Sunday, September 06, 2009

Bye-bye, Apache. I won't miss you.

You've got an Enterprise Application Server, a GlassFish. In some cases it outperforms Apache, in others it is just equal. Yet you are out of luck using it fully, just because you need to run it on port 80/443, and binding ports below 1024 normally requires root. You do not want to run GlassFish as the root user. On the other hand, running Apache or nginx (or whatever else) in front of it as a proxy is an ugly hack and an unnecessary component in front.

Interested in a cure for this? OpenSolaris is your answer. :-)

Here is what you need to do:
1. Wipe away your FreeBSD or Linux, because these are impotent to do so (also good riddance anyway, because for starters Solaris Zones, ZFS and DTrace just rule).
2. Install OpenSolaris (if you still want Linux, well, fsck your ext3 and just skip this blog entry).
3. Add a user, let's say "appserv", and disable login.
4. Modify its privileges this way:

usermod -K defaultpriv=basic,net_privaddr appserv

Now the "appserv" user has the privilege to run GlassFish on port 80/443 while being completely non-root. That's all, folks!
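
A quick check that the account ended up with exactly the privileges granted above and nothing more. This is an added example, not part of the original post: the function name and the sample entries are constructed, and it assumes the user_attr(4) line layout user:qualifier:res1:res2:attr.

```sh
#!/bin/sh
# Added example: audit one account's defaultpriv in user_attr(4) data on stdin.
# Assumed line layout: user:qualifier:res1:res2:attr (attr = key=value;key=value).
# Prints ok | no-entry | missing-net_privaddr | excess:<list>; returns 0 only for ok.

# Constructed sample entries, not taken from a real host.
SAMPLE_USER_ATTR='# constructed sample
root::::type=normal;auths=solaris.*;profiles=All
appserv::::type=normal;defaultpriv=basic,net_privaddr
webold::::type=normal;defaultpriv=basic,net_privaddr,proc_setid,file_dac_read
batch::::type=normal;defaultpriv=basic'

audit_defaultpriv() {
    user=$1
    # Field 5 of the first non-comment line whose first field is the user.
    attrs=$(awk -F: -v u="$user" '!/^#/ && $1 == u { print $5; exit }')
    if [ -z "$attrs" ]; then echo "no-entry"; return 1; fi

    # Pull the value of the defaultpriv key out of the ';'-separated attr list.
    privs=$(printf '%s\n' "$attrs" | tr ';' '\n' | sed -n 's/^defaultpriv=//p')

    excess=""
    found=no
    old_ifs=$IFS
    IFS=,
    set -f                      # privilege specs such as "all" must not glob
    for p in $privs; do
        case $p in
            basic)        ;;                       # default set, expected
            net_privaddr) found=yes ;;             # the one extra grant from the post
            *)            excess="${excess:+$excess,}$p" ;;
        esac
    done
    set +f
    IFS=$old_ifs

    if [ -n "$excess" ]; then echo "excess:$excess"; return 1; fi
    if [ "$found" = no ]; then echo "missing-net_privaddr"; return 1; fi
    echo "ok"
}

# Demo over the constructed sample; on a live host feed /etc/user_attr instead.
for u in appserv webold batch; do
    printf '%s: %s\n' "$u" "$(printf '%s\n' "$SAMPLE_USER_ATTR" | audit_defaultpriv "$u")"
done
```

On the host itself, run `audit_defaultpriv appserv < /etc/user_attr`; `ppriv <pid>` against the running GlassFish process shows the privilege sets it actually holds.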

One more thing: Apache on your Linux usually starts as root anyway and only then drops privileges. It is much more secure if your GlassFish runs within a Solaris Zone and is not root from the very beginning.
