One of my projects uses a self hosted executable that is accepting incoming connections on port 80. The package has an embedded Jetty so I didn't need to deal with any low level TCP stuff. That is the good part. The bad part is that it turned out that the hosting environment (Ubuntu linux) for security reasons by default does not allow a non-root user to use any TCP port below 1024 - so the first free for all port is 1024.
                                                                                                                         
One easy solution would be to set up Nginx and forward the traffic it receives on port 80 to my self hosted app on a different port. Quite easy to set up but why waste a network hop when I didn't really need any feature Nginx could offer?
                                                                                                                         
Installing authbind

Luckily I'm not the only one with this kind of issue out there. In fact, authbind was released in 1998. To install, I simply did an apt-get install authbind and that's about it. The configuration is a bit trickier as we need to create a file in /etc/authbind/byport directory by the user who wants to access the specific port. So, in my case I needed a file called 80 owned by the user who is allowed to access that port.

Convincing Java to play nice with authbind

After creating the file we can test it right away whether we have permission to open that port. Simply using netcat: authbind nc -l 80 should not throw an error. So far, so good. Unfortunately by default Java will try IPv6 so it won't be able to use this port (authbind is IPv4 only). The only easy solution is to force Java to use IPv4 stack instead of v6:
                                               
authbind --deep /usr/bin/java -Djava.net.preferIPv4Stack=true -jar mypack.jar       
                                                                                 
(The --deep option allows any child process to inherit the permission for the port)

Another solution - iptables

Some people dislike setting up iptables on production as it can cause really funky errors and if done remotely it's quite easy to lock out ourselves from the machine. However, iptables can forward traffic from any port to any other port simply using:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Again, it's a bit hard-wired solution, so probably setting up Nginx to forward the traffic is a bit more user friendly setup.

Comments

Post a Comment

Popular posts from this blog

MurMurHash3, an ultra fast hash algorithm for C# / .NET

Image
Finding good hash functions for larger data sets is always challenging. The well know hashes, such as MD5, SHA1, SHA256 are fairly slow with large data processing and their added extra functions (such as being cryptographic hashes) isn’t always required either. Performance and low collision rate on the other hand is very important, so many new hash functions were inverted in the past few years. One of the most notable ones is MurMurHash3, which is an improved version of its predecessor (v2). The new version can create both 32 bit and 128 bit hash values, making it suitable for a wide range of applications. 64 bit architecture The 32 bit hash isn’t too important for large amount of data matching, so I only worked with and tested the 128 bit version. The latter one is optimized for x86-64 architecture, giving amazing speeds for data processing. As a 128 bit value consists of two 64 integers, the processor is fairly good with working with such large hash values – they are not byte
. . .

Read more »

ESP32 - send a push notification from the Arduino ESP32 device to your phone

Image
Sending a push notification to your phone from an event from an ESP32 is simple. What you'll need (if you are using a Mac for development): Arduino IDE Arduino for ESP32 Serial port simulator for ESP32 to upload your code to the board Wifi network IFTTT account IFTTT app on your phone Wifi network that your ESP32 board can access Architecture Create an IFTTT applet This should read something like this: If Maker Event "notification", then Send a notification from the IFTTT app Change the notification template Go to the settings of your new IFTTT applet and change the template to include "Value1", like this: Get your Webhook endpoint in IFTTT On your applet, click the triangle looking thing (webhook), then Settings, or simply go to this URL  https://ifttt.com/maker_webhooks/settings   Visit the private URL in your browser, replace the trigger name with "notification", so it reads like ...trigger/notification/ with/... and in the Value1 field type in a
. . .

Read more »

Octoprint as a systemd service - running it with high priority

Image
Octoprint provides remote access to your 3D printer, and as it's written in Python, you can run it on practically any operating system. If you are using a standard Raspberry PI image (for instance, because you run it on an Orange PI ), rather than the customised Octoprint image, you can manually install it and create a systemd service to run it: Add this to /etc/systemd/system/octoprint.service  [Unit] Description=Octoprint After=network.target [Service] ExecStart=/home/pi/octoprint/bin/octoprint serve WorkingDirectory=/home/pi/octoprint StandardOutput=inherit StandardError=inherit Restart=always User=pi CPUSchedulingPolicy=rr CPUSchedulingPriority=80 [Install] WantedBy=multi-user.target Then run sudo systemctl daemon-reload sudo systemctl enable octoprint This will start Octoprint on every reboot with a high priority (so unlikely to stutter during printing).
. . .

Read more »