starting tomcat on port 80 on CentOS release 5.5 (Final)

Question

I want to start Tomcat 6.0.29 on port 80. My OS is CentOS release 5.5 (Final) I changed following line in $TOMCAT_HOME/conf/server.xml

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

to

<Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="8443"/>

Then I run command:

sudo /etc/init.d/tomcat6 start

In file $TOMCAT_HOME/logs/catalina.log I found such exceptions:

java.net.BindException: Permission denied <null>:80
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:549)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
    at org.apache.catalina.connector.Connector.start(Connector.java:1087)
    at org.apache.catalina.core.StandardService.start(StandardService.java:534)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.net.BindException: Permission denied
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:365)
    at java.net.ServerSocket.bind(ServerSocket.java:319)
    at java.net.ServerSocket.<init>(ServerSocket.java:185)
    at java.net.ServerSocket.<init>(ServerSocket.java:141)
    at org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:50)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
    ... 12 more
0:11:56 org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: `java.net.BindException: Permission denied <null>:80
    at org.apache.catalina.connector.Connector.start(Connector.java:1094)
    at org.apache.catalina.core.StandardService.start(StandardService.java:534)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
0:11:56 org.apache.catalina.startup.Catalina start`

Thanks in advance

Answer 1

The ports in the range 1-1023 are privileged. Only root is allowed to bind to them.

There is at least two ways to solve this:

• Run as root. You need to weight the extra security risks this infers, of course; both security holes in Tomcat itself (which I believe to be few) and those your web applications contains (which can for example lead to letting people read /etc/shadow as an example), against this being simple and straight-forward.

• Run as service with jsvc. See http://tomcat.apache.org/tomcat-5.5-doc/setup.html for details on jsvc. It is some extra hassle to setup, but root will only be involved in setting up the ports, Tomcat will then run as a user without special rights. I recommend this for any serious setup.

Regardless on what way you choose, the actual starting of Tomcat will need root privilegies.

///BR, JenEriC

Answer 2

Run Apache in front of Tomcat and connect all requests on Port 80 (Apache) to Tomcat on the AJP port (8009) using mod_rewrite.

yum install httpd
chkconfig httpd on
vi /etc/httpd/conf.d/proxy.conf

RewriteEngine On
RewriteRule ^/(.*)$ ajp://localhost:8009/$1 [P,QSA,L]

service httpd start

You're done.

Answer 3

Another option is to use authbind.

From Wikipedia:

The authbind software allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user.

See this article about how to configure authbind to work with Tomcat 6 listening on port 80:

Answer 4

You can change AUTHBIND property of "/etc/default/tomcat6" to "yes" as follows

AUTHBIND=yes

Restart your tomcat and that will enable you to use available privileged port (1-1023).

Answer 5

i use nginx 2 bind 80 to 8080 which is the port that tomcat bind to.

my nginx configure is like this:

{ server

listen 80;
   #which you can edit in /etc/hosts file.It can bind mydomain.com to 127.0.0.1
server_name mydomain.com; 
location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://127.0.0.1:8080;
}
access_log logs/xxx456.tk_access.log;

}

Answer 6

go to address: /tomcat7/server.xml, edit file: use attribute porxyPort="80"

<Connector port="8080" ... proxyPort="80"/>

which will cause servlets inside this web application to think that all proxied requests were directed to www.mycompany.com on port 80.