a problem.

Can you give me a clue about what might be happening?

I thank you for your help
Bidu

On Linux, only root can bind to ports below 1024. That would appear to be the source of your permission denied error. Are you starting your Lucee service as root?

You are using the “lucee” user created at the time of installing Lucee.

I’m not sure if the “top -u user” command is best suited to view the processes but running as the user lucee I have the output:


Starting from this premise you mentioned what would be the alternative?

thankful

Sorry, I’m unclear. Are you using root to start the Lucee service? It’s been a while since I’ve looked at the init.d scripts, but they used to start the service as root, bind to the ports, then downgrade the user of the process.

From a security perspective you don’t really want to run tomcat as root - what most do is put something in front of tomcat such as apache, nginx or some sort of load balancer. Apache and nginx have the ability to bind the port as root, but then run worker processes as a low privilege user - I don’t think tomcat has that ability.

The lucee installer can connect apache and tomcat together for you, I’d start there.

1 Like

you are clear, is that my inexperience with linux I’m not sure if you get the correct command to verify which user is starting the service

Of course I do not want to start the server leaving it unsafe :slight_smile: thanks for the tip.

At the time of installing Lucee I was asked this question:


This means that at the end of the installation I am with the services
Lucee
Tom Cat
Apache
installed?

I believed that the reference in the Apache installation was the full name of tomcat (Apache Tomcat) is a third service?

Thanks for the help

Wait, you have Apache web server installed already? it’s entirely likely that it’s already listening on port 80 which is why Lucee can’t bind to that port. Take a look at netstat -pan to find out if port 80 is taken already.

Good Morning,

See below the result of the “netstat -pan” command.


To try to help, see what I’ve done on the server so far:

1 - I created an instance in aws, with amazon linux
2 - I ran the lucee installation wizard from http://cdn.lucee.org/lucee-5.2.7.063-pl0-linux-x64-installer.run
3 - I released the doors to access the Lucee.

4 - this is where I am, trying to set up the sites on lucee on port 80.

In some articles I have seen the iptables command to do port 80 redirection to port 8888 can this be a good alternative?

-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8888

Another question I am putting together a tutorial with the difficulties I am encountering is there any more suitable area to post this tutorial at the end of the process?

Tks

You could use iptables, yes. You must run those commands as root, and do a distro-specific thing to make them persist across reboots. Sometimes /etc/sysconfig/iptables, other times it’s part of the init.d process.

I think you probably want REDIRECT, not DNAT though.

Or here

The other option is to use something like authbind - to permit tomcat to use port 80 in a surgical manner… but you’re probably better off with iptables if you’re not Linux savvy.

Or, put apache in front of it - which may have other benefits like serving static content, rewrite rules, auto-redirect to ssl, etc. (There are many rants online about whether or not to put a classic HTTP server in front of tomcat or not)

1 Like

Thank you Joe,

As my experience in linux is few, I go by the simplest way:

With the commands:

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
sudo /sbin/service iptables save

sudo /sbin/iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo /sbin/service iptables save

I was able to change the port, now I’m going back to the tests to configure more than one site / application in the same serividor.

Thank you for your help

I would recommend putting either NGINX or Apache (httpd) in front of Tomcat.

Here are the Lucee instructions for Apache http://docs.lucee.org/guides/installing-lucee/lucee-server-adminstration-linux/adding-new-site.html#connecting-apache-hosts-to-tomcatlucee I would go with an AJP connector if you go this route.

I have found it is much easier to do basic/advanced configurations with Apache and NGINX such as URL rewrites, setting headers, caching, SSL termination, etc.

Good morning Yamaha,

In my windows servers we are doing a job of taking IIS leaving only tomcat and lucee, to improve the performance of our applications.

In linux is there any particularity that needs to put another layer of services in front of tomcat?
What would be the advantage of having NGINX or Apache (httpd) in front tomcat?

tks

As mentioned in my previous response it makes it much easier in my opinion to set up things such as SSL certificates, setting custom headers, URL rewriting, and caching. There are probably more I am missing.

Depending on your application simply moving from Windows servers to Linux server won’t necessarily improve performance. Performance is affected by many things like the database, disk speed, memory and the way the code is written. I would personally start to look in those areas for performance improvements before taking the plunge and swapping everything over to a new operating system. Simply adding caching or serving static content from a CDN can greatly improve the performance of a website.

The change is not motivated by performance, but by cost.

I just mentioned that one of the improvements in windows was to remove IIS as an intermediary
:wink:

In general I’d say this is fueled by several things.

  1. Getting SSL right in Tomcat involves getting the APR library, TomcatNative library and tomcat itself talking to each other properly. You can have a working tomcat, but not have the native library for SSL, in which case, there is a performance hit. You can deal with this in other ways - by putting apache or nginx in front for instance, or if you’re using AWS, something like ELB. (Which doesn’t so much solve the SSL config problem as move it elsewhere, and leave an unencrypted channel between the ELB and instance, which should be on your “private” network, if such a thing exists in the cloud, but I digress)

  2. There’s a much greater familiarity in implementation, syntax, and documentation supporting the config and setup of apache - vs Tomcat. That’s hard to quantify. But I’d say it’s way easier to do rewrite rules, site redirects, IP based access rules, things like htaccess protection, and all the sorts of things you’d expect from a web “site” or “application”. Tomcat can do similar things, but in different (and sometimes counter-intuitive) ways - usually involving things like XML files, Valves, Regular expressions, etc… It’s not nearly as user friendly.

If you put a layer in front of Tomcat - let’s just set SSL and performance aside for now, (though it is easier to use SSL, with things like stapling and features Tomcat doesn’t even have). You gain things like

  1. Ability to serve static assets directly from NGINX/Apache2 without hitting tomcat at all.
  2. Ability to rewrite or manipulate the request before/after Tomcat. For instance, I tend to use cookie rewrites to scope my JSESSIONID cookie to path=/myapp on the server instead of / - this lets me split my site among several backends without conflicting on the cookies.
  3. Ability to block or otherwise filter certain things before they hit tomcat - i.e. the Server and/or Web admin urls.
    What’s easier to do in Adobe CF for instance - dig into the web.xml and remove the Flex2 connectors, RDS and flash Remoting features - or just set a rule in Apache/NGINX to block them? (Answer, block them)
  4. Ability to do things like inject Expire headers so the browser caches (certain) content, cache certain responses from Tomcat, etc.

You get a lot of useful things, which you may or may not need.

If you look at Pete Freitag’s awesome lockdown guide - pretty much everything he does in Apache2 is added functionality that never hits the tomcat server.

Blocking URIs, setting up digest authentication, IP blocking, RedirectMatches that return 404 for things you don’t want people poking around in, etc.

Many of those servlets/urls don’t even exist in Lucee but the theory and such still apply.

Lucee’s guide indicates similar Apache config recommendations. So if you’re locking down your server - which you SHOULD do, as a responsible developer/impromptu sysadmin/responsible net-citizen… All the docs indicate putting Apache in front, and you’ll have better guidance/documentation.

-G

2 Likes

This is a great and detailed answer.:+1:

Wow, thanks for the reply :slight_smile:

I’m going to look for some tutorial on setting up a server from scratch with lucee and apache up front.

Thanks for the help of all I will look for some tutorials and redo the server now with lucee and apache;)

Tks