Last modified on 08/31/12 10:36:26

Running RaptorWeb on port 80

Setting up RaptorWeb to run on port 80 is fairly easy. If you're using Linux you have two choices: iptables port redirection, or proxying with Apache. Windows users can just do the proxying. Follow the relevant instructions below.

Option 1 - iptables port redirection

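Use iptables to redirect port 80 traffic to port 8112 in the nat table's PREROUTING chain. This means that RaptorWeb is still running on :8112, but the outside world can contact it on :80. The redirect rewrites the destination port before the filter table is consulted, so the filter rules must accept :8112 rather than :80, which also leaves :8112 directly reachable. To achieve this, you need to add a prerouting rule. See the iptables instructions for your particular distribution to see how to do this, but for CentOS/Redhat, you just need to edit /etc/sysconfig/iptables to look something like the following: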

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8112
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

#### Accept any traffic on localhost, any ICMP, and any established sessions
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### Allow SSH on :22
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

#### Allow HTTP for raptor mua on :8111 and web (redirected to :8112 by NAT prerouting above)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8112 -j ACCEPT

#### Reject everything else!
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

Option 2 - Proxying with Apache

Step 1. Install Apache

On the server on which RaptorWeb is installed, install Apache HTTPD.

  • On Windows, go to http://httpd.apache.org/ and download and install the MSI.
  • On Linux, install Apache HTTPD through your package manager. For example, on RHEL/CentOS do the following:
    yum install httpd mod_ssl
    

Step 2. Configure Apache to Proxy to RaptorWeb

Next, you need to tell Apache HTTPD to proxy requests for http://YOURSERVER/ to http://localhost:8112/ by inserting a ProxyPass / http://localhost:8112/ directive into your Apache configuration.

For example, on RHEL/CentOS create a new file called /etc/httpd/conf.d/raptorweb.conf with the following content:

ProxyPass / http://localhost:8112/

Step 4. Firewall config

If you have a firewall, open :80 to allow people to access your new server. Don't forget to close :8112 to stop direct unsecured access!

For example, on Linux with iptables you will want the following line in /etc/sysconfig/iptables:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Step 5. Restart and test

Restart the Apache daemon/service and try to access http://YOURSERVER/. If you see the RaptorWeb login page, then your job is done.
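
A way to check the Step 4 firewall result offline, as an added example that is not part of the original page: this Python sketch walks the filter table of an iptables-restore file and reports the verdict a new TCP connection arriving on eth0 gets for :80 and :8112. The function names and both sample rule files are constructed for illustration, and the matcher is simplified (it only understands -i, -p, --dport and --state, and ignores negation).

```python
def parse_filter(text):
    """Return (policies, chains) from the *filter table of an iptables-restore file."""
    policies, chains, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif in_filter and line.startswith("-A "):
            _, chain, *rest = line.split()
            chains.setdefault(chain, []).append(dict(zip(rest, rest[1:])))
    return policies, chains

def matches(opts, port, iface):
    """Simplified match for a NEW TCP packet; options not listed here are ignored."""
    return (opts.get("-i", iface) == iface and opts.get("-p", "tcp") == "tcp"
            and opts.get("--dport", str(port)) == str(port)
            and "NEW" in opts.get("--state", "NEW").split(","))

def verdict(policies, chains, port, chain="INPUT", iface="eth0"):
    """First terminating target the packet hits; falls back to the chain policy."""
    for opts in chains.get(chain, []):
        if not matches(opts, port, iface):
            continue
        target = opts.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:  # jump to a user-defined chain, resume here if it returns
            sub = verdict(policies, chains, port, target, iface)
            if sub:
                return sub
    policy = policies.get(chain)
    return policy if policy in ("ACCEPT", "DROP") else None

def exposure(text, ports=(80, 8112)):
    policies, chains = parse_filter(text)
    return {p: verdict(policies, chains, p) for p in ports}

# Constructed sample rule files (not from the page), based on its RHEL/CentOS layout.
HEAD = ("*filter\n:INPUT ACCEPT [0:0]\n:RH-Firewall-1-INPUT - [0:0]\n"
        "-A INPUT -j RH-Firewall-1-INPUT\n-A RH-Firewall-1-INPUT -i lo -j ACCEPT\n")
NEW = "-m state --state NEW -m tcp -p tcp --dport {} -j ACCEPT\n"
TAIL = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"
# BROKEN: :80 rule sits in INPUT after the jump (never reached) and :8112 is still open.
BROKEN = HEAD + "-A RH-Firewall-1-INPUT " + NEW.format(8112) + TAIL + "-A INPUT " + NEW.format(80) + "COMMIT\n"
# FIXED: :80 is accepted before the catch-all REJECT and the :8112 rule is gone.
FIXED = HEAD + "-A RH-Firewall-1-INPUT " + NEW.format(80) + TAIL + "COMMIT\n"
if __name__ == "__main__":
    print("broken:", exposure(BROKEN), "fixed:", exposure(FIXED))
```

To check a real host, pass the contents of /etc/sysconfig/iptables to exposure(); for the Apache proxy setup the expected result is ACCEPT for 80 and REJECT for 8112.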

Troubleshooting

SELinux blocking proxying

Problem

A common problem on Linux with SELinux enabled is that by default the httpd daemon is not allowed to connect to network services. This problem manifests itself with the following symptoms:

  • You see an Apache error page when trying to access http://YOURSERVER/
  • Your /var/log/httpd/error_log shows the following line:
    [Wed Aug 08 19:16:15 2012] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8112 (localhost) failed
    

Solution

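To fix, issue the following command (as root). It sets the SELinux boolean that allows httpd to make outbound network connections, and -P makes the change persist across reboots: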

setsebool -P httpd_can_network_connect 1