Fog Creek Software
Discussion Board




SSL Port - is it always 443

I am using Tomcat to launch a Web Application.

If I use Port 8080, then users will have to enter the port number in the URL as well - i.e. 'www.abc.com:8080'

At the moment I use port 80 so when users access the web application they just have to type the URL i.e. 'www.abc.com'.

If I would like the connection users have to the server to be in SSL - will I have to make users access the site via the URL 'www.abc.com:443'?

Don Quixote
Wednesday, April 07, 2004

Not precisely.

http://www.abc.com/ defaults to unencrypted on port 80.

https://www.abc.com/ defaults to encrypted on port 443.

You can't forget to change the protocol. If you want to use a non-default port, both http and https URLs support the :port option.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, April 07, 2004

In addition, you can put some code in the default page for your site so that users accessing the unencrypted site "www.abc.com" are automatically redirected to the encrypted version "https://www.abc.com".

Almost Anonymous
Wednesday, April 07, 2004
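
An added example, not code from any poster in this thread: one way to build the redirect described above while applying the default-port rule from the earlier reply (omit the port when HTTPS is on 443, keep it otherwise). The function names, the `ALLOWED_HOSTS` allowlist and the 8080 listener are assumptions made for illustration; `www.abc.com` is the hostname used in the thread.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"www.abc.com"}  # assumption: the names this site answers to
HTTPS_PORT = 443                 # change if the SSL connector is on another port


def split_host(host_header):
    """Return the hostname part of a Host header, dropping any ':port'."""
    host = host_header.strip().lower()
    if host.startswith("["):     # IPv6 literal such as [::1]:8080
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def https_location(host_header, path, https_port=HTTPS_PORT, allowed=ALLOWED_HOSTS):
    """Return the https:// URL to redirect to, or None if the Host is not ours."""
    name = split_host(host_header or "")
    if name not in allowed:
        return None              # never reflect an arbitrary Host header
    if not path.startswith("/"):
        path = "/"               # absolute-form or malformed request target
    port = "" if https_port == 443 else ":%d" % https_port
    return "https://%s%s%s" % (name, port, path)


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = https_location(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Unknown host")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Constructed setup: listen on 8080, which needs no special privileges.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Checking the Host header against a fixed list keeps the redirect from sending visitors to whatever hostname a request happens to carry.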

It's not quite that easy. You can't bind to a port (generally) under 1024 unless it's run as a super user. It's best not to run things such as tomcat as a super user, for security reasons. That means an exploit in tomcat gives root/Administrator on the whole machine. Big no no.

fw
Thursday, April 08, 2004

The "work-around" that's used is a small super-user run daemon that then forwards the connections to non-privileged code. Then, only the daemon needs to be hardened against any attacks of privilege elevation.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, April 08, 2004

yeh, it would depend on the setup.

For example, if you're using NAT for your external IP address, just port forwarding, there's no reason why you can't forward to a different port. So if the request is for abc.com:80, you could just forward to 192.168.x.x:8080 anyway.

Also, if you're using tomcat, you could use mod_jk to forward requests, which also offers failover and load balancing for your tomcats. Of course having one webserver forwarding these isn't good either ;p

fw
Thursday, April 08, 2004
