Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Running DSpace on Standard Ports (80 for http:// and 443 for https

...

://)

Since it is not trivial to get a Java servlet container, such asas Apache Tomcat, to  to listen on the "standard" TCP ports for a Web web server, this page explains alternative ways to accomplish it.

What does "port" mean? A server program, like a web server, has to "listen" (i.e. tell the operating system it is offering a service; accepts incoming requests) at a well-known port so that clients, like your Web web browser, can find it. The combination of host and port uniquely identifies a service:
For example, the URL http://dspace.mit.edu/  identifies a network service running on host dspace.mit.edu and port 80 (the default HTTP port).

It is desireable desirable to implement DSpace on the default ports so you don't have to clutter your URLs with port numbers and try to get users to remember them.

The problem arises on Unix-based servers because the default, well-known, Web web server ports are in the range that require root (superuser) privileges to listen toon. Since the DSpace server (a Java VM) should always be running as an unprivileged user, it cannot directly open these ports. It can only listen on higher-numbered ports. So, the solution is to run the JVM as an unprivileged user and find a way to accept Web HTTP requests on the standard ports and redirect them to the higher-numbered ports and redirect them to the higher-numbered ports.

Warning

When using Apache 2.4.2 (and lower) in front of a DSpace webapp deployed in Tomcat, mod_proxy_ajp and possibly mod_proxy_http breaks the connection to the back end (Tomcat) prematurely leading to response mixups. This is reported as bug CVE-2012-3502 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3502) of Apache and fixed in Apache 2.4.3 (see http://www.apache.org/dist/httpd/CHANGES_2.4). The 2.2.x branch hasn't shown this problem only the 2.4.x branch has.

See Also

Method 1 - redirecting with IP tables

This is known to work on Red Hat Enterprise Linux 3 and other similar versions of GNU/Linux. Use the iptables utility to redirect requests on the default ports to the higher-numbered ports where the DSpace servlet container is actually listening.

This allows you to use a pure Java servlet container such as Jetty or Apache Tomcat as the actual Web web server.

See your system's documentation for the iptables and iptables-save commands for more information.

...

Configure your Java Servlet container to listen to ports 8080 and 8443 for HTTP and HTTPS connections, respectively.

Method 1b - Write your own iptables config file

Here is an expanded example:
edit the /etc/sysconfig/iptables file (make a backup of this file first!)

...

Code Block
/usr/bin/openssl pkcs12 -export -out keystore.pkcs12 -in ./server.crt -inkey ./server.key

* Then change the ownership on

...

Code Block
keystoreFile="/usr/local/jakarta-tomcat-5.0.27/conf/ssl.new/keystore.pkcs12"
keystoreType="PKCS12"
keystorePass="changeit"

* Restart tomcat

Method 2a - Use Apache HTTPD (mod_proxy_ajp) + Tomcat (port 8009)

This assumes you have the following working:

...

By convention, web-servers listen on port 80 to deliver content such as static html files. So that web browsers can

Code Block
 ## use the more familiar url
 http://www.dspace-instance.org

 ## instead of....
 http://www.dspace-instance.org:8080/jspui
 http://www.dspace-instance.org:8080/xmlui

  • Set Tomcat to serve up DSpace by default

...

  1. You'll need to reload or restart the httpd service
  2. The "!" <bang> sets Apache web-server to NOT REDIRECT everything under /do_not_touch

Method 2b - use Apache HTTPD / Tomcat connector (mod_jk)

Run Apache HTTPD as a front-end for Tomcat, see
the mod_jk wiki page
This is tricky to set up, but secure.

Method 3 - use Apache to redirect requests to Tomcat on port 8080

For RedHat LINUX server:

In /etc/httpd/conf/httpd.conf:

...

Code Block
<body>
<jsp:forward page="HelloWorld.jsp"/>

3. Edit: ../ROOT/WEB-INF/web.xml, disable the following text as follows:

Code Block
<!-- JSPC servlet mappings start
<servlet>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<servlet-class>org.apache.jsp.index_jsp</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>org.apache.jsp.index_jsp</servlet-name>
<url-pattern>/index.jsp</url-pattern>
</servlet-mapping>
-->

4. Re-start tomcat

Method 4 - Use Tomcat's jsvc daemon

Note: Only works for Unix like platforms.
This documentation is based on Solaris 10 using the Solaris Service Management Facility.
See http://jakarta.apache.org/commons/daemon/jsvc.html
for more details

  1. Download and install Tomcat from jakarta.apache.org
  2. Compile jsvc
    • export JAVA_HOME=/usr/java
    • cd $CATALINA_HOME/bin
    • gunzip jsvc.tar.gz && tar -xvf jsvc.tar
    • ./configure
    • gmake
    • cp jsvc ..
    • cd ..
    • chown tomcat:tomcat jsvc
    • rm -rf jsvc-src
  3. Setup your Service Management Facility process
    1. create the following file: /lib/svc/method/dspace

      Code Block
      #!/bin/sh
      . /lib/svc/share/smf_include.sh
      JAVA_HOME=/usr/java
      JAVA_OPTS="-Xmx512M -Xms64M -Dfile.encoding=UTF-8"
      CATALINA_HOME=<where tomcat is installed>
      DAEMON_HOME=<where tomcat is installed>
      TOMCAT_USER=tomcat
      TMP_DIR=/var/tmp
      PID_FILE=/var/run/txspace.pid
      CATALINA_BASE=<where tomcat is installed>
      CLASSPATH=$JAVA_HOME/lib/tools.jar:$CATALINA_HOME/bin/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar
      start()
      {
      $DAEMON_HOME/bin/jsvc -user $TOMCAT_USER -home $JAVA_HOME -Dcatalina.home=$CATALINA_HOME \
      -Dcatalina.base=$CATALINA_BASE -Djava.io.tmpdir=$TMP_DIR -wait 10 -pidfile $PID_FILE \
      -outfile $CATALINA_BASE/logs/catalina.out -errfile '&1' -Xms256m -Xms1024m \
      -cp $CLASSPATH org.apache.catalina.startup.Bootstrap
      }
      stop()
      {
      $DAEMON_HOME/bin/jsvc -stop -pidfile $PID_FILE org.apache.catalina.startup.Bootstrap
      }
      case "$1" in
      'start')
      echo "Starting Tomcat"
      start
      ;;
      'stop')
      echo "Stopping Tomcat"
      stop
      ;;
      'refresh')
      echo "Restarting Tomcat"
      stop
      start
      ;;
      *)
      echo "Usage tomcat.sh start/stop/refresh"
      exit 1;;
      esac
      exit $SMF_EXIT_OK
      
      
    2. Create the profile: /var/svc/manifest/application/dspace.xml

      Code Block
      <?xml version="1.0"?>
      <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
      <service_bundle type='manifest' name='dspace'>
      <service name='application/dspace' type='service' version='1'>
      
      <create_default_instance enabled='true'/>
      <single_instance/>
      
      <dependency name='loopback' grouping='require_all'
      restart_on='error' type='service'>
      <service_fmri value='svc:/network/loopback:default'/>
      </dependency>
      <dependency name='physical' grouping='require_all'
      restart_on='error' type='service'>
      <service_fmri value='svc:/network/physical:default'/>
      </dependency>
      <exec_method type='method' name='start'
      exec='/lib/svc/method/txspace start'
      timeout_seconds='60' />
      <exec_method type='method' name='stop'
      exec='/lib/svc/method/txspace stop'
      timeout_seconds='5' />
      <exec_method type='method' name='refresh'
      exec='/lib/svc/method/txspace refresh'
      timeout_seconds='5' />
      <stability value='Unstable' />
      <template>
      <common_name>
      <loctext xml:lang='C'>DSpace</loctext>
      </common_name>
      <documentation>
      <manpage title='dspace' manpath='/opt/apps/man' section='8' />
      <doc_link name='tomcat.apache.org'
      uri='http://tomcat.apache.org' />
      </documentation>
      </template>
      </service>
      </service_bundle>
      </code>
      
      

      3. Now import the profile

      Code Block
      /usr/sbin/svccfg import /var/svc/manifest/application/dspace.xml
      

...

Code Block
/usr/sbin/svcadm enable dspace

 Method 5 - Tomcat on low ports natively with authbind 

See: