Archive for the 'Tech' Category

Redirect HTTP and HTTPS traffic to Tomcat’s ports

June 11, 2009

Apache Tomcat likes with default settings to listen to requests on 8080 and 8443 ports but it is more enjoyable to use the more common 80 and 443 ports for HTTP and HTTPS traffic. This way the user don’t have to put those pesky port numbers after the address. Of course you could just tell Tomcat to listen to those ports but it has some negative sides: hassle with the startup and running Tomcat as root.

Luckily it is easy to tell the system to redirect the traffic from some port to other. Just define some new xinetd services in /etc/xinetd.d/tomcat.

# vim /etc/xinetd.d/tomcat
# Redirects any requests on port 80 to port 8080 (where Tomcat is listening)
service tomcat-http
{
        disable                 = no
        flags                   = REUSE
        wait                    = no
        user                    = root
        socket_type         = stream
        protocol                = tcp
        port                    = 80
        redirect                = localhost 8080
        log_on_success  -= PID HOST DURATION EXIT

        #per_source = UNLIMITED
        #instances = UNLIMITED
}

# Redirects any requests on port 443 to port 8443 (where Tomcat is listening)
service tomcat-https
{
        disable                 = no
        flags                   = REUSE
        wait                    = no
        user                    = root
        socket_type         = stream
        protocol                = tcp
        port                    = 443
        redirect                = localhost 8443
        log_on_success  -= PID HOST DURATION EXIT

        #per_source = UNLIMITED
        #instances = UNLIMITED
}

(via Securing Linux for Java services: The port dilemma)

Xinetd puts a connection limit per source IP, by default and this causes the service to become unresponsive when there are dozens of queries a second. You see the following kind of line in your messages log file: “xinetd[2049]: FAIL: tomcat-https per_source_limit from=123.456.789.123”. To correct this, uncomment the per_source and instances lines in your xinet.d file and restart it.

Also add those xinetd services to /etc/services.

# vim /etc/services
http        80/tcp     www www-http tomcat-http # WorldWideWeb http
http        80/udp     www www-http tomcat-http # WorldWideWeb HTTP
http        443/tcp    tomcat-https # WorldWideWeb HTTPS
http        443/udp    tomcat-https # WorldWideWeb HTTPS

And now just restart the xinetd and admire how your traffic is redirected to Tomcat’s ports.

# service xinetd restart

Force everything to transmit through HTTPS
If you also want to redirect all HTTP traffic to HTTPS you can add the following section to you Tomcat web.xml:


     <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <<!-- auth-constraint goes here if you requre authentication -->
      user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  

If you are using this redirection of all traffic to HTTPS with JIRA and want to attachments working also with Internet Explorer then you must add the following to your jira.xml (f. ex. /opt/tomcat/conf/Catalina/localhost/jira.xml). This is a Internet Explorer bug, for more information see http://jira.atlassian.com/browse/JRA-8179.

<Context ...>
...
<!-- for IE bug, see http://jira.atlassian.com/browse/JRA-8179-->
<Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
disableProxyCaching="false" />

...
</Context ...>
Advertisements

Keeping up with the time in Xen

January 21, 2008

A simple tip for keeping up with the time in Xen when your domU isn’t syncing the clock frequently enough and your clock is whatever. Of course you can sync your clock with ntpdate but first you need to set the domain (domU) to run its wallclock independently from Xen.

Simply say in the command line of domU:

echo 1 > /proc/sys/xen/independent_wallclock

Or if you have noclobber on:

echo 1 >! /proc/sys/xen/independent_wallclock

To reenable tracking of Xen wallclock:

echo 0 > /proc/sys/xen/independent_wallclock

And to keep the setting between reboots, just add it to the /etc/sysctl.conf:

xen.independent_wallclock = 1

Although, it is better if the Xen dom0 syncs the clock frequently so all the domains (domU) don’t need to do it by themselves and thus wasting resources. Why do things multiple times when it could be done just once.

Samba performance problem after kernel update

December 25, 2007

Samba is a nice service to provide storage space through networks and it is relatively easy to set up. It’s not as fast as using NFS between Linux hosts but sometimes you don’t have that possibility. Sometimes there also might be quite confusing problems like I happened to notice.

My Samba service had worked fine for a long time but after a kernel update and a reboot, the performance was horrible. It was really slow to do anything. Fortunately I wasn’t the only one to come by with this problem and there was a topic Samba Performance Problem Due to Changing Linux Kernel in Samba Performance Tuning -guide which provided a solution to my problem. Just restarted the network interface and the performance was as good as before.

Earlier this month Samba Team Received Microsoft Protocol Docs so maybe in the near future we will get better and faster software.

The Protocol Freedom Information Foundation (PFIF), signed an agreement with Microsoft to receive the protocol documentation needed to fully interoperate with the Microsoft Windows workgroup server products and to make them available to Free Software projects such as Samba.

Microsoft was required to make this information available to competitors as part of the European Commission March 24th 2004 Decision in the antitrust lawsuit, after losing their appeal against that decision on September 17th 2007.
Samba Team