I recently took over the management of a website using a pure Tomcat 6 server (i.e. no combination Tomcat+Apache) with CPanel installed, which is only accessible on port 8088 (i.e. the main page URL is www.domain.com:8088). I would like the site to be accessible at www.domain.com, i.e. on port 80. As per this article, I ran:
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8088
sudo /sbin/service iptables save
and then rebooted. However, as before, www.domain.com redirects to www.domain.com/cgi-sys/defaultwebpage.cgi, CPanel's default webpage, which is located at /usr/local/cpanel/cgi-sys/defaultwebpage.cgi. I get a 404 error when accessing any other page at www.domain.com. It seems like CPanel is interfering with the use of port 80. www.domain.com:8088 still works, though.
Here are the contents of /usr/local/tomcat/apache-tomcat-6.0.26/conf/server.xml. Notice that I added proxyPort="80" following port="8088" so it will "act as if the incoming requests were directed to port 80", according to the article.
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8088" proxyPort="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/usr/local/tomcat/apache-tomcat-6.0.26/.keystore" keystorePass="[redacted]"
clientAuth="false" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Here are the relevant portions of my iptables file (obtained via less /etc/sysconfig/iptables | grep "80"). IP addresses have been replaced with # for privacy.
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
-A POSTROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A acctboth -s ###.###.###.98 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ###.###.###.98 -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s ###.###.###.99 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ###.###.###.99 -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s ###.###.###.100 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ###.###.###.100 -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s ###.###.###.101 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ###.###.###.101 -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s ###.###.###.102 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ###.###.###.102 -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s ##.###.###.2 -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d ##.###.###.2 -i ! lo -p tcp -m tcp --sport 80
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8088
Because the operating system is CentOS 5.10, which is not Debian-based, authbind is not available, so using it, as described in several answers here, is not an option.
How can I access the website on port 80 without being redirected to /cgi-sys/defaultwebpage.cgi?
Edit: Here is the result of iptables -L -nv | grep 80. All the ones with number signs go to my website:
37 1480 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
360 29735 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1600 92619 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
701 59109 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
55 18046 ACCEPT all -- * * 0.0.0.0/0 <IP number 2>
122 8401 tcp -- !lo * ###.###.###.98 0.0.0.0/0 tcp dpt:80
113 56481 tcp -- !lo * 0.0.0.0/0 ###.###.###.98 tcp spt:80
0 0 tcp -- !lo * ###.###.###.99 0.0.0.0/0 tcp dpt:80
2 88 tcp -- !lo * 0.0.0.0/0 ###.###.###.99 tcp spt:80
0 0 tcp -- !lo * ###.###.###.100 0.0.0.0/0 tcp dpt:80
2 88 tcp -- !lo * 0.0.0.0/0 ###.###.###.100 tcp spt:80
0 0 tcp -- !lo * ###.###.###.101 0.0.0.0/0 tcp dpt:80
1 44 tcp -- !lo * 0.0.0.0/0 ###.###.###.101 tcp spt:80
0 0 tcp -- !lo * ###.###.###.102 0.0.0.0/0 tcp dpt:80
0 0 tcp -- !lo * 0.0.0.0/0 ###.###.###.102 tcp spt:80
0 0 tcp -- !lo * <IP number 3> 0.0.0.0/0 tcp dpt:80
0 0 tcp -- !lo * 0.0.0.0/0 <IP number 3> tcp spt:80
Best Answer
This is not true because
netstat -anp | grep :80
returned:
You can shut it down if you want Tomcat to be your main Web Server. Then run your iptables prerouting rule:
And it should work.
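The two checks discussed in this thread (which process owns port 80, and whether the nat table redirects it to 8088), as an added example that is not part of the question or the answer. It matches the port exactly, because a plain `grep 80` also hits 8080, 8088 and byte counters such as 1480. The sample output is constructed: the PIDs and program names are hypothetical, and the `*mangle` placement of the TOS rule is an assumption.

```shell
#!/bin/bash
# Added example: exact-port checks on saved command output (sample data is constructed).

# Print "PID/program" for each TCP socket in LISTEN state on exactly port $1.
# Reads `netstat -anp` output on stdin.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7 }
    '
}

# Print the --to-ports value of a nat PREROUTING REDIRECT rule for exactly port $1.
# Reads `iptables-save` output on stdin; rules in other tables are ignored.
redirect_target() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; jump = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") jump = $(i + 1)
                if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
            }
            if (dport == port && jump == "REDIRECT") print to
        }
    '
}

# Constructed netstat sample; PIDs and program names are hypothetical.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:8088     0.0.0.0:*     LISTEN      2301/java
tcp        0      0 0.0.0.0:80       0.0.0.0:*     LISTEN      1874/httpd
tcp        0      0 0.0.0.0:8080     0.0.0.0:*     LISTEN      2301/java'

# Constructed iptables-save sample, modelled on the rules quoted in the question.
SAMPLE_IPTABLES='*mangle
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8088
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port 80)
target=$(printf '%s\n' "$SAMPLE_IPTABLES" | redirect_target 80)
echo "port 80 listener: ${owner:-none}; nat redirect to: ${target:-none}"
```

On a live host, pipe the real `netstat -anp` and `iptables-save` output into the two functions instead of the sample variables.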