-
1. Re: Which ports are required to jboss 5.0.1 GA
jaime.chavarriaga Jul 22, 2011 1:53 PM (in response to grojas)
1 of 1 people found this helpful
For web applications and services, usually you only use the AJP port when you also install a web server (e.g. Apache). If you don't install a webserver, you must allow the access to the HTTP and HTTPS ports.
If you are securing your web applications, disabling other ports in the JBoss is not absolutely necessary. You can use your firewall (e.g. Iptables in Linux) to restrict the access to the other ports.
Typical configuration
Typical JBoss configuration uses a web server or load balancer (e.g. Apache Web Server) receiving the web requests. The JBoss can be installed behind your web server and you can restrict the external access to all the ports excepting standard HTTP (80) and HTTPS (443) ports.
Using this configuration,
- web browsers will connect to the webserver (e.g. apache) using HTTP or HTTPS port
- apache connects to JBoss to execute the application using the AJP port
In this case, you can restrict the access to all the JBoss ports.
- If you are using one machine, you can use your firewall and enable only the access to the webserver, and execute the JBoss to only get connections from localhost (127.0.0.1)
- If you are using several machines, you can configure the firewall of the load balancer and enable only access using HTTP or HTTPS, and configure the firewall of the JBoss servers to only permit the access from the load balancer using the AJP port (8009)
Specifying ports and addresses for JBoss
As I remember, by default, JBoss will run using only connections from localhost (127.0.0.1) and a set of ports. You can specify which IP addresses and ports JBoss must use.
In the command line, if you only want local connections, you can bind the server to localhost only.
run -b 127.0.0.1
If you want connections from all the machines, you can bind the server to all the available IP addresses
run -b 0.0.0.0
If you want to use another set of ports, you can use
run -Djboss.service.binding.set=ports-01
additional information in http://community.jboss.org/wiki/ConfigurePorts
Configuring the web server
You can use the mod_proxy module for Apache to redirect some URLs to web applications in your JBoss
For example, to expose an application called demo you can include in your httpd.conf
ProxyPass /demo ajp://localhost:8009/demo
Configuring the Linux firewall
You can configure your firewall to disable external connections to some ports. Usually, all the ports are protected and you must configure which ports are accessible by external clients and applications.
Also, if you don't wanna use a webserver, you can use the firewall to redirect connections to standard web ports (80) to the JBoss web ports. For example, using iptables you can redirect the web requests to the 8080 port
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -j REDIRECT --to-ports 8080
The firewall configuration depends on your Linux distro
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-IPTables.html
- http://www.xenocafe.com/tutorials/linux/redhat/iptables/iptables_linux_redhat-part1.php
- http://wiki.centos.org/HowTos/Network/IPTables
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-fw.html
Disabling ports In JBoss
If you want to disable some ports, you must take care about which must be enabled or disabled. (The use of a firewall is a better idea)
- web browsers/web services require HTTP (8080) or HTTPS (8443) ports
- web servers or load balancers require AJP (8009) port
- RMI clients require RMI ports
- EJB clients (possibly) require RMI, Naming and EJB ports
- EJB with complex transactions (e.g. two-phase-commit) require JBossTS
- etc.
For the HTTP, HTTPS and AJP ports, you can modify a configuration file
- <jboss_home>/server/all/deploy/jbossweb.sar/META-INF/jboss-service.xml
You can disable some additional ports manually modifying these files
- <jboss_home>/server/all/conf/jboss-service.xml
- <jboss_home>/server/all/deploy/cluster-service.xml
- <jboss_home>/server/all/deploy/jbossmq-service.xml
- <jboss_home>/server/all/deploy/hsqldb-service.xml
- <jboss_home>/server/all/deploy/jmx-rmi-adaptor.sar/META-INF/jboss-service.xml
additional information in http://community.jboss.org/wiki/ConfigurePorts
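The answer above restricts exposure by binding JBoss to 127.0.0.1 and by firewalling everything except the ports that must be reachable. The following check is an added example, not part of the original post: it reads `ss -ltn` output and lists every TCP listener bound to a non-loopback address whose port is not on an allow list. The function name `exposed_listeners`, the allow-list values and the sample output are constructed for illustration.

```shell
#!/bin/sh
# exposed_listeners "<allowed ports>"
# Reads `ss -ltn` output on stdin and prints ADDRESS:PORT for every listener
# that is NOT bound to loopback and whose port is NOT in the allow list.
exposed_listeners() {
    awk -v allowed=" $1 " '
        $1 != "LISTEN" { next }                 # skip header and other states
        {
            port = $4; sub(/.*:/, "", port)     # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr) # text before the last colon
            # Loopback binds (IPv4, IPv6, IPv4-mapped IPv6) are not reachable
            # from other hosts, so they are not reported.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            # Ports that are meant to be reachable (e.g. 8009 from the
            # load balancer, filtered further by the firewall).
            if (index(allowed, " " port " ")) next
            print addr ":" port
        }'
}

# Constructed sample of `ss -ltn` output for a JBoss host (not real data).
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       128     0.0.0.0:22                0.0.0.0:*
LISTEN  0       50      127.0.0.1:8080            0.0.0.0:*
LISTEN  0       50      [::ffff:127.0.0.1]:8080   *:*
LISTEN  0       50      0.0.0.0:8443              0.0.0.0:*
LISTEN  0       50      [::]:8009                 [::]:*'

# Single-machine layout: only SSH may listen on a routable address.
echo "Unexpected non-loopback listeners (allow: 22):"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners "22"

# Multi-machine layout: AJP must listen on the network for the load balancer.
echo "Unexpected non-loopback listeners (allow: 22 8009):"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners "22 8009"
```

On a live host, pipe the real output instead of the sample: `ss -ltn | exposed_listeners "22"`. A port on the allow list still needs the firewall rule that limits who can reach it.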
-
2. Re: Which ports are required to jboss 5.0.1 GA
grojas Jul 22, 2011 4:11 PM (in response to jaime.chavarriaga)
Hi Jaime:
I will try all the possibilities and options given, it is a very comprehensive answer for me. Especially the item "Disabling ports In JBoss", I'll be careful.
Thanks a lot.