Note: if you repost this, please credit the source. Author: akawks
I've been working on a project these past couple of days, and to keep Resin from running as root I dug through a lot of material online. It turns out that when the port Resin is configured for is below 1024, it has to run as root to start at all, and nothing I found matched what I needed. I wanted Resin on port 80 but running as a non-root user, which makes the system somewhat more secure. So I decided to work out how to run Resin on port 80 without root.
Just as I was at a loss, I noticed a contrib directory under the Resin install. I doubt many people pay attention to it; there is nothing online about it at all. Heh... Then I opened the file init.resin in that directory with vi and found:
------------------------------------------------------------------------------
#!/bin/sh
#
# Linux startup script for Resin
#
# chkconfig: 345 85 15
# description: Resin is a Java Web server.
# processname: wrapper.pl
#
# To install, configure this file as needed and copy init.resin
# to /etc/rc.d/init.d as resin. Then use "# /sbin/chkconfig resin reset"
#
JAVA_HOME=/usr/local/jdk150   # path to the JDK
RESIN_HOME=/usr/local/resin   # path to the Resin installation
PID=$RESIN_HOME/resin.pid
export JAVA_HOME RESIN_HOME
#
# If you want to start the entire Resin process as a different user,
# set this to the user name. If you need to bind to a protected port,
# e.g. port 80, you can't use USER, but will need to use bin/resin.
#
USER=resin   # the user Resin runs as; here I set it to resin
#
# You can change this to $RESIN_HOME/bin/resin if you need Resin to
# bind to port 80, but run as a different user.
#
EXE=$RESIN_HOME/bin/httpd.sh
#
# Sets the commandline arguments.
#
ARGS="-java_home $JAVA_HOME -resin_home $RESIN_HOME"

case "$1" in
  start)
    echo -n "Starting resin: "
    if test -n "$USER"; then
      su $USER -c "$EXE -pid $PID start $ARGS"
    else
      $EXE -pid $PID start $ARGS
    fi
    echo
    ;;
  stop)
    echo -n "Shutting down resin: "
    $EXE -pid $PID stop
    echo
    rm -f $PID
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
-----------------------------------------------------------------------------------
With the settings above in place, I next opened the file init.resin-iptables in the contrib directory:
-----------------------------------------------------------------------------------
#!/bin/sh
#
# Linux mapping of port 80 and 443 to 8080 and 8443
#
# chkconfig: 345 84 16
# description: Linux mapping of port 80 and 443 to 8080 and 8443
# processname: wrapper.pl
#
# To install, configure this file as needed and copy init.resin-iptables
# to /etc/rc.d/init.d as resin-iptables.
# Then use "/sbin/chkconfig resin-iptables reset"
#
#
# Sets the commandline arguments.
#
# Note: a rule may carry only one -i option; the copy shipped in contrib
# had "-i eth+ -i lo", which iptables rejects ("multiple -i flags not
# allowed"), and the stop branch deletes with "-i eth+" alone, so the
# rules below use just "-i eth+" in both branches so that stop matches
# what start added.
case "$1" in
  start)
    echo -n "mapping port 80 and 443 to 8080 and 8443: "
    /sbin/iptables -t nat -A PREROUTING -i eth+ -p tcp \
      --dport 80 -j REDIRECT --to-port 8080
    /sbin/iptables -t nat -A PREROUTING -i eth+ -p tcp \
      --dport 443 -j REDIRECT --to-port 8443
    echo
    ;;
  stop)
    echo -n "unmapping port 80 and 443 "
    /sbin/iptables -t nat -D PREROUTING -i eth+ -p tcp \
      --dport 80 -j REDIRECT --to-port 8080
    /sbin/iptables -t nat -D PREROUTING -i eth+ -p tcp \
      --dport 443 -j REDIRECT --to-port 8443
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
------------------------------------------------------------------------------------
This file contains the key command:
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
This is an iptables firewall rule: it uses NAT to map the port 8080 that Resin is configured on to port 80, so Resin itself never has to bind a privileged port.
At this point we also need to add the following two iptables rules:
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
That completes the firewall configuration.
But we're not done yet. Remember the init.resin file in the contrib directory mentioned above? What we need to do now is copy init.resin into /etc/init.d/ and rename it to resin:
cp resin/contrib/init.resin /etc/init.d/resin
Then add it to the services that start automatically with the system:
chkconfig --add resin
Check resin's status under chkconfig:
chkconfig --list | grep resin
It shows:
resin 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Run levels 3, 4 and 5 show on, which means resin will be started along with the system the next time the server boots.
That's the last step; we're basically done. One thing to note: when starting Resin manually, don't start it with resin/bin/httpd.sh; always use the command service resin start.
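As an added example (mine, not from this post or from Resin's contrib scripts), here is how I would apply the 80 to 8080 redirect so that it can be re-run safely and then verify it from iptables-save output; it assumes an iptables new enough to support -C, interfaces named eth*, and Resin listening on 8080 as an unprivileged user, and it also covers connections made from the box itself, which the PREROUTING rule alone does not catch.

```shell
#!/bin/sh
# Added example, not part of the original post or of Resin's contrib scripts.
# Assumes: iptables with -C support (1.4.11+), NICs named eth*, and Resin
# configured to listen on 8080 as an unprivileged user.

PUBLIC_PORT=80
RESIN_PORT=8080

# Rule spec for traffic arriving from the network. PREROUTING is the nat
# chain that sees inbound packets, so this is where REDIRECT belongs.
prerouting_rule() {            # $1 = public port, $2 = Resin port
  printf '%s' "PREROUTING -i eth+ -p tcp --dport $1 -j REDIRECT --to-port $2"
}

# Connections opened on the box itself (curl http://localhost/) get their
# NAT decision in the nat OUTPUT chain, so the PREROUTING rule never sees
# them; this rule makes local tests behave like external ones.
output_rule() {                # $1 = public port, $2 = Resin port
  printf '%s' "OUTPUT -o lo -p tcp --dport $1 -j REDIRECT --to-port $2"
}

# Append a nat rule only if an identical one is not already present, so a
# second "start" does not stack duplicates that "stop" removes one at a time.
ensure_nat_rule() {            # $1 = rule spec, deliberately unquoted below
  iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

# Check iptables-save output ($1) for a PREROUTING REDIRECT of port $2 to $3.
# iptables-save prints the option as "--to-ports" even when the rule was
# added with "--to-port".
has_redirect() {
  printf '%s\n' "$1" |
    grep -q -- "^-A PREROUTING .*--dport $2 -j REDIRECT --to-ports $3\$"
}

apply_redirects() {
  ensure_nat_rule "$(prerouting_rule "$PUBLIC_PORT" "$RESIN_PORT")"
  ensure_nat_rule "$(output_rule "$PUBLIC_PORT" "$RESIN_PORT")"
  if has_redirect "$(iptables-save -t nat)" "$PUBLIC_PORT" "$RESIN_PORT"; then
    echo "port $PUBLIC_PORT is redirected to $RESIN_PORT"
  else
    echo "redirect rule for port $PUBLIC_PORT is missing" >&2
    return 1
  fi
}

# Only touch the firewall when asked explicitly (requires root): "apply"
if [ "${1:-}" = apply ]; then apply_redirects; fi
```

Run it as root with the argument apply; without an argument it only defines the functions, so it can be sourced and checked without changing the firewall.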