2011/12/08

Colon Eighty Eighty

Imagine ... you are showing off this killer NetKernel app (when did we actually stop writing the word application in full ?) that shows ROC in all its intricate beauty to <enter whomever you want to impress here>.

Instead of eyes glazing over you get this question : why is there colon eighty eighty at the end of your URL ? Not quite the reaction you had hoped for.

And maybe you don't know the answer either. This post will answer the question as well as show a couple of ways to eliminate the need for colon eighty eighty.


Let's start at the beginning. Our server gets questions in the form of http, ftp, ssh, telnet, ... Each of these questions it expects at a port in the Well Known Port range (1 - 1023, managed by IANA). For example, http is expected at port 80 and if your server wants to handle http it will have a daemon/service listening at port 80 for incoming requests.

As an extra security measure on *nix systems only the superuser (root) can start a daemon that listens at a Well Known Port (also known as Privileged Port for that very reason). Yes, that is a security measure, the idea being that if the daemon is started by root, it must be the real deal.

There is however a flip side to that coin. If a malicious request succeeds in breaking through the daemon (code injection, ...) to the underlying system, it does so as root.

That is the reason that - for example - Oracle is running as user oracle and expecting SQL requests at port 1521. You may still destroy the database, but the system will - probably - survive.

While you can run NetKernel as a superuser, you are advised not to do so. For the built-in Jetty webserver, not running as a superuser is even the default (running as a superuser was added as an afterthought, but it is still not the default). So NetKernel's http handlers are not supposed to listen at port 80. They listen on port 1060 (Backend HTTPFulcrum) and on port 8080 (Frontend HTTPFulcrum) instead.
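A quick check for the advice above, as an added example that is not part of the original post: it parses the Linux /proc/net/tcp table and flags listeners above port 1023 whose socket is owned by root. The sample table, its uids and inode numbers are constructed; only ports 80, 1060 and 8080 come from the post.

```python
from pathlib import Path

PRIVILEGED_MAX = 1023   # top of the Well Known Port range described in the post
TCP_LISTEN = "0A"       # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0424 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 100 0 0 10 0
"""

def listeners(proc_net_tcp):
    """Return sorted (port, uid) pairs for sockets in LISTEN state."""
    found = set()
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue                                  # blank line or not listening
        port = int(fields[1].rsplit(":", 1)[1], 16)   # local_address is HEXIP:HEXPORT
        found.add((port, int(fields[7])))             # column 8 is the socket owner's uid
    return sorted(found)

def root_on_high_ports(proc_net_tcp):
    """Ports above the privileged range whose listening socket is owned by uid 0."""
    return [port for port, uid in listeners(proc_net_tcp)
            if uid == 0 and port > PRIVILEGED_MAX]

if __name__ == "__main__":
    # Use the live tables on Linux (tcp6 has the same columns); else the sample.
    live = [p for p in ("/proc/net/tcp", "/proc/net/tcp6") if Path(p).exists()]
    tables = [Path(p).read_text() for p in live] or [SAMPLE]
    for table in tables:
        for port in root_on_high_ports(table):
            print(f"port {port}: listener owned by root although the port is not privileged")
```

A root-owned listener on port 80 is expected when a front daemon does the forwarding; a root-owned 1060 or 8080 means whatever opened that socket was running as root.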

When unspecified in a URL, the Well Known Port for the protocol is knocked at. So we can specify http://www.google.com instead of http://www.google.com:80. To reach the Frontend HTTPFulcrum however, you have to specify colon eighty eighty.


So much for the why. And I can hear you say ... fine, fine, but I just failed to impress <enter whomever you wanted to impress here>. To hell with all the good reasons, I want to get rid of that extension. You can.

There are two main approaches :
  • Let the firewall route inbound requests for port 80 to another port.
  • Let the daemon that listens at the Well Known Port route requests to another port.
The first approach speaks for itself. The second approach sounds a bit weird, but think about it: how many cloud servers come with the webserver on port 80 already preconfigured? Leave it there and let it do the heavy lifting for you !

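Here's an iptables entry that can serve for the first approach. The nat PREROUTING chain only handles packets arriving from the network, so a request made on the server itself to port 80 is not redirected by it :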
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080

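Here's an Apache vhost entry that can serve for the second approach :
<VirtualHost *:80>
  # Requires mod_rewrite, mod_proxy and mod_proxy_http to be loaded.
  RewriteEngine On
  # [P] proxies the request to the Frontend HTTPFulcrum on port 8080.
  RewriteRule ^/(.*) http://localhost:8080/$1 [P]
</VirtualHost>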


As you can see, solutions exist. Next time you can focus on being impressive !