[wildfly-dev] Using Wildfly as a load balancer

Jorge Solórzano jorsol at gmail.com
Sat Jan 17 09:27:22 EST 2015


Is authbind or privbind a good alternative? It probably has the same effect
as setcap but with a little more security.

It seems the best choice is iptables.



Jorge Solórzano
http://www.jorsol.com

On Fri, Jan 16, 2015 at 9:31 PM, Jason T. Greene <jason.greene at redhat.com>
wrote:

>
> > On Jan 16, 2015, at 5:37 PM, denstar <valliantster at gmail.com> wrote:
> >
> > On 01/16/2015 04:19 PM, Jason Greene wrote:
> > ...
> > [snip helpful example rules]
> >>
> >> B. Using setcap to grant perms for java to bind lower ports:
> >
> > FWIW, this would open things up for Java in general, so while it should
> > perform better, it'll also be a little more risky, which may or may not
> > be a concern.
>
> Right, all Java code using this JVM would have access to binding *all
> ports* (e.g. a Java program could bind, say, the ssh port (assuming it's not
> running) and sniff passwords). So it would be a good idea to have a
> dedicated JVM just for WildFly and to limit the execution permission to
> just a dedicated WildFly user. That way you ensure only the wildfly process
> can bind these ports.
>
> Alternatively, you could use something like docker which automates
> capability assignment and provides some extra isolation. It's overkill
> though if the only thing running on a box is a wildfly process.
>
> Just a note that you will still get fantastic performance with iptables
> port forwarding since the particular rule is completely stateless, and the
> action is just to modify the packet in memory. It's only extreme scenarios
> where that overhead is worth avoiding.
>
> -Jason
>
>
>
>
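
An added example, not part of the original thread: a shell check for the mitigation described in the quoted reply above (a dedicated JVM whose execute permission is limited to a dedicated WildFly account). The launcher path and the group name `wildfly` in the usage comment are assumptions; `cap_net_bind_service` is the Linux capability that permits binding ports below 1024.

```shell
#!/bin/sh
# Added example: audit a JVM launcher that was given the low-port bind capability.
# Returns 0 only when execution is limited to the owner and one dedicated group.
# Usage (path and group are hypothetical):
#   check_jvm_lockdown /opt/wildfly-jvm/bin/java wildfly
check_jvm_lockdown() {
    bin=$1
    grp=$2
    [ -f "$bin" ] || { echo "FAIL: $bin is not a regular file"; return 2; }
    rc=0

    # If "other" may execute the launcher, every local account can start
    # Java code that inherits the capability.
    if [ -n "$(find -H "$bin" -perm -0001)" ]; then
        echo "FAIL: $bin is executable by other"
        rc=1
    fi

    # A launcher writable by group or other can be tampered with by non-root users.
    if [ -n "$(find -H "$bin" \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "FAIL: $bin is writable by group or other"
        rc=1
    fi

    # The file's group must be the dedicated service group.
    if [ -z "$(find -H "$bin" -group "$grp" 2>/dev/null)" ]; then
        echo "FAIL: $bin does not belong to group $grp"
        rc=1
    fi

    # Informational: show whether the capability is present (needs getcap).
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
        case $caps in
            *cap_net_bind_service*) echo "INFO: $caps" ;;
            *) echo "INFO: no cap_net_bind_service set on $bin" ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $bin is restricted to group $grp"
    return "$rc"
}
```

A mode such as 0750 with the dedicated group passes; 0755 fails because any local user could then launch the capability-bearing JVM.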