But when I perform the restart of the lucee, it does not go up, analyzing the logs contained in the file:
/opt/lucee/tomcat/logs/catalina.2018-07-23.log.
you may see a Permission error denied.
23-Jul-2018 15:47:00.959 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.31
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Apr 27 2018 20:24:25 UTC
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.31.0
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.14.51-60.38.amzn1.x86_64
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /opt/lucee/jdk/jre/jre
23-Jul-2018 15:47:00.965 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_172-b11
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /opt/lucee/tomcat
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /opt/lucee/tomcat
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/lucee/tomcat/conf/logging.properties
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256m
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512m
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/opt/lucee/tomcat/endorsed
23-Jul-2018 15:47:00.966 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/lucee/tomcat
23-Jul-2018 15:47:00.968 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/opt/lucee/tomcat
23-Jul-2018 15:47:00.968 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/lucee/tomcat/temp
23-Jul-2018 15:47:00.969 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
23-Jul-2018 15:47:01.233 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
23-Jul-2018 15:47:01.255 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-80]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-80]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
23-Jul-2018 15:47:01.260 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
23-Jul-2018 15:47:01.265 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
23-Jul-2018 15:47:01.277 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1006 ms
23-Jul-2018 15:47:01.304 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
23-Jul-2018 15:47:01.304 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.31
23-Jul-2018 15:47:01.343 INFO [127.0.0.1-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/lucee/tomcat/webapps/ROOT]
23-Jul-2018 15:47:02.150 INFO [127.0.0.1-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
23-Jul-2018 15:47:04.903 INFO [127.0.0.1-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/lucee/tomcat/webapps/ROOT] has finished in [3,553] ms
23-Jul-2018 15:47:04.905 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
23-Jul-2018 15:47:04.931 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 3652 ms
But when I go back to port 8888 the lucee service starts without a problem.
Can you give me a clue about what might be happening?
On Linux, only root can bind to ports below 1024. That would appear to be the source of your permission denied error. Are you starting your Lucee service as root?
Sorry, I’m unclear. Are you using root to start the Lucee service? It’s been a while since I’ve looked at the init.d scripts, but they used to start the service as root, bind to the ports, then downgrade the user of the process.
From a security perspective you don’t really want to run tomcat as root - what most do is put something in front of tomcat such as apache, nginx or some sort of load balancer. Apache and nginx have the ability to bind the port as root, but then run worker processes as a low privilege user - I don’t think tomcat has that ability.
The lucee installer can connect apache and tomcat together for you, I’d start there.
Wait, you have Apache web server installed already? it’s entirely likely that it’s already listening on port 80 which is why Lucee can’t bind to that port. Take a look at netstat -pan to find out if port 80 is taken already.
Another question I am putting together a tutorial with the difficulties I am encountering is there any more suitable area to post this tutorial at the end of the process?
You could use iptables, yes. You must run those commands as root, and do a distro-specific thing to make them persist across reboots. Sometimes /etc/sysconfig/iptables, other times it’s part of the init.d process.
I think you probably want REDIRECT, not DNAT though.
Or here
The other option is to use something like authbind - to permit tomcat to use port 80 in a surgical manner… but you’re probably better off with iptables if you’re not Linux savvy.
Or, put apache in front of it - which may have other benefits like serving static content, rewrite rules, auto-redirect to ssl, etc. (There are many rants online about whether or not to put a classic HTTP server in front of tomcat or not)
I have found it is much easier to do basic/advanced configurations with Apache and NGINX such as URL rewrites, setting headers, caching, SSL termination, etc.
In my windows servers we are doing a job of taking IIS leaving only tomcat and lucee, to improve the performance of our applications.
In linux is there any particularity that needs to put another layer of services in front of tomcat?
What would be the advantage of having NGINX or Apache (httpd) in front tomcat?
As mentioned in my previous response it makes it much easier in my opinion to set up things such as SSL certificates, setting custom headers, URL rewriting, and caching. There are probably more I am missing.
Depending on your application simply moving from Windows servers to Linux server won’t necessarily improve performance. Performance is affected by many things like the database, disk speed, memory and the way the code is written. I would personally start to look in those areas for performance improvements before taking the plunge and swapping everything over to a new operating system. Simply adding caching or serving static content from a CDN can greatly improve the performance of a website.
In general I’d say this is fueled by several things.
Getting SSL right in Tomcat involves getting the APR library, TomcatNative library and tomcat itself talking to each other properly. You can have a working tomcat, but not have the native library for SSL, in which case, there is a performance hit. You can deal with this in other ways - by putting apache or nginx in front for instance, or if you’re using AWS, something like ELB. (Which doesn’t so much solve the SSL config problem as move it elsewhere, and leave an unencrypted channel between the ELB and instance, which should be on your “private” network, if such a thing exists in the cloud, but I digress)
There’s a much greater familiarity in implementation, syntax, and documentation supporting the config and setup of apache - vs Tomcat. That’s hard to quantify. But I’d say it’s way easier to do rewrite rules, site redirects, IP based access rules, things like htaccess protection, and all the sorts of things you’d expect from a web “site” or “application”. Tomcat can do similar things, but in different (and sometimes counter-intuitive) ways - usually involving things like XML files, Valves, Regular expressions, etc… It’s not nearly as user friendly.
If you put a layer in front of Tomcat - let’s just set SSL and performance aside for now, (though it is easier to use SSL, with things like stapling and features Tomcat doesn’t even have). You gain things like
Ability to serve static assets directly from NGINX/Apache2 without hitting tomcat at all.
Ability to rewrite or manipulate the request before/after Tomcat. For instance, I tend to use cookie rewrites to scope my JSESSIONID cookie to path=/myapp on the server instead of / - this lets me split my site among several backends without conflicting on the cookies.
Ability to block or otherwise filter certain things before they hit tomcat - i.e. the Server and/or Web admin urls.
What’s easier to do in Adobe CF for instance - dig into the web.xml and remove the Flex2 connectors, RDS and flash Remoting features - or just set a rule in Apache/NGINX to block them? (Answer, block them)
Ability to do things like inject Expire headers so the browser caches (certain) content, cache certain responses from Tomcat, etc.
You get a lot of useful things, which you may or may not need.
Blocking URIs, setting up digest authentication, IP blocking, RedirectMatches that return 404 for things you don’t want people poking around in, etc.
Many of those servlets/urls don’t even exist in Lucee but the theory and such still apply.
Lucee’s guide indicates similar Apache config recommendations. So if you’re locking down your server - which you SHOULD do, as a responsible developer/impromptu sysadmin/responsible net-citizen… All the docs indicate putting Apache in front, and you’ll have better guidance/documentation.
thanks for the tip.
