EDIT: I didn't make clear that this works fine on port 80 but not port 8080.
I have a simple server to test OAuth2 written in Golang. It defaults to port 80. I compile it, then run like this:
$ sudo setcap 'cap_net_bind_service=+ep' ./c3
$ nohup ./c3
Works like a charm.
My goal is to show how it works differently depending on configuration, and I'd like the vendor's support team to be able to log onto either version, simply depending on whether they append :8080 to the site's URL.
I have a -port option, so I open another terminal, log into EC2, and run this:
$ sudo setcap 'cap_net_bind_service=+ep' ./c3
$ nohup ./c3 -port=8080
This doesn't connect to mysite.com:8080 and I can't figure out why. The program just hangs.
My security group rules allow all outbound traffic. Inbound is restricted to 80, 8080, 22, and 443.
Related
I have created a Google compute instance with Container-optimized-OS image.
I have configured the firewall to allow http and https.
I am using the docker image with spring boot application which connects to cloudsql. When I use run command on compute engine instance ssh, i.e. (docker run --rm name), the spring boot app is started successfully.
When I try to access the webservices through compute engine instance external ip, it is not working.
I went through a different question, and found that I should try using the sudo wget http://localhost command on the instance cli first and if it is good then everything should be good. But I am getting a connection refused message on 127.0.0.1:80.
I also tried the command to open port from Container optimized OS, I.E.
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT , nothing is working.
The default port for Spring Boot is 8080 and not 80.
Run this command inside the instance container to see what ports are in LISTENING state:
sudo netstat -tulpn | grep LISTEN
You can redirect port 80 to port 8080 with this command:
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Note: This iptables command only redirects port 80 to 8080 on network interfaces. This has no effect for localhost or 127.0.0.1.
For Google Compute Engine instances you do not need to enable ports using iptables. This is done via Google VPC firewall rules. You can use both but make sure you understand exactly what you are configuring and the side effects.
Note: Your Spring Boot application needs to listen on 0.0.0.0 and not 127.0.0.1 nor localhost. The last two are internal only addresses. 0.0.0.0 means listen on all network interfaces.
Note: Do not use sudo in front of wget. This is not necessary.
First, confirm what port your springboot application uses - if it's 8080 or 80. This depends on what you have configured inside application.properties file. This port is referred to as ContainerPort in below steps.
Execute docker run <image-name>:<tag>. This will run the image and show container logs on the console. If there is something wrong with your spring-boot app, the logs will show that and the container will shutdown. Press Ctrl+C to stop the container and return to shell.
If there is no error in step 1 run docker run -d -p<HostPort>:<ContainerPort> <image-name>:<tag>. Here HostPort is any free port in your GCP host VM and ContainerPort is the port used by your spring boot application within the container. Option d starts your container in detached mode.
Run docker ps and make sure that the container started in step 2 is running. It may not run if there is an error - for example if the HostPort you specified is already in use.
If step 3 shows that the container is running, execute curl http://localhost:<HostPort>/<End-Point-Path>. Here End-Point-Path is a valid path to a working endpoint within the container. If the endpoint is correct you should see expected result from the spring-boot app in the console.
Navigate to Google Cloud Console -> VPC network -> Firewall rules and add a firewall rule to open HostPort on your GCP VM.
Access your endpoint via the VM's external IP with URL - http://<VM-External-IP>:<HostPort>/<End-Point-Path>
Unless there is an application issue with your spring-boot app these steps should get you going.
I was able to build the correct solution by your help (John Hanley and Cyac).
I am combining both solutions in order to help the next person facing this.
As told by John, by default Spring boot uses port 8080, not 80 and as specified by Cyac you need to specify the port as 80 explicitly in application.properties file using
server.port=80
Make sure you expose the port 80 in docker image
On GCP Contaier optimized OS make sure you have allowed traffic for HTTP and HTTPs
Run command:
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
Run docker using:
docker run -p 80:80 SPRING_IMAGE.
Where SPRING_IMAGE is the name of the docker image with spring boot build.
Test by using curl http://localhost/ENDPOINT_NAME , e.g. http://localhost/shops/all
The first time when I tried to run SonarQube with root user this fails. Searching in internet I find that the new Sonar should be execute by a non-root user. I created the user sonar with the folow command useradd -m -s /bin/bash sonar and I executed chmod -R 777 sonaqube-7.0. Then I loggin with sonar user: sudo su sonar. When I execute ./sonar.sh console all works fine. But when I change the port by default 9000 to port 80, this fails. Using the command netstat -plunt I check if the port 80 is in use, but the only ports that I use is 22 (sshd), 5432 (postgres) and 25 (exim4).I thinks that this happed because the user sonar has not permission to use the port 80. How cant I use the port 80 with SonarQube?
My current Operating system is debian 9
Your current inability use SonarQube via port 80 is actually due to a limitation provided by nearly all Linux distributions: privileged ports.
All ports below 1024 cannot be listened on by programs executed by non-root users — that is, only the user "root" may run programs that run on these ports. This is to provide assurance that when you connect to an application running on that port, the application is "the real thing" and not a fake put up by a hacker.
Because SonarQube does not allow you to execute it as root, proxying port 80 to a port that is above 1024 that SonarQube is executing on is the only way to get around this limitation.
Exists some ways to allow non-root user use the port 80 and 433, using iptables to redirect the port petitions, CAP_NET_BIND_SERVICE and authbind. The way more easy isauthbind.
Use authbind to grant one-time access, with finer user/group/port control:
The authbind (man page) tool exists precisely for this.
Install authbind using your favorite package manager.
Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:
sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 777 /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/443
Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):
authbind --deep /path/to/binary command line args
E.g.
authbind --deep java -jar SomeServer.jar
This option grants trust to the user/group and provides control over per-port access but, AFAIK, supports only IPv4.
These are the links that I used to document me:
allow non-root process to bind to port 80 and 443
Is there a way for non-root processes to bind to "privileged" ports on Linux?
how to run a server on port 80 as a normal user on linux
I´ve got a Server behind a firewall and the firewall only allows traffic through port 22. This server has both public and private addresses.
I´ve got also about 1K clients that I need to reverse shell to this server, and be able to choose one of them by id when I want that ssh reversed tunnel.
My goal is to make the clients connect to ssh server via port 22, and each one of this connections should be forwarded to localhost on port with the same id.
When I connect to the server with my laptop also via ssh, I would then ssh to localhost on the correct id and get the client shell.
Can someone provide me the good path to achieve this behaviour using bash, ssh and linux tools?
Note - I don´t want to use client.py and server.py cause most of my clients are android based and it could easily become a nightmare to install python on all of them.
The problem - it was solved using remote port forwarding:
ssh -R 21:localhost:8888 user#server
In this command the 8888 represents the terminal id. In order for this to work, had to add this line to my ssh conf:
GatewayPorts yes
We have to use port 80 for our server. But when I was trying to use it in Mac, it always said that the 80 is used, but I don't know which program uses it.
I searched it in Google, and someone said it's about apache, but I tried, which is not working. I found this: https://gist.github.com/kujohn/7209628 , but seems it's not working visiting our server by IP address.
I really don't know what's going on and how can I find out which program using port 80 and stop it.
Many thanks if anyone can help, I'm new using Mac. Thanks.
To find out what process is using port 80
go to Applications
open utilities.
open Activity Monitor.
click on the Memory tab,
look at the ports and the processes using them. Find port 80 and select it
go to the view on the menu bar and choose Quit process.
This will just kill the process, it will not stop a server instance that is already running from continuing to run.
(Correction: the Ports column shows the number of open ports (and files?), not the port number)
It is not clear if you are using a database management system or not and which one but one method that has worked for me using MAMP is as follows.
stop the server by using sudo apachectl stop command.
then change the port to port 80.
then restart your servers.
type the following in Terminal
sudo lsof -i -n -P | grep TCP
you will get a list - e.g. dropbox listens on 80
you can copy the output to a text editor, etc to search
On Mac ports below 1024 can only be bound by the root user.
Try launching your server as root user (with sudo), or try to use a port above 1024.
You can also try to add root permissions to your user in /etc/sudoers
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
your_user_here ALL = (ALL) ALL
I was having this issue, apache was disabled via launchctl, but was still tying up port 80 after launch, I could start up apache and it would work, but after unloading it, I couldn't start up anything on port 80. I was using the built in web server for Python as an easy test. It would work on port 81, but not on port 80.
sudo python -m SimpleHTTPServer 80 -- wouldn't work
sudo python -m SimpleHTTPServer 81 -- would work
Here are the symptoms:
$ launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
/System/Library/LaunchDaemons/org.apache.httpd.plist: Could not find specified service
$ sudo lsof -i ':80'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Python 3353 root 3u IPv4 0xe455777a82799f05 0t0 TCP *:http (LISTEN)
The fix for me (after way too much searching) was simple:
sudo pfctl -F all
This flushed the packet filter, releasing port 80 (and others I assume 8080, 443, whatever ports apache might be tying up)
After that, and relaunching the python server, it came right up.
Might be Skype that is using port 80. If you have Skype installed and running try to change to a different port in the settings.
Port numbers in the range from 0 to 1023 are classified as 'well-known' and port number 80 is reserved for HTTP. Typically you have servers listening on port 80 to handle HTTP requests.
Source:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I just started experiment with EC2 tonight, and got a server running locally. I know it works locally because when I curl http://localhost:8080/hello it outputs hello.
I want to access this from the outside world. I modified my permissions in my security group to allow 8080 access, and then typed in "curl http://ec2-123-45-67-891.compute-1.amazonaws.com:8080/hello" into my local terminal. I got the response "curl: (7) couldn't connect to host".
Do I need to do something differently? (Obviously yes, but what?)
Have you bound your server only to localhost? If so, you'll only be able to connect from localhost.
Check the netstat output for your process with something like:
sudo netstat -ltnp | grep your_server_process
Look for whether your server process is bound to 127.0.0.1:8080 or 0.0.0.0:8080. If the former, then you're only bound to localhost and you need to reconfigure it.
I met the same issue. Try use 0.0.0.0 instead of 127.0.0.1.
You allowed access on 8080, but in your localhost example, it's running on port 80.